Patents by Inventor Irina Gorbach

Irina Gorbach has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9894040
    Abstract: Embodiments are directed to securing data in the cloud, securely encrypting data that is to be stored in the cloud and to securely decrypting data accessed from the cloud. In one scenario, an instantiated trust service receives information indicating that a trust server is to be instantiated. The trust service instantiates the trust server, which is configured to store key references and encrypted keys. The trust service receives the public key portion of a digital certificate for each publisher and subscriber that is to have access to various specified portions of encrypted data. A data access policy is then defined that specifies which encrypted data portions can be accessed by which subscribers.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: February 13, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumalatha Adabala, Roy Peter D'Souza, Michael Entin, Michael Ray Clark, Gitika Aggarwal Saubhasik
  • Patent number: 9647837
    Abstract: Embodiments include method, systems, and computer program products for filtering trust services records. Embodiments include receiving a trust services record that includes a plurality of security components and that is usable to secure data that is stored in an untrusted location. It is determined whether the trust services record has been tampered with, including verifying each of the plurality of security components of the trust services record. The trust services record is filtered based on the determination of whether the trust services record has been tampered with. The filtering includes, when the trust services record is determined to have not been tampered with, allowing performance of at least one task with respect to the secured data; and, when the trust services record is determined to have been tampered with, disallowing performance of any task with respect to the secured data.
    Type: Grant
    Filed: January 29, 2015
    Date of Patent: May 9, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Patent number: 9189648
    Abstract: Embodiments are directed to mapping encryption policies to data stored in a database using a policy identifier, and to accessing data stored in a database using a policy identifier. In one scenario, a computer system receives an indication that identifies which type of encryption is to be applied when encrypting a specified portion of data stored in a database. The database has a database schema identified by a database schema identifier, where the database schema defines relationships for data stored in the database. The computer system then accesses a namespace that identifies a set of databases in which the specified portion of data is accessed in the same manner. The computer system also generates a policy identifier, which contains information including the namespace and the database schema identifier.
    Type: Grant
    Filed: August 13, 2014
    Date of Patent: November 17, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Michael Entin, Dmitry Denisov, Lars Kuhtz, Irina Gorbach, Venkatesh Krishnan, Andrey Shur
  • Publication number: 20150302051
    Abstract: A mechanism to visualize data to a user in a sufficient manner. The user selects a visualization type to visualize a selected subset of a data model. To fit the data well into a visualization of that visualization type, the system then evaluates the user selections of the visualization type of the subset of data against the rule set. Based on the evaluation, the system determines that the subset of data overpopulates the visualization type. In some embodiments, the system further identifies one or more filters to apply to the subset of data which would decrease the population of data within the virtualization type. Then, a visualization of the selected visualization type is to be displayed using at least one of the one or more identified filter.
    Type: Application
    Filed: April 21, 2014
    Publication date: October 22, 2015
    Applicant: Microsoft Corporation
    Inventors: Patrick J. Baumgartner, Pedram Faghihi Rezaei, Sharath Kodi Udupa, Irina Gorbach, Adam David Wilson
  • Publication number: 20150278315
    Abstract: A mechanism to visualize data to a user in a sufficient manner. The user selects a visualization type to visualize a selected subset of a data model. To fit the data well into a visualization of that visualization type, the system then evaluates the user selections of the visualization type of the subset of data against the rule set. Based on the evaluation, the system determines that the subset of data does not populate or insufficiently populates the visualization type. In some embodiments, the system further recommends additional data to supplement the selected subset of data to more sufficiently utilize the visualization to display the subset of data in conjunction with the supplemented data. The system may further display the visualization based on the selected subset of the data model perhaps before and/or after supplemented with the supplemented data.
