US 12,105,828 B2
Grant inheritance in RBAC
Vikas Jain, Fremont, CA (US); Eric Karlson, Alameda, CA (US); and Sepideh Khoshnood, Issaquah, WA (US)
Assigned to Snowflake Inc., Bozeman, MT (US)
Filed by Snowflake Inc., Bozeman, MT (US)
Filed on Jul. 28, 2023, as Appl. No. 18/227,818.
Claims priority of provisional application 63/427,723, filed on Nov. 23, 2022.
Prior Publication US 2024/0169086 A1, May 23, 2024
Int. Cl. G06F 21/60 (2013.01); G06F 21/62 (2013.01); H04L 9/40 (2022.01)
CPC G06F 21/6227 (2013.01) [G06F 21/604 (2013.01); G06F 21/6218 (2013.01); H04L 63/10 (2013.01); H04L 63/102 (2013.01); H04L 63/105 (2013.01); H04L 63/101 (2013.01); H04L 63/104 (2013.01); H04L 63/107 (2013.01)] 21 Claims
OG exemplary drawing
 
1. A method comprising:
generating an inherited grant that specifies a permission on a first type of object in a container and a grant of the permission to a role;
attaching the inherited grant to the container, wherein the container includes a set of objects of the first type;
in response to a first object of the set of objects being referenced via the role, creating, by a processing device, a virtual implied grant based on the inherited grant;
authorizing utilization of the permission on the first object using the virtual implied grant, wherein the virtual implied grant is transient and exists in-memory only for the purpose of authorizing the utilization of the permission on the first object;
defining an access group within the container and attaching the inherited grant to the access group; and
adding one or more of the set of objects to the access group, wherein:
authorizing utilization of the permission on any of the one or more objects is performed using a grant that is materialized in response to any of the one or more objects being referenced; and
authorizing utilization of the permission on any of the set of objects not added to the access group is performed using a corresponding virtual implied grant that is created based on the inherited grant.
 
8. A system comprising:
a memory; and
a processing device operatively coupled to the memory, the processing device to:
generate an inherited grant that specifies a permission on a first type of object in a container and a grant of the permission to a role;
attach the inherited grant to the container, wherein the container includes a set of objects of the first type;
in response to a first object of the set of objects being referenced via the role, create a virtual implied grant based on the inherited grant;
authorize utilization of the permission on the first object using the virtual implied grant, wherein the virtual implied grant is transient and exists in-memory only for the purpose of authorizing the utilization of the permission on the first object;
define an access group within the container and attaching the inherited grant to the access group; and
add one or more of the set of objects to the access group, wherein:
the processing device authorizes utilization of the permission on any of the one or more objects using a grant that is materialized in response to any of the one or more objects being referenced; and
the processing device authorizes utilization of the permission on any of the set of objects not added to the access group using a corresponding virtual implied grant that is created based on the inherited grant.
 
15. A non-transitory computer-readable medium having instructions stored thereon which, when executed by a processing device, cause the processing device to:
generate an inherited grant that specifies a permission on a first type of object in a container and a grant of the permission to a role;
attach the inherited grant to the container, wherein the container includes a set of objects of the first type;
in response to a first object of the set of objects being referenced via the role, create, by the processing device, a virtual implied grant based on the inherited grant;
authorize utilization of the permission on the first object using the virtual implied grant, wherein the virtual implied grant is transient and exists in-memory only for the purpose of authorizing the utilization of the permission on the first object;
define an access group within the container and attaching the inherited grant to the access group; and
add one or more of the set of objects to the access group, wherein:
the processing device authorizes utilization of the permission on any of the one or more objects using a grant that is materialized in response to any of the one or more objects being referenced; and
the processing device authorizes utilization of the permission on any of the set of objects not added to the access group using a corresponding virtual implied grant that is created based on the inherited grant.
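The authorization flow recited in claims 1, 8 and 15 (the same steps written as a method, a system and a computer-readable medium) is modelled below as an added example. It is not Snowflake's code and not the patent's implementation; the names Container, AccessGroup, VirtualImpliedGrant, authorize and the sample objects and roles are assumptions made for the illustration. The model shows the two paths the claims distinguish: an object outside any access group is authorized through a transient virtual implied grant that is never written to the grant store, while an object added to an access group gets a grant materialized on first reference and reused afterwards. One modelling choice the claims do not state is also labelled in the code: a grouped object whose group grant does not match falls back to the container-level inherited grant.

```python
"""Model of grant inheritance in RBAC as recited in the claims.
Added illustration, not Snowflake's code; all names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class InheritedGrant:
    """Attached to a container or access group: <permission> on every object
    of <object_type> inside it is granted to <role>."""
    object_type: str
    permission: str
    role: str


@dataclass(frozen=True)
class VirtualImpliedGrant:
    """Transient grant derived from an inherited grant when an object is
    referenced. It lives only in memory for this decision and is never stored."""
    object_name: str
    permission: str
    role: str
    source: InheritedGrant


@dataclass
class AccessGroup:
    name: str
    inherited_grant: InheritedGrant
    members: set = field(default_factory=set)


@dataclass
class Container:
    name: str
    objects: dict = field(default_factory=dict)        # object name -> object type
    inherited_grants: list = field(default_factory=list)
    access_groups: dict = field(default_factory=dict)  # group name -> AccessGroup
    # Persisted grant store: (object, permission, role) -> inherited grant it came from.
    materialized_grants: dict = field(default_factory=dict)

    def add_object(self, name: str, object_type: str) -> None:
        self.objects[name] = object_type

    def attach_inherited_grant(self, grant: InheritedGrant) -> None:
        self.inherited_grants.append(grant)

    def define_access_group(self, name: str, grant: InheritedGrant) -> None:
        self.access_groups[name] = AccessGroup(name, grant)

    def add_to_access_group(self, group: str, object_name: str) -> None:
        if object_name not in self.objects:
            raise KeyError(f"{object_name} is not in container {self.name}")
        self.access_groups[group].members.add(object_name)


@dataclass
class Decision:
    allowed: bool
    via: str                       # "materialized", "virtual_implied" or "denied"
    grant: Optional[object] = None # the grant that authorized the reference


def _matches(grant: InheritedGrant, object_type: str, permission: str, role: str) -> bool:
    return (grant.object_type == object_type and grant.permission == permission
            and grant.role == role)


def authorize(container: Container, object_name: str, permission: str, role: str) -> Decision:
    """Decide whether <role> may use <permission> on <object_name> when it is referenced."""
    object_type = container.objects.get(object_name)
    if object_type is None:
        return Decision(False, "denied")
    key = (object_name, permission, role)

    # Path 1: object was added to an access group. The group's inherited grant is
    # materialized into the store on first reference and reused on later ones.
    for group in container.access_groups.values():
        if object_name in group.members and _matches(group.inherited_grant, object_type, permission, role):
            container.materialized_grants.setdefault(key, group.inherited_grant)
            return Decision(True, "materialized", key)

    # Path 2: object not in a (matching) group. Derive a virtual implied grant from the
    # container-level inherited grant, authorize with it, and let it go out of scope.
    # Assumption not stated in the claims: grouped objects with a non-matching group
    # grant fall through to this path as well.
    for grant in container.inherited_grants:
        if _matches(grant, object_type, permission, role):
            implied = VirtualImpliedGrant(object_name, permission, role, grant)
            return Decision(True, "virtual_implied", implied)

    return Decision(False, "denied")


def build_demo_container() -> Container:
    """Constructed sample data: a container with two tables, one view, one access group."""
    c = Container("analytics_db")
    c.add_object("orders", "TABLE")
    c.add_object("customers", "TABLE")
    c.add_object("daily_view", "VIEW")
    select_tables = InheritedGrant("TABLE", "SELECT", "ANALYST")
    c.attach_inherited_grant(select_tables)          # attach to the container
    c.define_access_group("pii_tables", select_tables)  # and to an access group within it
    c.add_to_access_group("pii_tables", "customers")
    return c


if __name__ == "__main__":
    c = build_demo_container()
    for obj in ("orders", "customers", "daily_view"):
        d = authorize(c, obj, "SELECT", "ANALYST")
        print(obj, d.allowed, d.via)
    print("materialized store:", c.materialized_grants)
```

The store contents after the run are the point to check: the reference to `orders` is allowed but leaves `materialized_grants` empty, because the virtual implied grant existed only for that decision, whereas the reference to `customers` leaves a persisted entry that later references reuse. Type, permission and role all have to match the inherited grant, so the VIEW, an INSERT, or a different role are denied.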