Abstract: The technology disclosed herein enables enforcement of high-level rules defined by a user across multiple data environments. In a particular embodiment, a method includes receiving a high-level rule from a user for enforcement across a plurality of data environments and interpreting the high-level rule into a computer-readable rule. The method further includes translating the computer-readable rule into an instruction compatible with a data environment of the plurality of data environments. The method also includes providing the instruction to the data environment, wherein the data environment implements the high-level rule within the data environment based on the instruction.
Abstract: The technology disclosed herein accelerates traversal of a privilege graph indicating access permissions to resources of data environments. In a particular example, a method provides identifying a first node type of a start node of a plurality of nodes in a privilege graph and a second node type of an end node of the plurality of nodes. The privilege graph indicates access privileges for a plurality of users to features of a plurality of data environments. The method also provides identifying one or more possible paths between the first node type and the second node type based on a schema of the privilege graph and traversing the plurality of nodes from the start node to the end node while ignoring paths that are not included in the one or more possible paths.
Type:
Grant
Filed:
September 18, 2023
Date of Patent:
December 23, 2025
Assignee:
Veza Technologies, Inc.
Inventors:
Tarun Thakur, Maohua Lu, Robert Whitcher
Abstract: The technology disclosed herein enables representation of data access authorizations using a privilege graph. In a particular embodiment, a method includes identifying first attributes of a first user. The method further includes traversing nodes of a privilege graph using the first attributes to determine subsequent nodes until one or more nodes representing a first subset of environments of a plurality of data environments is reached. The method also includes authorizing the first user to access the first subset.
Abstract: The technology disclosed herein enables pushing of access-privilege information from data environments to a graphing service. In a particular embodiment, a method includes registering a data environment to enable the data environment to use Application Programming Interface (API) calls and receiving an API call transmitted from the data environment. The API call provides information about access permissions for the data environment. The method further includes incorporating the information into a privilege graph representing data access authorizations.
Abstract: The technology disclosed herein enables generation of effective permissions between principals and resources from access policies. In a particular embodiment, a method includes, in an effective permissions service, retrieving one or more access policies that define access permissions between a principal and a resource of the plurality of resources. The method also includes determining an effective permission defining the access of the principal to the resource based on the access policies and defining the effective permission in a canonical format. The method further includes storing the effective permission for reference when the principal attempts to access the resource.