Generally, the invention relates to providing profile based data
access to users. More specifically, the invention relates to method and
system for providing profile-based data access through a semantic domain
layer.
Background
[002] Most of data visualization and reporting tools available
nowadays, have capabilities to create and configure data connections,
query, join, and filter. These existing tools provide assistance to load and
visualize data from different data sets. Moreover, in order to create data sets
via these tools, there is a need to take help from an Information Technology
(IT) team (or data engineer) to identify right data sources, tables (tables,
fields, joins) and data definitions. Once the data sources are identified, then
using these existing tools, final datasets are created. Further, the final
datasets created, that are available within the existing tools are used for
data visualization and querying activities. Based on the final datasets
created, all business users (or end user) creates reports and dashboard as
per their requirements.
[003] However, there are certain limitations and complications in the
existing tools that are used for data visualization and querying activities. The
limitations in the existing tools includes strong dependency to identify and
create final datasets before the final datasets can be used for reporting and
data visualization purpose. Additionally, the final datasets created using
these existing tools are available and limited within these tools only and can
be consumed internally (i.e., within the tools itself). In other words, the final
datasets created are not visible outside to get consumed by external
applications.
Docket No: IIP-HCL-P0055
-3-
[004] Further, during creation of the final dataset, permissions for
row level and column level for a user are static. In addition, these
permissions have to be defined for the user while creating the final datasets.
Moreover, user level permissions and access need to get defined at user,
role, and group level. This in turn provides limited capabilities for dynamic
user persona detection and available control. Since, user views, filter
conditions, and access levels need to get defined at user, role, and group
level, these existing tools provides less integration and reusability
capabilities of the final datasets created and data definitions.
[005] Also, the existing tools provides limited self-service approach
to business users for creating visualization, reports, and dashboards, as
there is a need of separate report layer to access data sets and create
reports. Moreover, the existing tools are untrustworthy and don’t have a
single source of truth as data sources are available without masking and
encryption. Due to above listed limitations, these existing tools cannot bring
self-service approach to create visualization on top of data, due to
dependency on IT teams or data engineers, and static behavior.
[006] Therefore, there is a need of an efficient and reliable method
and system providing profile-based data and visualization access through a
semantic domain layer.
SUMMARY OF INVENTION
[007] In one embodiment, a method for providing profile-based data
and visualization access through a semantic domain layer is disclosed. The
method may include receiving a user request to access data. The method
may include determining a user profile from a plurality of user profiles
associated with the user. It should be noted that, the plurality of user profiles
corresponds to a plurality of users. The method may include extracting a
first access level from a first set of access levels associated with the user
profile. The method may include mapping the user profile with a domain
object from a plurality of domain objects, based on a second access level
Docket No: IIP-HCL-P0055
-4-
from the first set of access levels associated with the domain object. The
method may include selectively rendering at least a portion of the data
requested in the user request to the user, in response to mapping the user
profile with the domain object.
[008] In another embodiment, a system for providing profile-based
data and visualization access through a semantic domain layer is disclosed.
The system includes a processor and a memory communicatively coupled
to the processor. The memory may store processor-executable instructions,
which, on execution, may causes the processor to receive a user request to
access data. It should be noted that, the plurality of user profiles
corresponds to a plurality of users. The processor-executable instructions,
on execution, may further cause the processor to determine a user profile
from a plurality of user profiles associated with the user. The processorexecutable instructions, on execution, may further cause the processor to
extract a first access level from a first set of access levels associated with
the user profile. The processor-executable instructions, on execution, may
further cause the processor to map the user profile with a domain object
from a plurality of domain objects, based on a second access level from the
first set of access levels associated with the domain object. The processorexecutable instructions, on execution, may further cause the processor to
selectively render at least a portion of the data requested in the user request
to the user, in response to mapping the user profile with the domain object.
[009] It is to be understood that both the foregoing general
description and the following detailed description are exemplary and
explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[010] The present application can be best understood by reference
to the following description taken in conjunction with the accompanying
drawing figures, in which like parts may be referred to by like numerals.
Docket No: IIP-HCL-P0055
-5-
[011] FIG. 1 illustrates a diagram of a system for providing profilebased data access through a semantic domain layer, in accordance with an
embodiment.
