Abstract: A data platform for managing an application as a first-class database object. The data object can include User Interface (UI) components. The data application can be shared by a provider account to a plurality of consumer accounts using a share object and based on grant commands. The consumer accounts can deploy and operate the UI component based on the share object.

Abstract: A data platform for developing and deploying a data application. The data platform receives from a first user the data application and provider granted privileges including a consumer usage privilege and a consumer access to data privilege. The data platform authorizes the second user to access the data platform based on one or more consumer account privileges included in a set of account privileges. The data platform authorizes the second user to execute the data application based on the consumer usage privilege. During execution, the data platform authorizes the data application to access the provider database object based on the consumer access to data privilege, and authorizes the data application to access the consumer database object based on a provider access to data privilege provided by the second user.

Abstract: A data platform for developing and deploying a data application. The data platform receives from a first user the data application and provider granted privileges including a consumer usage privilege and a consumer access to data privilege. The data platform authorizes the second user to access the data platform based on one or more consumer account privileges included in a set of account privileges. The data platform authorizes the second user to execute the data application based on the consumer usage privilege. During execution, the data platform authorizes the data application to access the provider database object based on the consumer access to data privilege, and authorizes the data application to access the consumer database object based on a provider access to data privilege provided by the second user.

Abstract: Systems and methods for generating object references with selectable scopes are provided. The systems and methods perform operations including calling, by a first entity, a reference generator function using one or more arguments associated with a database object that the first entity is authorized to access according to a first set of access privileges, the one or more arguments comprising a scope definition that defines persistence of a reference. The operations include obtaining, from the reference generator function, a reference to the database object, the reference persisting according to the scope definition. The operations include passing the reference to a second entity to enable the second entity to perform one or more database operations on the database object according to a second set of access privileges derived from the first set of access privileges.

Abstract: Embodiments of the present disclosure related to sharing applications within a data sharing platform. An example method includes replicating a database from a provider account of a data sharing platform to a consumer account of the data sharing platform. The method further includes executing an installation script within the consumer account to install an application in the consumer account of the data sharing platform responsive to the replicating. The method further includes creating, by a processing device, a set of database roles to manage execution of the application in the consumer account, wherein one or more of the set of database roles determine access privileges granted to the application for accessing the database inside the consumer account. The application is to perform a data processing service relative to a data asset in the database.

Abstract: Methodologies for upgrading and patching an in-database application package and its application instances. A data platform determines a number of objects of an application instance running on the data platform at a previous version level of an application package of the application instance. In response to determining the number of objects of the application package running on the data platform at the previous version level of the application package is one or more, the data platform continues determining the number of objects running on the data platform at a previous version level of the application package. In response to determining the number of objects of the application instance running on the data platform at the previous version level of the application package is none, the data platform upgrades the application instance to the new version of the application package.

Abstract: An in-database application package and application instance for a data platform. The data platform creates an application instance of an application package having a versioned schema, creates one or more system roles for the application instance, creates a user role and an administrator role for the application instance, creates one or more objects of the application instance based on a versioned schema, and grants one or more use privileges to the one or more roles. Application instances of the application package are upgraded or patched on the data platform based on application package versions. To ensure a proper upgrade or patch, the data platform tracks versions of executing objects of application instances in a call context.

Abstract: Disclosed herein are systems and methods for managing database-level roles for data sharing. In an embodiment, a database system shares a database that resides in a data-provider account with a data-consumer account. The provider-side database includes a provider-side database-level role. The database system receives a request to grant the provider-side database-level role to a consumer-side account-level role in the data-consumer account. The database system responsively grants a hidden provider-side database-level role in the data-provider account to a hidden consumer-side database-level role in the data-consumer account, where the hidden provider-side database-level role had been granted to the provider-side database-level role, and grants the hidden consumer-side database-level role to the consumer-side account-level role in the data-consumer account.

Abstract: A data platform for developing and deploying a user application within a unified security context. The data platform authorizes a first user to use an editor to access source code of a user application based on security policies of a security context and authorizes the first user to use an application and data manager to set usage privileges for a second user to use the user application based on the security policies of the security context. To provide the user application to the second user, the data platform deploys the user application by instantiating a User Defined Function (UDF) server and an application engine of the UDF server within the security context, instantiating the user application as an application of the application engine within the security context, and authorizing access by the user application to databased on the security policies of the security context.

Abstract: A data platform for developing and deploying a user application within a unified security context. The data platform authorizes a first user to use an editor to access source code of a user application based on security policies of a security context and authorizes the first user to use an application and data manager to set usage privileges for a second user to use the user application based on the security policies of the security context. To provide the user application to the second user, the data platform deploys the user application by instantiating a User Defined Function (UDF) server and an application engine of the UDF server within the security context, instantiating the user application as an application of the application engine within the security context, and authorizing access by the user application to databased on the security policies of the security context.

