Abstract: Row-level security (RLS) may provide fine-grained access control based on flexible, user-defined access policies to databases, tables, objects, and other data structures. A RLS policy may be an entity or object that defines rules for row access. A RLS policy may be decoupled or independent from any specific table. This allows more robust and flexible control. A RLS policy may then be attached to one or more tables. The RLS policy may include a Boolean-valued expression.

Abstract: Disclosed herein are embodiments of systems and methods for synchronizing file-catalog table with a file stage. In an embodiment, a data platform receives a notification of a modification to one or more files in a file stage. The file stage includes data storage having a storage location. The data platform updates, based on receiving the notification of the modification, a first file-catalog table for the file stage based on the modification. The first file-catalog table includes a row for each file in the file stage, as well as a column for each of one or more metadata properties of the one or more files in the file stage.

Abstract: Disclosed herein are systems and methods for query processing with restrictions in a database clean room. In an embodiment, a system receives a query directed to a combination of a first source dataset from a first database account of a distributed database and a second source dataset from a second database account of the distributed database. The system generates an approved statements table that contains database statement language that can be executed against the combination of the first and second source datasets. Based on determining that the approved statements table includes the query, the system executes the query to produce results data, and stores the results data in the first database account.

Abstract: The subject technology receives a query, the query including a query range for processing the query and a set of requested columns. The subject technology based on the query range, determining a set of blob files and a set of delete vectors. The subject technology for each blob file, storing each row, including the set of request columns, into an array of rowsets. The subject technology for each rowset, generating a delete bitset to at least indicate whether each row has been deleted. The subject technology for each delta file, indicate a previous row of a visible row of the delta file as being deleted based on a delete pointer of the visible row. The subject technology providing a set of rowsets, including a corresponding selection column set, as a result of the query.

Abstract: Various embodiments provide for replicating a share across deployments of a data platform, where the share can be on a source deployment and the share can be replicated on one or more target deployments, and where the share is replicated with one or more database objects of the source deployment associated with the share. Some embodiments analyze the share to be replicated and, based on the analysis, determine one or more database objects that would be replicated to the one or more target deployments to enable a replica of the share on the one or more target deployments.

Abstract: A data dictionary generation system automatically populates and updates a data dictionary for listings offering shared data. The data listing distribution component distributes the data dictionaries to various remote deployments in a data exchange by using a global messaging framework and replication method. For example, the data listing distribution component replicates a data dictionary generated for the listing and its shared data from a source deployment to one or more destination deployments associated with various geographic regions. The data listing distribution component distributes the listing to the various remote deployments to allow for the listing, including its shared data and data dictionary, to be accessed by users within the geographic region associated with the remote deployment.

Abstract: Sharing data in a data exchange across multiple cloud computing platforms is described. An example method can include copying, to a first cloud computing entity using a consumer account of the first cloud computing entity, a first subset of a data set associated with a provider account of a second cloud computing entity, wherein the provider account of the second cloud computing entity does not have access to the first cloud computing entity, and then copying, to a third cloud computing entity using a consumer account of the third cloud computing entity, a second subset of the data set, wherein the provider account of the third cloud computing entity does not have access to the first cloud computing entity, for which the first subset of the data set is different from the second subset of the data set.

Abstract: Techniques are described for budget tracking in a differentially private security system. A request to perform a query of a private database system is received by a privacy device from a client device. The request is associated with a level of differential privacy. A privacy budget corresponding to the received request is accessed by the privacy device. The privacy budget includes a cumulative privacy spend and a maximum privacy spend, the cumulative privacy spend representative of previous queries of the private database system. A privacy spend associated with the received request is determined by the privacy device based at least in part on the level of differential privacy associated with the received request. If a sum of the determined privacy spend and the cumulative privacy spend is less than the maximum privacy spend, the query is performed. Otherwise a security action is performed based on a security policy.

Abstract: A system for improving task scheduling on a cloud data platform is provided. A task to be executed using resources of a computing cluster is received. A task execution plan is generated and information about data to be used for the ask is accessed. Resource requirements for executing the task are predicted by applying machine learning to the task execution plan and the information about the data. Assignment data is generated to execute the task on the resources by applying machine learning information about a current state of the resources and predicted resource requirements.

Abstract: A system or persistent table may be generated storing changelog information of a primary base table. The system table may then be used to create streams of relevant information. In some examples, the streams may read from the system table for information past a retention period of the primary table while reading from the primary table information in the retention period.