[012] FIG. 2 illustrates a flow diagram of a semantic domain layer
used for providing profile based data access, in accordance with an
embodiment.
[013] FIG. 3 illustrates a flowchart of a method for providing profile
based data access through a semantic domain layer, in accordance with an
embodiment.
[014] FIG. 4 illustrates a flowchart of a method of mapping a user
profile with a domain object from a plurality of domain objects, in accordance
with an embodiment.
[015] FIG. 5 illustrates a flowchart of a method for creating a domain
object, in accordance with an exemplary embodiment.
[016] FIGs. 6A – 6H illustrate an exemplary representation of
creation of a domain object, in accordance with an exemplary embodiment.
[017] FIGs. 7A and 7C illustrate an exemplary representation of a
process of defining a domain object level permission corresponding to a
plurality of users, in accordance with an exemplary embodiment.
[018] FIG. 8 illustrates an exemplary representation of a new user
profile created via a semantic domain layer, in accordance with an
exemplary embodiment.
DETAILED DESCRIPTION OF THE DRAWINGS
[019] The following description is presented to enable a person of
ordinary skill in the art to make and use the invention and is provided in the
context of particular applications and their requirements. Various
modifications to the embodiments will be readily apparent to those skilled in
the art, and the generic principles defined herein may be applied to other
embodiments and applications without departing from the spirit and scope
Docket No: IIP-HCL-P0055
-6-
of the invention. Moreover, in the following description, numerous details
are set forth for the purpose of explanation. However, one of ordinary skill
in the art will realize that the invention might be practiced without the use of
these specific details. In other instances, well-known structures and devices
are shown in block diagram form in order not to obscure the description of
the invention with unnecessary detail. Thus, the invention is not intended to
be limited to the embodiments shown but is to be accorded the widest scope
consistent with the principles and features disclosed herein.
[020] While the invention is described in terms of particular
examples and illustrative figures, those of ordinary skill in the art will
recognize that the invention is not limited to the examples or figures
described. Those skilled in the art will recognize that the operations of the
various embodiments may be implemented using hardware, software,
firmware, or combinations thereof, as appropriate. For example, some
processes can be carried out using processors or other digital circuitry under
the control of software, firmware, or hard-wired logic. (The term “logic”
herein refers to fixed hardware, programmable logic and/or an appropriate
combination thereof, as would be recognized by one skilled in the art to carry
out the recited functions.) Software and firmware can be stored on
computer-readable storage media. Some other processes can be
implemented using analog circuitry, as is well known to one of ordinary skill
in the art. Additionally, memory or other storage, as well as communication
components, may be employed in embodiments of the invention.
[021] A system 100 for providing profile based data access through
a semantic domain layer 102, is illustrated in FIG. 1. In an embodiment, the
semantic domain layer 102 may also be referred to as a self-service
semantic domain layer. The semantic domain layer 102 may facilitate profile
based access permission along with masking, encryption of data, object
control, and schema control. In addition, the semantic domain layer 102 may
be externally accessible from other applications to integrate and load data.
Moreover, the semantic domain layer 102 may auto generate query, joins,
Docket No: IIP-HCL-P0055
-7-
and views with minimal knowledge of data and structure. In order to facilitate
profile based data access, the semantic domain layer 102 may include a set
of components. The set of components may include a Semantic Domain
Layer (SDL) user interface, an SDL query engine, and at least one of a Joint
Database Connectivity (JDBC) and an Open Database Connectivity
(ODBC). This is further explained in detail in conjunction to FIG. 2.
[022] In particular, in order to provide profile based data access to a
user, initially, the semantic domain layer 102 may create a plurality of user
profiles. The plurality of user profiles created may correspond to a plurality
of users. In an embodiment, each of the plurality of user profiles may also
be referred as a user persona. Moreover, each of the plurality of user
profiles may be created by an administrator of the semantic domain layer
102. In an embodiment, the administrator may correspond to a person that
may have access of all functionalities of the semantic domain layer 102. In
other words, the administrator may be referred to as the person that may be
responsible to create new user profiles, create new domain objects, provide
access level and access permission to other users working in an
organization. Examples of the administrator may include, but are not limited
to, owner of an organization, head of a department, or a manager, etc.