Abstract: Embodiments of the present disclosure enable users of a data sharing system to build native applications that can be shared with other users of the data sharing system. The native applications can be published and discovered in the data sharing system like any other data listing, and consumers can install them in their local data sharing system account to serve their data processing needs. A provider may define an installation script for installing an application and create a share object to which the installation script may be attached. In response to an imported database being created in a consumer account based on the share object, a native application framework may automatically execute the installation script in the consumer account and may create a set of database roles to manage execution of the application in the consumer account.

Abstract: An in-database application package and application instance for a data platform. The data platform creates an application instance of an application package having a versioned schema, creates one or more system roles for the application instance, creates a user role and an administrator role for the application instance, creates one or more objects of the application instance based on a versioned schema, and grants one or more use privileges to the one or more roles. Application instances of the application package are upgraded or patched on the data platform based on application package versions. To ensure a proper upgrade or patch, the data platform tracks versions of executing objects of application instances in a call context.

Abstract: A data platform for developing and deploying a data application. The data platform receives from a first user the data application and provider granted privileges including a consumer usage privilege and a consumer access to data privilege. The data platform authorizes the second user to access the data platform based on one or more consumer account privileges included in a set of account privileges. The data platform authorizes the second user to execute the data application based on the consumer usage privilege. During execution, the data platform authorizes the data application to access the provider database object based on the consumer access to data privilege, and authorizes the data application to access the consumer database object based on a provider access to data privilege provided by the second user.

Abstract: A data platform for managing an application as a first-class database object. The data platform includes at least one processor and a memory storing instructions that cause the at least one processor to perform operations including detecting a data request from a browser for a data object located on the data platform, executing a stored procedure, the stored procedure containing instructions that cause the at least one processor to perform additional operations including instantiating a User Defined Function (UDF) server, an application engine, and the application within a security context of the data platform based on a security policy determined by an owner of the data object. The data platform then communicates with the browser using the application engine as a proxy server.

Abstract: A data platform for managing an application as a first-class database object. The data object can include User Interface (UI) components. The data application can be shared by a provider account to a plurality of consumer accounts using a share object and based on grant commands. The consumer accounts can deploy and operate the UI component based on the share object.

Abstract: A data platform for developing and deploying a user application within a unified security context. The data platform authorizes a first user to use an editor to access source code of a user application based on security policies of a security context and authorizes the first user to use an application and data manager to set usage privileges for a second user to use the user application based on the security policies of the security context. To provide the user application to the second user, the data platform deploys the user application by instantiating a User Defined Function (UDF) server and an application engine of the UDF server within the security context, instantiating the user application as an application of the application engine within the security context, and authorizing access by the user application to databased on the security policies of the security context.

Abstract: A consumer account may invoke an operation referencing a set of shared objects stored within a database of a provider account using an imported database that makes the set of shared objects available within the consumer account. A call context of the operation may be updated to cache the imported database, which references a share created from the provider account database, the share having grants to the set of shared objects. One or more database level objects may be discovered in a context of the share and each role granted to the share may be obtained based on the one or more database level objects. Whether any role granted to the share has access to any of the set of shared objects may be determined and the operation may be executed for each of the set of shared objects to which any role granted to the share has access.

Abstract: Methodologies for upgrading and patching an in-database application package and its application instances. A data platform determines a number of objects of an application instance running on the data platform at a previous version level of an application package of the application instance. In response to determining the number of objects of the application package running on the data platform at the previous version level of the application package is one or more, the data platform continues determining the number of objects running on the data platform at a previous version level of the application package. In response to determining the number of objects of the application instance running on the data platform at the previous version level of the application package is none, the data platform upgrades the application instance to the new version of the application package.

Abstract: A data platform for developing and deploying a data application. The data platform receives from a first user the data application and provider granted privileges including a consumer usage privilege and a consumer access to data privilege. The data platform authorizes the second user to access the data platform based on one or more consumer account privileges included in a set of account privileges. The data platform authorizes the second user to execute the data application based on the consumer usage privilege. During execution, the data platform authorizes the data application to access the provider database object based on the consumer access to data privilege, and authorizes the data application to access the consumer database object based on a provider access to data privilege provided by the second user.

Abstract: A data platform for managing an application as a first-class database object. The data platform includes at least one processor and a memory storing instructions that cause the at least one processor to perform operations including detecting a data request from a browser for a data object located on the data platform, executing a stored procedure, the stored procedure containing instructions that cause the at least one processor to perform additional operations including instantiating a User Defined Function (UDF) server, an application engine, and the application within a security context of the data platform based on a security policy determined by an owner of the data object. The data platform then communicates with the browser using the application engine as a proxy server.