US 11,893,137 B2
Secure multi-client data analysis
Konstantin Schwed, Bad Schönborn (DE); and Sergey Smirnov, Heidelberg (DE)
Assigned to SAP SE, Walldorf (DE)
Filed by SAP SE, Walldorf (DE)
Filed on Sep. 21, 2021, as Appl. No. 17/481,168.
Application 17/481,168 is a continuation of application No. 15/706,544, filed on Sep. 15, 2017, granted, now 11,151,283.
Prior Publication US 2022/0004662 A1, Jan. 6, 2022
Int. Cl. G06F 21/62 (2013.01); H04L 43/04 (2022.01); G06F 9/50 (2006.01); G06F 9/54 (2006.01); G06Q 30/0201 (2023.01); G06F 3/0481 (2022.01); G06F 17/17 (2006.01); G06F 16/248 (2019.01)
CPC G06F 21/6254 (2013.01) [G06F 9/50 (2013.01); G06F 9/54 (2013.01); G06F 21/6218 (2013.01); G06F 21/6227 (2013.01); H04L 43/04 (2013.01); G06F 3/0481 (2013.01); G06F 16/248 (2019.01); G06F 17/175 (2013.01); G06Q 30/0201 (2013.01)] 14 Claims
OG exemplary drawing
 
1. A method, implemented in a computing environment comprising at least one hardware processor and at least one memory coupled to the at least one hardware processor, the method comprising:
receiving, through a multi-tenant software application servicing a plurality of tenants, non-anonymized first tenant profile data for a first tenant of the multi-tenant software application, wherein the first tenant has access to all non-anonymized first tenant profile data;
storing the non-anonymized first tenant profile data in at least a portion of a first database system for the first tenant, at least a portion of the non-anonymized first tenant profile data being stored as instances of a first entity type comprising a plurality of attributes, at least a first attribute of the plurality of attributes for the first entity type being designated for anonymization but not being anonymized in the non-anonymized first tenant profile data, the non-anonymized first tenant profile data comprising a first profile represented as a first instance of the first entity type and comprising a first value of the at least a first attribute and a second profile represented as a second instance of the first entity type and comprising a second value of the at least a first attribute, the second value being different than the first value;
receiving non-anonymized second tenant profile data for a second tenant of the multi-tenant software application, the second tenant being different than the first tenant, wherein the second tenant has access to all non-anonymized second tenant profile data;
storing the non-anonymized second tenant profile data in at least a portion of a second database system for the second tenant, at least a portion of the non-anonymized second tenant profile data being stored as instances of a second entity type comprising a plurality of attributes, at least a second attribute of the plurality of attributes for the second entity type being designated for anonymization, wherein the at least a second attribute designated for anonymization is the at least a first attribute of the first entity type or is an attribute other than the at least a first attribute, wherein at least a portion of attributes of the first entity type correspond to at least a portion of attributes of the second entity type, the non-anonymized second tenant profile data comprising a first profile represented as a first instance of the second entity type and comprising a first value of at least a second attribute and a second profile represented as a second instance of the second entity type and comprising a second value of the at least a second attribute, the second value being different than the first value, wherein the second database system is the first database system or is a database system different than the first database system, and wherein the non-anonymized first tenant profile data and the non-anonymized second tenant profile data are separated such that the first tenant cannot access the non-anonymized second tenant profile data and the second tenant cannot access the non-anonymized first tenant profile data;
sending a first sharing indicator for the first tenant to a third database system;
when the first sharing indicator indicates data sharing, anonymizing at least a portion of the non-anonymized first tenant profile data by removing values of the at least a first attribute to provide anonymized first tenant profile data;
storing the anonymized first tenant profile data in at least a portion of the third database system defined to store profile data for the first tenant and the second tenant, where the third database system is the first database system, the second database system, or is a database system other than the first database system or the second database system;
sending a second sharing indicator for the second tenant to the third database system;
when the second sharing indicator indicates data sharing, anonymizing at least a portion of the non-anonymized second tenant profile data to provide anonymized second tenant profile data;
storing the anonymized second tenant profile data in the third database system, wherein the anonymized first tenant profile data and the anonymized second tenant profile data are collectively made available for analysis requests; and
subsequent to storing the anonymized first tenant profile data and storing the anonymized second tenant profile data:
receiving an analysis request from the first tenant;
in response to the analysis request and the second sharing indicator, generating a first result, wherein (1) when the second sharing indicator indicates no data sharing, the first result is generated based at least in part on aggregating anonymized first tenant profile data to provide first aggregated, anonymized tenant profile data and analyzing the first aggregated, anonymized tenant profile data to generate the first result based at least in part on one or more profiles of anonymized tenant profile data for the first tenant and not the tenant profile data of the second tenant; and (2) when the second sharing indicator indicates data sharing, the first result is generated based at least in part on aggregating anonymized first tenant profile data and anonymized second tenant profile data to provide second aggregated, anonymized tenant profile data and analyzing the second aggregated, anonymized tenant profile data to generate the first result based at least in part on the second aggregated, anonymized tenant profile data; and
sending the first result to the first tenant in response to the analysis request.
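The flow of claim 1, rendered as an added Python illustration (this is not SAP's code or any implementation of the patent; the entity type "Employee", the attribute names, the tenant identifiers, the sample profiles and the class names are all constructed for the example). It shows the three database roles the claim distinguishes: per-tenant stores holding non-anonymized data that only the owning tenant may read, a per-tenant sharing indicator sent to the shared store, anonymization by removing the values of designated attributes, and an analysis whose pool is the requester's own anonymized data alone when the other tenant's indicator says "no sharing", or both tenants' anonymized data when it says "sharing".

```python
from dataclasses import dataclass, field
from typing import Any

# Constructed entity type "Employee"; "name" and "employee_id" are the attributes
# designated for anonymization (the claim's "at least a first attribute").
ANONYMIZED_ATTRIBUTES: dict[str, set[str]] = {"Employee": {"name", "employee_id"}}


@dataclass
class TenantStore:
    """First/second database system of the claim: one tenant's non-anonymized data."""
    tenant: str
    profiles: list[dict[str, Any]] = field(default_factory=list)

    def store(self, entity_type: str, profile: dict[str, Any]) -> None:
        self.profiles.append({"entity_type": entity_type, **profile})

    def read_all(self, requesting_tenant: str) -> list[dict[str, Any]]:
        # Tenant separation: only the owning tenant can read non-anonymized data.
        if requesting_tenant != self.tenant:
            raise PermissionError(f"{requesting_tenant} may not read {self.tenant} data")
        return [dict(p) for p in self.profiles]


def anonymize(profile: dict[str, Any]) -> dict[str, Any]:
    """Drop the values of every attribute designated for anonymization."""
    designated = ANONYMIZED_ATTRIBUTES.get(profile["entity_type"], set())
    return {k: v for k, v in profile.items() if k not in designated}


class SharedAnalysisStore:
    """Third database system: anonymized rows of all tenants plus sharing indicators."""

    def __init__(self) -> None:
        self.sharing: dict[str, bool] = {}
        self.anonymized: dict[str, list[dict[str, Any]]] = {}

    def set_sharing_indicator(self, tenant: str, shares: bool) -> None:
        self.sharing[tenant] = shares
        if not shares:
            # A withdrawn indicator also removes rows pooled earlier.
            self.anonymized.pop(tenant, None)

    def ingest(self, store: TenantStore) -> int:
        """Anonymize and store a tenant's data only when its indicator says 'share'."""
        if not self.sharing.get(store.tenant, False):
            return 0
        rows = [anonymize(p) for p in store.read_all(store.tenant)]
        self.anonymized[store.tenant] = rows
        return len(rows)

    def analyze(self, requesting_tenant: str, entity_type: str,
                filter_attr: str, filter_value: Any, metric: str) -> dict[str, Any]:
        """Aggregate over the requester's rows plus rows of every tenant that shares."""
        pool = [t for t, shares in self.sharing.items() if shares or t == requesting_tenant]
        values = [r[metric] for t in pool for r in self.anonymized.get(t, [])
                  if r["entity_type"] == entity_type and r.get(filter_attr) == filter_value]
        # Only aggregates leave the store, never individual anonymized rows.
        return {"count": len(values), "mean": sum(values) / len(values) if values else None}


def build_demo() -> tuple[TenantStore, TenantStore, SharedAnalysisStore]:
    """Constructed sample data: tenant-a shares, tenant-b does not (yet)."""
    store_a, store_b, shared = TenantStore("tenant-a"), TenantStore("tenant-b"), SharedAnalysisStore()
    store_a.store("Employee", {"name": "Alice", "employee_id": "A-1", "department": "R&D", "salary": 100})
    store_a.store("Employee", {"name": "Bob", "employee_id": "A-2", "department": "R&D", "salary": 80})
    store_b.store("Employee", {"name": "Carol", "employee_id": "B-7", "department": "R&D", "salary": 120})
    store_b.store("Employee", {"name": "Dan", "employee_id": "B-8", "department": "Sales", "salary": 60})
    shared.set_sharing_indicator("tenant-a", True)
    shared.ingest(store_a)
    shared.set_sharing_indicator("tenant-b", False)
    shared.ingest(store_b)  # stores nothing: indicator says no sharing
    return store_a, store_b, shared


def demo() -> tuple[dict[str, Any], dict[str, Any]]:
    """Same analysis request from tenant-a before and after tenant-b opts in."""
    _, store_b, shared = build_demo()
    before = shared.analyze("tenant-a", "Employee", "department", "R&D", "salary")
    shared.set_sharing_indicator("tenant-b", True)
    shared.ingest(store_b)
    after = shared.analyze("tenant-a", "Employee", "department", "R&D", "salary")
    return before, after


if __name__ == "__main__":
    print(demo())  # ({'count': 2, 'mean': 90.0}, {'count': 3, 'mean': 100.0})
```

Two properties are worth checking in such a design, and both are visible in the code: the requester's own anonymized rows reach the shared store only through its own indicator, and a tenant's non-anonymized rows are never readable across the tenant boundary (`read_all` refuses other tenants). Removing designated attribute values is the anonymization step the claim names; whether the remaining attributes still single out a person is a separate question for the data owner, which is why this illustration returns only aggregates.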