[023] Further, each of the plurality of user profiles created may be
associated with at least one of a plurality of user attributes. The plurality of
user attributes may include, but are not limited to at least one of employee
Identifier (ID), organization ID, team ID, business unit ID, user location,
current designation, department, user type, or access levels. Thereafter, the
administrator may assign a first access level from a first set of access levels
to each of the plurality of user profiles via the semantic domain layer 102. In
an embodiment, the first access level may be assigned to verify a user
requesting data access. In order to verify the user, the semantic domain
layer 102 may validate whether, the user requesting the access of data
belongs to the plurality of user profiles created or not. In addition, the first
Docket No: IIP-HCL-P0055
-8-
set of access levels may include a public access level, a private access
level, and a protected access level.
[024] Once the user profile is created, the administrator may create
a plurality of domain objects utilizing the semantic domain layer 102. In order
create the plurality of domain object, at least one data source may be
selected from a plurality of data warehouse and structured files 104.
Examples of the at least one data source may include, but are not limited to
any type of databases, flat files, and web services. A method of creating
each of the plurality of domain objects is explained in detail in conjunction
with FIG. 5. Once the plurality of domain objects are created, the
administrator may assign a second access level from the first set of access
levels to each of the plurality of domain objects via the semantic domain
layer 102.
[025] Further, the semantic domain layer 102 may receive a user
request to access data. Upon receiving the user request, the semantic
domain layer 102 may provide access of the requested data based on
mapping of the user profile with a domain object from the plurality of domain
objects. In an embodiment, the mapping of the user profile with the domain
object may be done only when the user profile of the user requesting the
access of data corresponds to one of the plurality of user profiles created.
Thereafter, at least a portion of the data requested by the user in the user
request may be rendered to the user as an output 106. The portion of
requested data may be rendered to the user in one of a predefined set of
data visualization formats. The predefined set of data visualization formats
may include, but are not limited to, charts, graphs, tables, reports, and
diagrams.
[026] In an embodiment, the system 100 developed with the
semantic domain layer 102 may be referred to as a semantic domain layer
web application. Moreover, the semantic domain layer 102 disclosed may
be platform agnostic. This means that the disclosed sematic domain layer
102 may be integrated with any external platforms. In addition, the
Docket No: IIP-HCL-P0055
-9-
integration of the semantic domain layer 102 may be done without having
to worry about exposing sensitive data and usage of unnecessary filtration
conditions while querying data from various data sources.
[027] Referring now to FIG. 2, a flow diagram of a semantic domain
layer 200 used for providing profile based data and visualization access
through is illustrated, in accordance with an embodiment. In reference to
FIG. 1, the semantic domain layer 200 may correspond to the semantic
domain layer 102. The semantic domain layer 200 may include a set of
components. The set of components may include an SDL user interface
202, an SDL query engine 220, and a JDBC/ODBC driver 230.
[028] First component from the set of components, i.e., the SDL
user interface 202 may be configured to provide a set of functionalities to
each of a plurality of users. In this embodiment, each of the plurality of users
may correspond to an administrator or a user of the semantic domain layer
200. The set of functionalities may include an ease to access, create and
manage each of a plurality of domain objects, selection of at least one data
source, a set of tables, a plurality of fields, and an access level, and access
permission. The access level may correspond to one of a first set of access
levels and one of a second set of access level. In an embodiment, the first
set of access levels may be associated with the plurality of users and the
plurality of domain objects. Additionally, the second set of access levels may
correspond to an encrypted access and a masked access associated with
a plurality of fields within a set of tables. In an embodiment, each of the set
of tables may be associated with one of the plurality of domain objects.
[029] In order to provide access of the set of functionalities, the SDL
user interface 202 may include a domain object management unit 204, a
user management unit 206, and a user based permission unit 208. The user
based permission unit 208 may be associated with a domain object level
210, a feature level 212, and an attribute level 214. In particular, the domain
object management unit 204 may be configured to manage data received
from multiple data sources. In an embodiment, the data received from
Docket No: IIP-HCL-P0055
-10-
multiple data sources may be associated with the plurality of domain
objects. Further, the domain object management unit 204 may identify a set
of tables associated with each of the plurality of domain objects.
