Dynamically redacting confidential information
US-2020314068-A1 · Oct 1, 2020 · US
US12299106B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12299106-B2 |
| Application number | US-202318109134-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 13, 2023 |
| Priority date | Oct 8, 2019 |
| Publication date | May 13, 2025 |
| Grant date | May 13, 2025 |
Official abstract text for this publication.
Methods, systems, and apparatus, including computer programs encoded on computer storage media for data security protection are provided. One of the methods includes: receiving a job associated with a project, wherein the project is associated with one or more data sources; identifying a plurality of inputs and a plurality of outputs associated with the job; determining a plurality of required permissions associated with the job, wherein each of the required permissions comprises an operation on a required data source, the operation corresponding to at least one of the inputs or the outputs; verifying that the one or more data sources associated with the project comprise the required data source associated with each of the required permissions; and generating a token associated with the job, the token encoding the required permissions associated with the job, wherein the token is required for execution of the job.
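The flow in the abstract, sketched as an added example (not code from the patent or its assignee). The HMAC-signed JSON token format, the signing key, the function names and the sample job are assumptions, and the `authorize` check goes one step beyond the abstract to show how an enforcement point could use the permissions encoded in the token.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # assumption: known only to the token issuer
PROJECT_SOURCES = {"sales_raw", "sales_clean"}  # constructed sample project
JOB = {"id": "job-1", "inputs": ["sales_raw"], "outputs": ["sales_clean"]}

def required_permissions(job):
    """Map each input to a read and each output to a write on its data source."""
    perms = {("read", src) for src in job["inputs"]}
    perms |= {("write", dst) for dst in job["outputs"]}
    return sorted(perms)

def issue_job_token(job, project_sources):
    """Verify every required data source belongs to the project, then sign a token."""
    perms = required_permissions(job)
    missing = sorted({src for _, src in perms} - set(project_sources))
    if missing:
        raise PermissionError(f"data sources not associated with project: {missing}")
    body = json.dumps({"job": job["id"], "perms": perms}, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    encode = lambda raw: base64.urlsafe_b64encode(raw).decode()
    return encode(body) + "." + encode(tag)

def authorize(token, job_id, operation, source):
    """Allow an operation only if an untampered token for this job encodes it."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(body)
    return claims["job"] == job_id and [operation, source] in claims["perms"]

if __name__ == "__main__":
    token = issue_job_token(JOB, PROJECT_SOURCES)
    print(authorize(token, "job-1", "read", "sales_raw"))   # within the token
    print(authorize(token, "job-1", "write", "sales_raw"))  # exceeds the token
```

A request for an operation outside the encoded permissions, for a different job, or with a modified token body is refused by `authorize`.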
Opening claim text (preview).
The invention claimed is:

1. A computer-implemented method, implemented by a computing system, the method comprising: receiving, from a client device associated with a user or from a service, a job associated with a project, wherein the project is associated with one or more data sources; determining first permissions corresponding to the client device or the service and second permissions corresponding to a second client device or a second service, wherein: each of the first permissions comprises an operation on a data source; generating a token associated with the job, the token encoding the first permissions or the second permissions; receiving a request from the client device or the service for the token; determining whether the client device or the service is authorized to execute the job based on the first permissions; in response to determining that the client device or the service is authorized to execute the job, granting the token to the client device or the service to enable the client device or the service to execute the job; and in response to executing the job, selectively transmitting a result of the execution of the job to a different client device or a different service based on whether the different client device or the different service is authorized to access the result, based on the second permissions.

2. The computer-implemented method of claim 1, wherein the job comprises one or more data transformations.

3. The computer-implemented method of claim 1, wherein the one or more data sources associated with the project comprise: one or more data sources internal to the project; or one or more data sources external to the project, wherein the project comprises a reference to each of the one or more data sources external to the project.

4. The computer-implemented method of claim 1, wherein the one or more required permissions comprise: reading data from a data source external to the project; or writing to a data source external to the project.

5. The computer-implemented method of claim 1, further comprising: communicating, to the client device or the service, a response approving the request.

6. The computer-implemented method of claim 1, further comprising: obtaining a result associated with execution of the one or more data transformations; verifying that the service possesses one or more access permissions associated with accessing the result; and providing the result to the service.

7. The computer-implemented method of claim 1, wherein the service comprises a first service, the request comprises a first request, and the computer-implemented method further comprising: receiving, from a second service, a second request to execute one or more data transformations, wherein the second request comprises the token associated with the job; determining that at least one of the one or more data transformations require a permission exceeding the permissions encoded in the token; and communicating, to the second service, a response denying the request.

8. A system comprising: at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the system to perform operations comprising: receiving, from a client device associated with a user or from a service, a job associated with a project, wherein the project is associated with one or more data sources; determining first permissions corresponding to the client device or the service and second permissions corresponding to a second client device or a second service, wherein: each of the first permissions comprises an operation on a data source; generating a token associated with the job, the token encoding the first permissions or the second permissions; receiving a request from the client device or the service for the token; determining whether the client device or the service is authorized to execute the job based on the first permissions; in response to determining that the client device or the service is authorized to execute the job, granting the token to the client device or the service to enable the client device or the service to execute the job; and in response to executing the job, selectively transmitting a result of the execution of the job to a different client device or a different service based on whether the different client device or the different service is authorized to access the result, based on the second permissions.

9. The system of claim 8, wherein the job comprises one or more data transformations.

10. The system of claim 8, wherein the one or more data sources associated with the project comprise: one or more data sources internal to the project; or one or more data sources external to the project, wherein the project comprises a reference to each of the one or more data sources external to the project.

11. The system of claim 8, wherein the one or more required permissions comprise: reading data from a data source external to the project; or writing to a data source external to the project.

12. The system of claim 8, wherein the instructions that, when executed by the at least one processor, cause the system to perform operations comprising: communicating, to the client device or the service, a response approving the request.

13. The system of claim 8, wherein the instructions that, when executed by the at least one processor, cause the system to perform operations comprising: obtaining a result associated with execution of the one or more data transformations; verifying that the service possesses one or more access permissions associated with accessing the result; and providing the result to the service.

14. The system of claim 8, wherein the service comprises a first service, the request comprises a first request, and the instructions that, when executed by the at least one processor, cause the system to perform operations comprising: receiving, from a second service, a second request to execute one or more data transformations, wherein the second request comprises the token associated with the job; determining that at least one of the one or more data transformations require a permission exceeding the permissions encoded in the token; and communicating, to the second service, a response denying the request.

15. A non-transitory computer readable medium comprising instructions that, when executed, cause one or more processors to perform: receiving, from a client device associated with a user or from a service, a job associated with a project, wherein the project is associated with one or more data sources; determining first permissions corresponding to the client device or the service and second permissions corresponding to a second client device or a second service, wherein: each of the first permissions comprises an operation on a data source; generating a token associated with the job, the token encoding the first permissions or the second permissions; receiving a request from the client device or the service for the token; determining whether the client device or the service is authorized to execute the job based on the first permissions; in response to determining that the client device or the service is authorized to execute the job, granting the token to the client device or the service to enable the client device or the service to execute the job; and in response to executing the job, selectively transmitting a result of the execution of the job to a different client device or a different service based on whether the different client device or the different service is authorized to acce
Protecting access to data via a platform, e.g. using keys or access control rules · CPC title
Tools and structures for managing or administering access control systems · CPC title
Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
Entity profiles · CPC title