    Type: Application
    Filed: April 1, 2014
    Publication date: October 1, 2015
    Applicant: Microsoft Corporation
    Inventors: Patrick J. Baumgartner, Pedram Faghihi Rezaei, Sharath Kodi Udupa, Irina Gorbach, Adam David Wilson
  • Publication number: 20150143127
    Abstract: Embodiments include method, systems, and computer program products for filtering trust services records. Embodiments include receiving a trust services record that includes a plurality of security components and that is usable to secure data that is stored in an untrusted location. It is determined whether the trust services record has been tampered with, including verifying each of the plurality of security components of the trust services record. The trust services record is filtered based on the determination of whether the trust services record has been tampered with. The filtering includes, when the trust services record is determined to have not been tampered with, allowing performance of at least one task with respect to the secured data; and, when the trust services record is determined to have been tampered with, disallowing performance of any task with respect to the secured data.
    Type: Application
    Filed: January 29, 2015
    Publication date: May 21, 2015
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Patent number: 8959351
    Abstract: Embodiments are directed to securely filtering trust services records. In one scenario, a client computer system receives at least one of the following trust services records: a trust services certificate, a principal certificate, a group certificate and a trust services policy. The client computer system performs a time validity check to validate the trust services record's timestamp, performs an integrity check to validate the integrity of the trust services record and performs a signature validity check to ensure that the entity claiming to have created the trust services record is the actual creator of the trust services record. The client computer system then, based on the time validity check, the integrity check and the signature validity check, determines that the trust services record is valid and allows a client computer system user to perform a specified task using the validated trust services record.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: February 17, 2015
    Assignee: Microsoft Corporation
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Publication number: 20140351884
    Abstract: Embodiments are directed to mapping encryption policies to data stored in a database using a policy identifier, and to accessing data stored in a database using a policy identifier. In one scenario, a computer system receives an indication that identifies which type of encryption is to be applied when encrypting a specified portion of data stored in a database. The database has a database schema identified by a database schema identifier, where the database schema defines relationships for data stored in the database. The computer system then accesses a namespace that identifies a set of databases in which the specified portion of data is accessed in the same manner. The computer system also generates a policy identifier, which contains information including the namespace and the database schema identifier.
    Type: Application
    Filed: August 13, 2014
    Publication date: November 27, 2014
    Inventors: Michael Entin, Dmitry Denisov, Lars Kuhtz, Irina Gorbach, Venkatesh Krishnan, Andrey Shur
  • Patent number: 8819770
    Abstract: Embodiments are directed to mapping encryption policies to user data stored in a database using a policy column uniform resource identifier (URI). In one scenario, a computer system receives the following: a database schema name that identifies the name of a specified schema within a relational database in which user data is stored, a table name that identifies a specified table within the relational database, a column name that identifies a specified column in the specified table and a namespace identifier that identifies a set of relational databases. The computer system also receives an indication that identifies which type of encryption is to be applied when encrypting the column of data specified by the column name. The computer system then generates a policy column URI that includes a hierarchical string comprising the namespace identifier, the database schema name, the table name and the column name.
    Type: Grant
    Filed: October 4, 2012
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventors: Michael Entin, Dmitry Denisov, Lars Kuhtz, Irina Gorbach, Venkatesh Krishnan, Andrey Shur
  • Publication number: 20140115327
    Abstract: In one scenario, a computer system accesses a first principal's public key to generate a group private key that is encrypted using the first principal's public key. The generated group private key provides access to data keys that are used to encrypt data resources. The computer system accesses a second principal's public key to encrypt the generated group private key using the second principal's public key and encrypts at least one of the data keys using a group public key, where the data key allows access to encrypted data resources. The first principal then decrypts the group private key using the first principal's private key, decrypts the data key using the decrypted group private key and accesses the data resource using the decrypted data key. The second principal also performs these functions with their private key to access the data resource.
