CPC G06F 21/6227 (2013.01) [G06F 16/2282 (2019.01); G06F 21/604 (2013.01); G06F 21/62 (2013.01); G06F 21/6218 (2013.01); G06F 2221/2141 (2013.01)] | 21 Claims |
1. A method comprising:
receiving, from a user associated with a consumer account, a query relating to a table stored by a provider account in at least one data storage element in a multi-tenant database system and shared by the provider account with an attached provider row level security policy, the provider row level security policy being independent of the table, including a Boolean-valued expression, and restricting at least one row from being accessible by the consumer account, wherein a consumer row level security is also attached to the table;
creating, by a compute service manager, a plan to execute the query, the plan including a set of operators;
determining a role of the user in the consumer account;
modifying, by the compute service manager, the plan based on the provider row level security policy and consumer row level security policy corresponding to the determined role, the modified plan includes arranging a first operator over a second operator to not reveal information restricted by the provider row level security policy;
assigning, by the compute service manager, a plurality of tasks to one or more execution nodes to execute the modified plan; and
generating a result for the query based on execution of the assigned plurality of tasks.
|