Abstract: Disclosed is an execution information sharing system that duplicates execution information to a provider target (and other targets) as it is being loaded to a consumer target. A consumer account of a data sharing platform executes an application shared with it by a provider account of the platform. Consumer and provider configurations indicating consumer and provider targets respectively are generated. The consumer configuration and provider configurations are provided to an event context to generate a first and second event unloaders respectively, wherein the event context maintains a mapping linking both the first event unloader and the second event unloader to the application. In response to receiving execution information from the application, the first event unloader and the second event unloader are retrieved. The execution information is then written to the consumer target and the provider target using the first event unloader and the second event unloader respectively.

Abstract: A consumer account may invoke an operation referencing a set of shared objects stored within a database of a provider account using an imported database that makes the set of shared objects available within the consumer account. A call context of the operation may be updated to cache the imported database, which references a share created from the provider account database, the share having grants to the set of shared objects. One or more database level objects may be discovered in a context of the share and each role granted to the share may be obtained based on the one or more database level objects. Whether any role granted to the share has access to any of the set of shared objects may be determined and the operation may be executed for each of the set of shared objects to which any role granted to the share has access.

Abstract: Methodologies for upgrading and patching an in-database application package and its application instances. A data platform determines a number of objects of an application instance running on the data platform at a previous version level of an application package of the application instance. In response to determining the number of objects of the application package running on the data platform at the previous version level of the application package is one or more, the data platform continues determining the number of objects running on the data platform at a previous version level of the application package. In response to determining the number of objects of the application instance running on the data platform at the previous version level of the application package is none, the data platform upgrades the application instance to the new version of the application package.

Abstract: Techniques for creating, sharing, and using bundles (also referred to as packages) in a multi-tenant database are described herein. A bundle is a schema object with associated hidden schemas. A bundle can be created by a provider user and can be shared with a plurality of consumer users. The bundle can be used to enable code sharing and distribution without losing control while maintaining security protocols.

Abstract: A data platform for developing and deploying a data application. The data platform receives from a first user the data application and provider granted privileges including a consumer usage privilege and a consumer access to data privilege. The data platform authorizes the second user to access the data platform based on one or more consumer account privileges included in a set of account privileges. The data platform authorizes the second user to execute the data application based on the consumer usage privilege. During execution, the data platform authorizes the data application to access the provider database object based on the consumer access to data privilege, and authorizes the data application to access the consumer database object based on a provider access to data privilege provided by the second user.

Abstract: A versioned schema of a data platform. A process of maintaining a call stack of executing objects of an application package having a versioned schema includes calling, by a first procedure executed by one or more processors, a second procedure of a versioned application instance, and determining, by the first procedure, a version of the second procedure based on a call context. In response to determining that the version of the second procedure is not in the call context, the first procedure determines a current version of the versioned application package adds the current version to the call context as the version of the second procedure.

Abstract: A data platform for managing an application as a first-class database object. The data platform includes at least one processor and a memory storing instructions that cause the at least one processor to perform operations including detecting a data request from a browser for a data object located on the data platform, executing a stored procedure, the stored procedure containing instructions that cause the at least one processor to perform additional operations including instantiating a User Defined Function (UDF) server, an application engine, and the application within a security context of the data platform based on a security policy determined by an owner of the data object. The data platform then communicates with the browser using the application engine as a proxy server.

Abstract: Techniques for creating, sharing, and using bundles (also referred to as packages) in a multi-tenant database are described herein. A bundle is a schema object with associated hidden schemas. A bundle can be created by a provider user and can be shared with a plurality of consumer users. The bundle can be used to enable code sharing and distribution without losing control while maintaining security protocols.

Abstract: Embodiments of the present disclosure relate to sharing database roles using hidden roles. A database role may be generated within a database container having a plurality of data objects, wherein the database role exists exclusively within the database container. A set of grants to a particular subset of the plurality of data objects of the database container may be assigned to the database role and the database role may be granted to the share object. The share object is mounted within a consumer account to generate an imported database container within the consumer account, the imported database container including an imported copy of the database role. The imported copy of the database role may be granted to each of one or more account level roles of the consumer account to share the particular subset of the plurality of data objects without creating proxy objects in the consumer account that represent the particular subset of the plurality of data objects.

Abstract: A request to replicate a first account maintained by a data platform is received. Based on the request, account data associated with the account is accessed. The account data comprises security configurations for the first account. In response to the request, the first account is replicated using the account data. A second account results from replicating the first account. The replicating of the first account comprises automatically replicating the security configurations for the first account to the second account. The replicating of the security configurations comprises replicating an identity management configuration of the first account; replicating an authorization configuration of the first account; and replicating an authentication configuration of the first account.