[030] Moreover, the data received from multiple data sources may
be present in denormalized form in each of the set of tables. It should be
noted that, every row of the set of tables identified may correspond to an
instance of each of the plurality of domain objects. Once the set of tables
are identified, the domain object management unit 204 may normalize data
present within each of the set of tables. In other words, the domain object
management unit 204 may create an alias for at least one of a plurality of
fields within the set of tables. The plurality of fields may correspond to one
of a row and a column within one of the set of tables. In an embodiment, the
alias may be created to standardize data representation across each of the
set of tables.
[031] In an embodiment, each of the plurality of domain objects may
also be referred as an entity set. Moreover, each of the plurality of domain
objects may correspond to a collection of categorical properties, i.e., feature
vectors and attribute vectors. In an embodiment, the feature vectors may
correspond to a plurality of rows present within the set of tables. In addition,
the attribute vectors may correspond to a plurality of columns present within
the set of tables. Further, each of the collection of categorical properties
may be used for setting granular level access permissions on each of the
plurality of domain objects based on the plurality of user profiles. The
plurality of user profiles may correspond to each of the plurality of users.
[032] Further, the user management unit 206 may be configured to
create and manage each of the plurality of user profiles corresponding to
the plurality of users. In an embodiment, each of the plurality of user profiles
may be created based on at least one of the plurality of user attributes
associated with each of the plurality of users. The plurality of user attributes
may include, but are not limited to at least one of employee ID, organization
ID, team ID, business unit ID, user location, current designation,
Docket No: IIP-HCL-P0055
-11-
department, user type, and access level. An exemplary embodiment
depicting creation of user profile has been explained in detail in conjunction
with FIG. 8.
[033] Moreover, the user based permission unit 208 may be
configured to assign the access level and the access permission to access
at least one of the plurality of domain objects. The access level and access
permissions may be assigned based on the user profile of each of the
plurality of users. The access level may correspond to one of a first set of
access level and one of a second set of access level. In addition, the access
permissions may correspond to permissions defined for each of the plurality
of users to access the plurality of domain objects. In an embodiment, the
access permission may be defined based on the access level assigned.
[034] In an embodiment, a first access level from the first set of
access levels may be assigned to each of the plurality of users. In addition,
a second access level form the first set of access levels may be assigned
based on each of the plurality of domain objects. In present FIG. 2, the
second access level corresponding to each of the plurality of domain objects
may assigned at the domain object level 210.
[035] In one embodiment, when the second access level from the
first set of access levels may be defined to be the public access level for at
least one domain object from the plurality of domain objects, name of the at
least one domain object may be visible to one or more of the plurality of user
based on their associated user profiles. In addition, the at least one domain
object may be accessible by each of the plurality of users. In another
embodiment, when the second access level from the first set of access
levels may be defined to be the private access level for at least one domain
object from the plurality of domain objects, name and accessibility of the at
least one domain object may be provided to at least one user from the
plurality of users having permissions to see and access the at least one
domain object. In yet another embodiment, when the second access level
from the first set of access levels may be defined to be the protected access
Docket No: IIP-HCL-P0055
-12-
level for at least one domain object from the plurality of domain object, name
of the at least one domain object may be visible to each of the plurality of
users. In addition, the at least one domain object may be accessible by at
least one of the plurality of users having permissions to access the at least
one domain object.
[036] Further, one of the second set of access levels may be
assigned to at least one of the plurality of fields. In an embodiment, the
second set of access levels may include the encrypted access and the
masked access of one of the plurality of fields, to at least one of the plurality
of users. Each of the plurality of fields may be present within the set of
tables. Further, each of the plurality of fields may correspond to one of the
row and the column within one of the set of tables. In an embodiment, an
access level from the second set of access levels corresponding to the row
of at least one of the plurality of fields may be assigned at the feature level
212. In addition, an access level from the second set of access level
corresponding to the column of at least one of the plurality of fields may be
assigned at the attribute level 214.