Abstract: Embodiments of the present disclosure provide systems and methods for using secure schemas to address inconsistencies between standard RBAC rules and the use of inherited grants. A secure schema may be defined that transfers ownership of an object created in the secure schema to a role that owns the secure schema. An inherited grant may be attached to the secure schema, where the inherited grant specifies a permission on a first type of object in the secure schema and a grant of the permission to the role that owns the secure schema. When objects are created in the secure schema, ownership of each of the set of objects is transferred to the role that owns the secure schema to authorize the role that owns the secure schema to manage grants to the set of objects on the secure schema.

Abstract: Techniques for configuring query result information include decoding a query received from a client device of a network-based database system. A multi-stage execution of the query is configured to obtain a plurality of query result subsets. A combined query result is generated using the plurality of query result subsets. The combined query result further includes storage location information for each of the plurality of query result subsets. The combined query result is encoded for transmission to the client device in response to the query.

Abstract: A method includes decoding, by at least one hardware processor, a request for a user-defined function (UDF). The request includes a reference to one or more files. The method further includes generating, by the at least one hardware processor, the UDF based on the request. The UDF includes a file reference object with file path information corresponding to the reference. The file path information identifies a file path to the one or more files. A UDF call into the UDF is detected. The UDF call specifies the file path information. The UDF call is processed to generate result data using the one or more files.

Abstract: Embodiments of the present disclosure may provide a streamlined process for performing operations, such as data sharing and data replication, using multiple accounts. A global identity (also referred to as an organization user) may be employed, where the global identity may have access to multiple accounts across the same or different deployments. The global identity may switch between accounts from its login session and perform various tasks in the context of different accounts without undergoing further authentication.

Abstract: Replication and failover of database data is disclosed. A method includes replicating database data stored in a primary deployment such that the database data is further stored in a secondary deployment. The method includes executing one or more updates to the database data at the secondary deployment when the primary deployment is unavailable and propagating the one or more updates to the primary deployment when the primary deployment becomes available again. The method includes executing queries on the database data at the primary deployment when the primary deployment is available.

Abstract: A differentially private security system communicatively coupled to a database storing restricted data receives a database query from a client. The database query includes an operation, a target accuracy, and a maximum privacy spend for the query. The system performs the operation to produce a result, then injects the result with noise sampled from a Laplace distribution to produce a differentially private result. The system iteratively calibrates the noise value of the differentially private result using a secondary distribution different from the Laplace distribution and a new fractional privacy spend. The system ceases to iterate when an iteration uses the maximum privacy spend or a relative error of the differentially private result is determined to satisfy the target accuracy, or both. The system sends the differentially private result to the client.

Abstract: Embodiments of the present disclosure may provide dynamic and fair assignment techniques for allocating resources on a demand basis. Assignment control may be separated into at least two components: a local component and a global component. Each component may have an active dialog with each other; the dialog may include two aspects: 1) a demand for computing resources, and 2) a total allowed number of computing resources. The global component may allocate resources from a pool of resources to different local components, and the local components in turn may assign their allocated resources to local competing requests. The allocation may also be throttled or limited at various levels.

Abstract: Embodiments of the present disclosure provide systems and methods for using inherited grants to grant privileges to objects in a container. An inherited grant may be generated that specifies a permission on a first type of object in a container and a grant of the permission to a role. The inherited grant may be attached to the container, wherein the container includes a set of objects of the first type. In response to a first object of the set of objects being referenced via the role, a virtual implied grant may be created based on the inherited grant. Authorization of utilization of the permission on the first object is performed using the virtual implied grant, wherein the virtual implied grant is transient and exists in-memory only for the purpose of authorizing the utilization of the permission on the first object.

Abstract: Systems and methods for managing column hiding are provided. The systems and methods receive, from a client device, a query associated with a table. The systems and methods determine an access restriction associated with the client device. The systems and methods identify a column of the table that is restricted by the access restriction associated with the client device. In response to identifying the column of the table that is restricted by the access restriction associated with the client device, the systems and methods provide a result of the query that excludes data corresponding to the column.

Abstract: Different database deployments, or other data system deployments, may want to communicate with each other without sacrificing security or control. To this end, embodiments of the present disclosure may provide secure message exchange techniques for a source and/or target deployment. Configurable rule sets may be stored in the deployments; the rule sets may define what messages may be communicated between deployments. The deployments may implement a selective filtering scheme in one or more stages based on the rule sets to filter outgoing and/or incoming messages.