US-12625979-B2 - Enforcement of authorization rules across data environments

Abstract

The technology disclosed herein enables enforcement of high-level rules defined by a user across multiple data environments. In a particular embodiment, a method includes receiving a high-level rule from a user for enforcement across a plurality of data environments and interpreting the high-level rule into a computer-readable rule. The method further includes translating the computer-readable rule into an instruction compatible with a data environment of the plurality of data environments. The method also includes providing the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction.

Inventors

  • Tarun Thakur
  • Maohua Lu

Assignees

  • VEZA TECHNOLOGIES, INC.

Dates

Publication Date
20260512
Application Date
20220504

Claims (20)

  1. A method comprising: receiving a high-level rule in natural language from a user for enforcement across a plurality of data environments, wherein the high-level rule identifies a user; interpreting the high-level rule into a computer-readable rule using a natural language processing algorithm to determine an intent behind words in the natural language, wherein interpreting the high-level rule includes validating that the high-level rule includes sufficient information such that a policy intended by the high-level rule can be implemented within the plurality of data environments; querying a plurality of identity environments for identities of the user corresponding to different ones of the plurality of data environments, wherein at least one of the identities is different from another of the identities; selecting an identity of the identities that corresponds to a data environment of the plurality of data environments; translating the computer-readable rule into an instruction compatible with the data environment, wherein the instruction uses the identity to indicate the user; and providing the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction.
  2. The method of claim 1, comprising: translating the computer-readable rule into another instruction compatible with another data environment of the plurality of data environments, wherein the instruction uses a second identity corresponding to the other data environment to indicate the user; and providing the other instruction to the other data environment, wherein the other data environment implements the high-level rule within the other data environment based on the instruction.
  3. The method of claim 2, comprising: determining the data environment and the other data environment both include data sources that are subject to the high-level rule.
  4. The method of claim 2, wherein the instruction comprises an authorization statement compatible with the data environment and the other instruction comprises another authorization statement compatible with the other data environment, and wherein the authorization statement is different than the other authorization statement.
  5. The method of claim 1, wherein the instruction comprises a Create, Read, Update, and Delete (CRUD) statement.
  6. The method of claim 1, wherein the identity indicates the user differently than the user is indicated in the high-level rule.
  7. The method of claim 1, wherein validating the high-level rule comprises: when the policy includes at least one deficiency such that the policy cannot be implemented in the plurality of data environments, notifying the user that the high-level rule is invalid; and after notifying the user, receiving updates to the high-level rule that remedy the deficiency.
  8. The method of claim 1, wherein the interpreting comprises: creating a JavaScript Object Notation (JSON) document that encodes the high-level rule.
  9. The method of claim 1, comprising: in response to identifying a change in the data environment, generating a new instruction based on the computer-readable rule that accounts for the change; and providing the new instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the new instruction.
  10. An apparatus comprising: one or more computer readable storage media; a processing system operatively coupled with the one or more computer readable storage media; and program instructions stored on the one or more computer readable storage media that, when read and executed by the processing system, direct the apparatus to: receive a high-level rule in natural language from a user for enforcement across a plurality of data environments, wherein the high-level rule identifies a user; interpret the high-level rule into a computer-readable rule using a natural language processing algorithm to determine an intent behind words in the natural language, wherein interpreting the high-level rule includes validating that the high-level rule includes sufficient information such that a policy intended by the high-level rule can be implemented within the plurality of data environments; query a plurality of identity environments for identities of the user corresponding to different ones of the plurality of data environments, wherein at least one of the identities is different from another of the identities; select an identity of the identities that corresponds to a data environment of the plurality of data environments; translate the computer-readable rule into an instruction compatible with the data environment, wherein the instruction uses the identity to indicate the user; and provide the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction.
  11. The apparatus of claim 10, wherein the program instructions direct the apparatus to: translate the computer-readable rule into another instruction compatible with another data environment of the plurality of data environments; and provide the other instruction to the other data environment, wherein the other data environment implements the high-level rule within the other data environment based on the other instruction.
  12. The apparatus of claim 11, wherein the program instructions direct the apparatus to: determine the data environment and the other data environment both include data sources that are subject to the high-level rule.
  13. The apparatus of claim 11, wherein the instruction comprises an authorization statement compatible with the data environment and the other instruction comprises another authorization statement compatible with the other data environment, and wherein the authorization statement is different than the other authorization statement.
  14. The apparatus of claim 10, wherein the instruction comprises a Create, Read, Update, and Delete (CRUD) statement.
  15. The apparatus of claim 10, wherein the identity indicates the user differently than the user is indicated in the high-level rule.
  16. The apparatus of claim 10, wherein to validate the high-level rule, the program instructions direct the apparatus to: when the policy includes at least one deficiency such that the policy cannot be implemented in the plurality of data environments, notify the user that the high-level rule is invalid; and after the user is notified, receive updates to the high-level rule that remedy the deficiency.
  17. The apparatus of claim 10, wherein to interpret the high-level rule, the program instructions direct the apparatus to: create a JavaScript Object Notation (JSON) document that encodes the high-level rule.
  18. The apparatus of claim 10, wherein the program instructions direct the apparatus to: in response to identifying a change in the data environment, generate a new instruction based on the computer-readable rule that accounts for the change; and provide the new instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the new instruction.
  19. One or more computer readable storage media having program instructions stored thereon that, when read and executed by a processing system, direct the processing system to: receive a high-level rule in natural language from a user for enforcement across a plurality of data environments, wherein the high-level rule identifies a user; interpret the high-level rule into a computer-readable rule using a natural language processing algorithm to determine an intent behind words in the natural language, wherein interpreting the high-level rule includes validating that the high-level rule includes sufficient information such that a policy intended by the high-level rule can be implemented within the plurality of data environments; query a plurality of identity environments for identities of the user corresponding to different ones of the plurality of data environments, wherein at least one of the identities is different from another of the identities; select an identity of the identities that corresponds to a data environment of the plurality of data environments; translate the computer-readable rule into an instruction compatible with the data environment, wherein the instruction uses the identity to indicate the user; and provide the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction.
  20. The one or more computer readable storage media of claim 19, wherein the program instructions direct the processing system to: translate the computer-readable rule into another instruction compatible with another data environment of the plurality of data environments; and provide the other instruction to the other data environment, wherein the other data environment implements the high-level rule within the other data environment based on the other instruction.

Description

RELATED APPLICATIONS

This application is related to and claims priority to U.S. Provisional Patent Application 63/183,989, titled “ENFORCEMENT OF AUTHORIZATION RULES ACROSS MULTIPLE SYSTEMS,” filed May 4, 2021, which is hereby incorporated by reference in its entirety.

BACKGROUND

Modern enterprises use numerous data environments to store, manage, and/or process data. Those environments may be managed by different systems, applications, and/or platforms from different providers, and each may use its own data repository (e.g., database). For instance, different departments may employ different database systems depending on the features offered by the respective system (e.g., accounting may use a first database system while human resources uses a second). In some cases, a single department may itself use multiple platforms for data repositories depending on the capabilities of each platform, even if the platforms manage similar data sets. For example, human resources may use one platform to onboard and terminate employees while another platform handles employees' compensation and benefits. The repositories may be hosted local to the enterprise (i.e., at one or more of the enterprise's own facilities) or may be cloud based and hosted by third parties. The cardinality of the data environments and the data therein can also be very high (on the order of thousands of individual elements, such as data tables, to which a user can potentially have access), which makes it very difficult (if not impossible) for a human administrator to track which data can be accessed by which users. Moreover, should the human administrator want to modify permissions for one or more users, the administrator would need to ensure all relevant permissions are changed across all data environments.

SUMMARY

The technology disclosed herein enables enforcement of high-level rules defined by a user across multiple data environments.
In a particular embodiment, a method includes receiving a high-level rule from a user for enforcement across a plurality of data environments and interpreting the high-level rule into a computer-readable rule. The method further includes translating the computer-readable rule into an instruction compatible with a data environment of the plurality of data environments. The method also includes providing the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction. In some examples, the method includes translating the computer-readable rule into another instruction compatible with another data environment of the plurality of data environments and providing the other instruction to the other data environment, wherein the other data environment implements the high-level rule within the other data environment based on the instruction. In those examples, the method may include determining that the data environment and the other data environment both include data sources that are subject to the high-level rule. Also, in those examples, the instruction may include an authorization statement compatible with the data environment and the other instruction may include another authorization statement compatible with the other data environment. The authorization statement is different from the other authorization statement. In some examples, the instruction includes a Create, Read, Update, and Delete (CRUD) statement. In some examples, the method includes identifying a user indicated in the high-level rule and determining an identity of the user corresponding to the data environment, wherein the identity is included in the instruction. In some examples, the method includes determining that the high-level rule is a valid request. In some examples, the interpreting includes creating a JavaScript Object Notation (JSON) document that encodes the high-level rule.
In some examples, in response to identifying a change in the data environment, the method includes generating a new instruction based on the computer-readable rule that accounts for the change and providing the new instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the new instruction. In another example, an apparatus is provided having one or more computer readable storage media and a processing system operatively coupled with the one or more computer readable storage media. Program instructions stored on the one or more computer readable storage media, when read and executed by the processing system, direct the apparatus to receive a high-level rule from a user for enforcement across a plurality of data environments and interpret the high-level rule into a computer-readable rule. The program instructions further direct the apparatus to translate the computer-readable rule into an instruction compatible with a data environment of the plurality of data environments. The program instruction
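The pipeline the summary describes (a computer-readable JSON rule, validated for deficiencies, the user's per-environment identity selected, then translated into an environment-specific authorization statement, and regenerated when the environment changes) as an added, self-contained toy example; this is illustrative code written for this page, not Veza's implementation, and the environment kinds, tag scheme, identity map and ARN-style identifier are all constructed assumptions. The natural-language interpretation step is taken as already done, so the input is the JSON form.

```python
import json

# Constructed sample rule: "jane.doe may not modify or delete PII", already interpreted
# into the JSON computer-readable form the patent describes (NLP step out of scope; hand-written).
RULE_JSON = json.dumps({"user": "jane.doe", "effect": "deny",
                        "actions": ["update", "delete"], "data": {"tag": "pii"}})

# Constructed identity environments: the same person carries a different identity per data environment.
IDENTITY_ENVS = {"sql_warehouse": {"jane.doe": "jdoe"},
                 "object_store": {"jane.doe": "arn:example:iam::user/jane.doe"}}  # hypothetical ARN-style id

# Constructed data environments: every data source carries tags the rule is matched against.
DATA_ENVS = {
    "sql_warehouse": {"kind": "sql", "sources": {"hr.salaries": {"pii"}, "sales.orders": set()}},
    "object_store": {"kind": "bucket_policy", "sources": {"s3://payroll-exports": {"pii"}}},
}
CRUD_TO_SQL = {"create": "INSERT", "read": "SELECT", "update": "UPDATE", "delete": "DELETE"}

class InvalidRule(ValueError):
    """The rule lacks information needed to implement its policy; the author must amend it."""

def validate(rule):
    missing = [k for k in ("user", "effect", "actions", "data") if k not in rule]
    if missing:
        raise InvalidRule(f"rule deficiency: missing fields {missing}")
    if rule["effect"] not in ("allow", "deny") or not rule["actions"] or "tag" not in rule["data"]:
        raise InvalidRule("rule deficiency: effect must be allow/deny, actions non-empty, data needs a tag")
    return rule

def compile_rule(rule_json, identity_envs, data_envs):
    # Translate one computer-readable rule into one environment-specific instruction list per environment.
    rule = validate(json.loads(rule_json))
    instructions = {}
    for env_name, env in data_envs.items():
        # Only environments that hold a data source subject to the rule receive an instruction.
        targets = [s for s, tags in env["sources"].items() if rule["data"]["tag"] in tags]
        if not targets:
            continue
        identity = identity_envs.get(env_name, {}).get(rule["user"])  # local identity, not the rule's name
        if identity is None:
            raise InvalidRule(f"no identity for {rule['user']} in {env_name}")
        if env["kind"] == "sql":
            # SQL environments take a CRUD-style GRANT/REVOKE statement naming the local identity.
            verb, prep = ("GRANT", "TO") if rule["effect"] == "allow" else ("REVOKE", "FROM")
            privs = ", ".join(CRUD_TO_SQL[a] for a in rule["actions"])
            instructions[env_name] = [f'{verb} {privs} ON {t} {prep} "{identity}";' for t in targets]
        else:
            # Object stores take a JSON policy statement instead: same intent, different dialect.
            instructions[env_name] = [json.dumps({"Effect": rule["effect"].capitalize(), "Principal": identity,
                                                  "Action": rule["actions"], "Resource": t}) for t in targets]
    return instructions
```

Calling compile_rule again after a data environment gains a new tagged source is the "change in the data environment" case: the refreshed instruction set includes a statement for the new source without the rule itself being touched.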