[037] Once the plurality of user profiles and the plurality of domain
objects are created, the SDL user interface 202 may verify a user request
received to access data via an identify/authorization server 218. In addition,
the identify/authorization server 218 may be configured to identify profile of
the user that may be requesting the access of the data. Moreover, the
identify/authorization server 218 may be responsible to map the user with
the domain object associated with the user profile.
[038] Further, the SDL user interface 202 may store a metadata
information associated with each of the plurality of users to access each of
the plurality of domain objects in a metadata store 216. The metadata
information may include the user profile of each of the plurality of users,
information of each of the plurality of domain objects, and the access level
assigned to each of the plurality of users for the plurality of domain objects.
Docket No: IIP-HCL-P0055
-13-
Once the metadata information is stored in the metadata store 216, then the
stored metadata information may be utilized by the SDL query engine 220.
[039] The SDL query engine 220 may utilize the metadata
information to provide access of at least one domain object from the plurality
of domain objects to at least one of the plurality of users. In an embodiment,
the SDL query engine 220 may correspond to data definition web
Application Programming Interface (API). Moreover, the SDL query engine
220 may provide access of data present in the at least one domain object
to at least one of the plurality of users based on the access level defined for
the at least one of the plurality of users. A method of providing access of the
at least one domain object has been explained in detail in conjunction with
FIG. 3.
[040] Further, in order to provide access of the data to the at least
one user, the SDL query engine 220 may include a domain object listing unit
222, a field listing unit 224, a query interface 226, and a dynamic formation
of metadata unit 228. The domain object listing unit 222 may be configured
to list a set of allowed domain object from the plurality of domain objects
that is accessible by the at least one user. The field listing unit 224 may be
configured to list one or more fields present within the set of tables to the at
least one user. Each of the set of tables may be associated with the set of
allowed domain objects that is accessible by the at least one user. The
query interface 226 may be configured to verify a query generated to access
the domain. The query generated may be represented as depicted below
via an equation (1):
DomainObject.ObjectProperty.AccessControlled = True/False …
(1)
[041] In above equation (1), domain object may correspond to the
domain object from the plurality of domain objects. Object property may
correspond to a type of the domain object. In other words, the object
Docket No: IIP-HCL-P0055
-14-
property may depict a set of predefined properties associated with the
domain object. By way of an example, one of the set of predefined
properties may correspond to the first set of access level defined for the
domain object. The first set of access level may include a public access
level, a private access level, and a protected access level. In an
embodiment, the administrator of the semantic domain layer 200 may define
one of the first set of access levels for at least one user to access the domain
object. Further, the administrator of the semantic domain layer 200 may
modify the one of the first set of access levels defined for the domain object
as per requirement of the at least one user. For example, the administrator
may modify one of the first set of access levels based on organizational
hierarchy (e.g., parent, child of) and type of data present in the domain
object (e.g., master data, transaction data).
[042] Access control may correspond to the access permission
defined for the at least one user corresponding to the domain object. In an
embodiment, when the query generated may be defined to be true, then the
data of that domain object may be accessible by the at least one user. In
another embodiment, when the query generated may be defined to be false,
then the data of that domain object may not be accessible by the at least
one user. It should be noted that, default value of the query generated for
each of the plurality of domain objects may be defined to be false. Moreover,
user (i.e., the administrator) of the semantic layer may change the default
value based on his requirement.
[043] Further, in order to verify the query generated, the SDL query
engine 220 may interact with the metadata store 216 of the SDL user
interface 202 and a JDBC/ODBC driver 230. In other words, the SDL query
engine 220 may act a connector between the SDL user interface 202 and
the JDBC/ODBC driver 230. Once the generated query is verified, the
dynamic formation of metadata unit 228, may dynamically fetch and render
the data corresponding to the set of allowed domain objects, to the at least
one user.
Docket No: IIP-HCL-P0055
-15-
[044] In an embodiment, the JDBC/ODBC driver 230 may be
configured to hold list of each of the plurality of domain objects and the
plurality of fields corresponding to each of the plurality of users. In addition,
the JDBC/ODBC driver 230 may be configured to retrieve one of the second
access level assigned to the row for each of the plurality of fields from the
set of allowed domain objects. It should be noted that, the JDBC/ODBC
driver 230 may be available as 32bit and 64bit to support framework for the
semantic domain layer 200. In an embodiment, the JDBC/ODBC driver 230
may also be referred as data connection drivers.