Abstract: Embodiments of the present disclosure enable users of a data sharing system to build native applications that can be shared with other users of the data sharing system. The native applications can be published and discovered in the data sharing system like any other data listing, and consumers can install them in their local data sharing system account to serve their data processing needs. A provider may define an installation script for installing an application and create a share object to which the installation script may be attached. In response to an imported database being created in a consumer account based on the share object, a native application framework may automatically execute the installation script in the consumer account and may create a set of database roles to manage execution of the application in the consumer account.

Abstract: Embodiments of the present disclosure may provide a streamlined process for performing operations, such as data sharing and data replication, using multiple accounts. A global identity (also referred to as an organization user) may be employed, where the global identity may have access to multiple accounts across the same or different deployments. The global identity may switch between accounts from its login session and perform various tasks in the context of different accounts without undergoing further authentication.

Abstract: A consumer account may invoke an operation referencing a set of shared objects stored within a database of a provider account using an imported database that makes the set of shared objects available within the consumer account. A call context of the operation may be updated to cache the imported database, which references a share created from the provider account database, the share having grants to the set of shared objects. One or more database level objects may be discovered in a context of the share and each role granted to the share may be obtained based on the one or more database level objects. Whether any role granted to the share has access to any of the set of shared objects may be determined and the operation may be executed for each of the set of shared objects to which any role granted to the share has access.

Abstract: Techniques described herein can allow users to share cached results of an original query with other users while protecting sensitive information. The techniques described herein can check whether the other users have access to the underlying data queried before allowing those users to see the stored query results. That is, the system may perform privilege checks on the shared users before giving them access to the stored query results but without having to re-run the original query.

Abstract: A request to replicate a first account maintained by a data platform is received. Based on the request, account data associated with the account is accessed. The account data comprises security configurations for the first account. In response to the request, the first account is replicated using the account data. A second account results from replicating the first account. The replicating of the first account comprises automatically replicating the security configurations for the first account to the second account. The replicating of the security configurations comprises replicating an identity management configuration of the first account; replicating an authorization configuration of the first account; and replicating an authentication configuration of the first account.

Abstract: A shared database platform implements dynamic masking on data shared between users where specific data is masked, transformed, or otherwise modified based on preconfigured functions that are associated with user roles. The shared database platform can implement the masking at runtime dynamically in response to users requesting access to a database object that is associated with one or more masking policies.

Abstract: Embodiments of the present disclosure relate to sharing database roles using hidden roles. A database role may be generated within a database container having a plurality of data objects, wherein the database role exists exclusively within the database container. A set of grants to a particular subset of the plurality of data objects of the database container may be assigned to the database role. For each of a set of share objects to which the database role is to be granted: a hidden role having no identifier may be created, the database role may be granted to the hidden role, and the hidden role may be granted to a share object. Each of the set of share objects are mounted within a consumer account to generate a set of imported database containers within the consumer account, wherein each imported database container includes an individualized grant of the database roles.

Abstract: A database platform authenticates a system user for access via an application to a database that is associated with a customer account of the database platform. The system user is a first object in a first account-level namespace of the customer account, and the first account-level namespace is distinct from a default account-level namespace of the customer account. The database platform sends, as the system user, a query to the database via the application. The database platform receives, as the system user, results of the query from the database, and stores, as the system user, the results of the query in a first-namespace stage, which is a second object in the first account-level namespace.

Abstract: Embodiments of the present disclosure enable users of a data sharing system to build native applications that can be shared with other users of the data sharing system. The native applications can be published and discovered in the data sharing system like any other data listing, and consumers can install them in their local data sharing system account to serve their data processing needs. A provider may define an installation script for installing an application and create a share object to which the installation script may be attached. In response to an imported database being created in a consumer account based on the share object, a native application framework may automatically execute the installation script in the consumer account and may create a set of database roles to manage execution of the application in the consumer account.

Abstract: Embodiments of the present disclosure relate to sharing database roles using hidden roles. A database role may be generated within a database container having a plurality of data objects, wherein the database role exists exclusively within the database container. A set of grants to a particular subset of the plurality of data objects of the database container may be assigned to the database role. For each of a set of share objects to which the database role is to be granted: a hidden role having no identifier may be created, the database role may be granted to the hidden role, and the hidden role may be granted to a share object. Each of the set of share objects are mounted within a consumer account to generate a set of imported database containers within the consumer account, wherein each imported database container includes an individualized grant of the database roles.