    Type: Application
    Filed: October 22, 2012
    Publication date: April 24, 2014
    Applicant: Microsoft Corporation
    Inventors: Irina Gorbach, Venkatesh Krishnan, Rafayel Bezirganyan, Andrey Shur, Dmitry Denisov, Lars Kuhtz
  • Publication number: 20140101713
    Abstract: Embodiments are directed to mapping encryption policies to user data stored in a database using a policy column uniform resource identifier (URI). In one scenario, a computer system receives the following: a database schema name that identifies the name of a specified schema within a relational database in which user data is stored, a table name that identifies a specified table within the relational database, a column name that identifies a specified column in the specified table and a namespace identifier that identifies a set of relational databases. The computer system also receives an indication that identifies which type of encryption is to be applied when encrypting the column of data specified by the column name. The computer system then generates a policy column URI that includes a hierarchical string comprising the namespace identifier, the database schema name, the table name and the column name.
    Type: Application
    Filed: October 4, 2012
    Publication date: April 10, 2014
    Applicant: Microsoft Corporation
    Inventors: Michael Entin, Dmitry Denisov, Lars Kuhtz, Irina Gorbach, Venkatesh Krishnan, Andrey Shur
  • Publication number: 20140075196
    Abstract: Embodiments are directed to securely filtering trust services records. In one scenario, a client computer system receives at least one of the following trust services records: a trust services certificate, a principal certificate, a group certificate and a trust services policy. The client computer system performs a time validity check to validate the trust services record's timestamp, performs an integrity check to validate the integrity of the trust services record and performs a signature validity check to ensure that the entity claiming to have created the trust services record is the actual creator of the trust services record. The client computer system then, based on the time validity check, the integrity check and the signature validity check, determines that the trust services record is valid and allows a client computer system user to perform a specified task using the validated trust services record.
    Type: Application
    Filed: September 13, 2012
    Publication date: March 13, 2014
    Applicant: Microsoft Corporation
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Publication number: 20140075184
    Abstract: Embodiments are directed to securing data in the cloud, securely encrypting data that is to be stored in the cloud and to securely decrypting data accessed from the cloud. In one scenario, an instantiated trust service receives information indicating that a trust server is to be instantiated. The trust service instantiates the trust server, which is configured to store key references and encrypted keys. The trust service receives the public key portion of a digital certificate for each publisher and subscriber that is to have access to various specified portions of encrypted data. A data access policy is then defined that specifies which encrypted data portions can be accessed by which subscribers.
    Type: Application
    Filed: September 11, 2012
    Publication date: March 13, 2014
    Applicant: Microsoft Corporation
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumalatha Adabala, Roy Peter D'Souza, Michael Entin, Michael Ray Clark, Gitika Aggarwal Saubhasik
  • Patent number: 7958122
    Abstract: Systems and method for creating multidimensional data cubes containing data domains for analyzing large amounts of data are provided. Data domains may be included in the major object of a multidimensional data cube. Further embodiments of the present invention provide methods for querying multidimensional data cubes having data domains. Embodiments of the present invention provide for defining data domains by any object in the major object model and for defining parent and child data domains.
    Type: Grant
    Filed: March 5, 2008
    Date of Patent: June 7, 2011
    Assignee: Microsoft Corporation
    Inventors: Mosha Pasumansky, Alexander Berger, Dmitry Berger, Irina Gorbach, Marius Dumitru
  • Patent number: 7756739
    Abstract: A simple interface may be provided that enables the user to define parameters for aggregation of a semi-additive measure. The interface may enable the user to designate a measure as a semi-additive measure and to pair the measure with an additive aggregation function. The interface may also enable the user to select non-additive dimensions and to pair each non-additive dimension with a corresponding aggregation function. One such aggregation function is a by account aggregation function, which enables each account in an account dimension to be aggregated across a corresponding non-additive dimension according to an associated account type.