[045] Further, the JDBC/ODBC driver 230 may facilitate querying of
data received from various data sources via the semantic domain layer 200.
In addition, queries in standard Structured Query Language (SQL) may be
directly accessed via the JDBC/ODBC driver 230 to query data including
conditions like, ‘where’, ‘join’, ‘group’ and ‘order’. In addition, the
JDBC/ODBC driver 230 may be highly optimized to enables better
performance for the semantic domain layer 200. In addition, the
JDBC/ODBC driver 230 provides an additional layer of data security for the
data.
[046] In order to facilitate querying of data, the JDBC/ODBC driver
230 may include POSTGRES 232, HIVE 234, MYSQL 236, and MSSQL
238. The POSTGRES 232 may correspond to an open source object
relational database management system. The HIVE 234 may correspond to
a data warehouse software. The MYSQL 236 may correspond to a
community driven database management system. The MSSQL 238 may
correspond to a relational database management system.
[047] In particular, as will be appreciated by those of ordinary skill in
the art, the semantic domain layer 200 described herein may be
implemented in any computing device, either by hardware, software, or
combinations of hardware and software. For example, suitable code may be
accessed and executed by the one or more processors on any computing
device to perform some or all of the techniques described herein. Similarly,
Docket No: IIP-HCL-P0055
-16-
application specific integrated circuits (ASICs) configured to perform some
or all of the processes described herein may be included in the one or more
processors on the computing system. Moreover, the functionality of various
components of the semantic domain layer 200 may be integrated with any
computing devices.
[048] Referring now to FIG. 3, a flowchart of a method for providing
profile based data access through a semantic domain layer is illustrated, in
accordance with an embodiment. In reference to FIG. 1 and FIG. 2, once
the semantic domain layer is created, any user may access data via the
semantic domain layer (for example, the semantic domain layer 102) based
on their user profile. Initially, at step 302, a plurality of user profiles may be
created. In an embodiment, the plurality of user profiles may correspond to
a plurality of users. Moreover, each of the plurality of user profiles may be
associated with at least one of a plurality of user attributes. The plurality of
user attributes may include at least one employee ID, organization ID, team
ID, business unit ID, user location, current designation, department, user
type, and access level. In other words, each of the plurality of user attributes
associated with the plurality of user profiles may be defined based on goal,
role, and scope of work associated with each of the plurality of users. In an
embodiment, each of the plurality of user profiles may correspond to a user
persona.
[049] Once the plurality of user profiles is created, at step 304, a
user request may be received to access data. In an embodiment, the data
may correspond to an information associated with at least of a plurality of
domain objects. Upon receiving, the user request, at step 306, a user profile
associated with the user may be determined from the plurality of user
profiles created. In other words, the user profile of the user requesting the
access of the data may be determined. Once the user profile is determined,
at step 308, a first access level associated with the user profile may be
extracted from a first set of access levels. In other words, the first access
level may correspond to an access level associated with the user profile. In
Docket No: IIP-HCL-P0055
-17-
an embodiment, the first set of access levels may include a public access
level, a private access level, and a protected access level.
[050] By way of an example, based on the first access level
extracted, the user profile may be validated. In order to validate the user
profile, a check may be performed. The check may be performed to identify
which one of the public access level, the private access level, or protected
access level the first access level extracted corresponds to. In one
embodiment, when the first access level extracted corresponds to the public
access level, then the user of that user profile may only have access to all
public data. In another embodiment, when the first access level extracted
corresponds to the private access level, then the user of that user profile
may additionally have access to all private data. In yet another embodiment,
when the first access level extracted corresponds to the protected access
level, then the user of that user profile may additionally have access to all
protected data in hashed format.