    Type: Grant
    Filed: February 12, 2004
    Date of Patent: July 13, 2010
    Assignee: Microsoft Corporation
    Inventors: Thierry D'hers, Thomas Conlon, Mosha Pasumansky, Irina Gorbach, Alexander Berger
  • Publication number: 20090228436
    Abstract: Systems and method for creating multidimensional data cubes containing data domains for analyzing large amounts of data are provided. Data domains may be included in the major object of a multidimensional data cube. Further embodiments of the present invention provide methods for querying multidimensional data cubes having data domains. Embodiments of the present invention provide for defining data domains by any object in the major object model and for defining parent and child data domains.
    Type: Application
    Filed: March 5, 2008
    Publication date: September 10, 2009
    Applicant: Microsoft Corporation
    Inventors: Mosha Pasumansky, Alexander Berger, Dmitry Berger, Irina Gorbach, Marius Dumitru
  • Publication number: 20060020933
    Abstract: The subject invention pertains to the integration of an object model and a multidimensional database query language such as MDX. In particular, multidimensional declarative query language entities can be exposed through objects in an object model. The object model enables generation and employment of procedural language functions, routines, or procedures that interact with multidimensional database data. This effectively provides an extension for multidimensional query languages. For example, procedures can be stored and invoked from a declarative language query. Furthermore, the object model disclosed herein can expose a context object to enable conditional procedures based on the context of execution.
    Type: Application
    Filed: April 28, 2005
    Publication date: January 26, 2006
    Applicant: Microsoft Corporation
    Inventors: Mosha Pasumansky, Irina Gorbach, Alexander Balikov, Alexander Berger, Marius Dumitru, Thomas Conlon
  • Publication number: 20060020620
    Abstract: The subject disclosure pertains to extensible data mining systems, means, and methodologies. For example, a data mining system is disclosed that supports plug-in or integration of non-native mining algorithms, perhaps provided by third parties, such that they function the same as built-in algorithms. Furthermore, non-native data mining viewers may also be seamlessly integrated into the system for displaying the results of one or more algorithms including those provided by third parties as well as those built-in. Still further yet, support is provided for extending data mining languages to include user-defined functions (UDFs).
    Type: Application
    Filed: June 21, 2005
    Publication date: January 26, 2006
    Applicant: Microsoft Corporation
    Inventors: Raman Iyer, Ioan Crivat, C. MacLennan, Scott Oveson, Rong Guan, ZhaoHui Tang, Pyungchul Kim, Irina Gorbach
  • Publication number: 20060007731
    Abstract: A system that facilitates one or more of querying and updating a multi-dimensional structure comprises a component that receives a statement in a declarative language relating to a typed object associated with a multi-dimensional structure. A conversion component analyzes context associated with the statement and automatically converts the object to a disparate type as a function of the analysis. For example, an execution engine can comprise the conversion component, and the execution engine can be an Online Analytical Processing (OLAP) engine.
    Type: Application
    Filed: March 1, 2005
    Publication date: January 12, 2006
    Applicant: Microsoft Corporation
    Inventors: Marius Dumitru, Amir Netz, Mosha Pasumansky, Cristian Petculescu, Richard Tkachuk, Alexander Berger, Irina Gorbach, Grzegorz Guzik
  • Publication number: 20060010110
    Abstract: A system that facilitates data mining comprises a reception component that receives command(s) in a declarative language that relate to utilizing an output of a first data mining model as an input to a second data mining model. An implementation component analyzes the received command(s) and implements the command(s) with respect to the first and second data mining models. In another aspect of the subject invention, the reception component can receive further command(s) in a declarative language with respect to causing one or more of the first and second data mining models to output a prediction, the prediction desirably generated without prediction input, the implementation component causes the one or more of the first and second data mining models to output the prediction.
    Type: Application
    Filed: February 2, 2005
    Publication date: January 12, 2006
    Applicant: Microsoft Corporation
    Inventors: Pyungchul Kim, ZhaoHui Tang, Ioan Crivat, C. MacLennan, Raman Iyer, Irina Gorbach