[051] Once the user is validated based on the first access level
extracted, at step 310, the user profile may be mapped with a domain object
from a plurality of domain objects. A process of mapping the user profile
with the domain object is explained in detail in conjunction with FIG. 4. In an
embodiment, the user profile may be mapped with the domain object based
on a second access level from the first set of access levels associated with
the domain object. In other words, the second access level may correspond
to an access level associated with the domain object. By way of an example,
based on the assigned second access level, the domain object may be
identified. In order to identify the domain object, a check may be performed
on the mapped domain object. The check may be performed to determine
that the second access level associated with the domain object corresponds
to which one of the public access level, the private access level, or protected
access level.
[052] In one embodiment, when the second access level associated
with the domain object corresponds to the public access level, then the user
Docket No: IIP-HCL-P0055
-18-
may be able to see name of that domain object. In addition, the user may
be able to access all data present in the domain object corresponding to the
public access level. In another embodiment, when the second access level
associated with the domain object corresponds to the private access level.
Then, the user may be able to see name and access data of that domain
object only if the user has permission to access that domain object. In yet
another embodiment, when the second access level associated with the
domain object corresponds to the protected access level. Then, the name
of the domain object may be visible to the user. However, the user may
access data of the domain object with protected access level, only when he
has permission to access data.
[053] Once the mapping of the user profile with the domain object is
done, at step 312, at least a portion of the data requested may be selectively
rendered to the user. In an embodiment, the portion of data may correspond
to a part of the data requested by the user in the user request. It should be
noted that, the portion the data requested may be rendered to the user in
response to mapping the user profile with the domain object. Moreover, at
step 314, at least a portion of the data requested by the user may be
presented in one of a predefined set of data visualization formats. The
predefined set of data visualization formats may include, but is not limited
to, charts, graphs, tables, and diagrams.
[054] Referring now to FIG. 4, a flowchart of a method of mapping a
user profile with a domain object from a plurality of domain objects is
illustrated, in accordance with an embodiment. In reference to FIG. 3, as
mentioned in step 310, in order to map the user profile with the domain
object, at step 402, a domain object may be created. In an embodiment, the
domain object created may be communicatively coupled to a semantic
domain layer. In reference to FIG. 1, the semantic domain layer may
correspond to the semantic domain layer 102. A process of creating the
domain object has been explained in detail in conjunction with FIG. 5. It
should be noted that, for ease of explanation creation of one domain object
Docket No: IIP-HCL-P0055
-19-
is considered. However, the plurality of domain objects may be initially
created. Further, based on the user request received the domain object from
the plurality of domain objects may be mapped.
[055] Once the domain object is created, at step 404, the second
access level from the first set of access levels is assigned to the domain
object. The first set of access levels may include the public access level, the
private access level, and the protected access level. It should be noted that,
the second access level may be assigned to each of the plurality of domain
objects created. Once the second access level is assigned to each of the
plurality of domain objects, mapping of the user profile may be done with
the domain object from the plurality of domain objects.
[056] Referring now to FIG. 5, a flowchart of a method for creating
domain objects is illustrated, in accordance with an exemplary embodiment.
In conjunction to FIG. 4, in order to create the domain as mentioned in step
402, at step 502, at least one data source may be selected for the domain
object. Examples of the at least one data source may include, but are not
limited to any type of databases, flat files, and web services. Once the at
least one data source is selected, at step 504, a set of tables from the at
least one data source. The set of tables identified may be associated with
the domain object. Further, in order to identify the set of tables from the at
least one data source, at step 506, at least one link may be created between
one or more of the set of tables. In an embodiment, the at least one link may
be created based on associated fields from the plurality of fields.
[057] Upon identifying the set of tables, at step 508, one of the first
set of access levels may be assigned to each of the plurality of fields. In an
embodiment, each of the plurality of fields may be present within the set of
tables. Further, at step 510, one of the first set of access level may be
assigned to each of the plurality of users. In reference to FIG. 3, one of the
first set of access levels assigned to each of the plurality of users may
correspond to the first access level. Moreover, one of the first set of access
level may be assigned for each of the plurality of domain objects and
Docket No: IIP-HCL-P0055
-20-
associated one or more fields. In reference to FIG. 3, one of the first set of
access levels assigned to each of the plurality of domain objects may
correspond to the second access level.
[058] Further, at step 512, a second set of access levels may be
assigned to at least one of the plurality of fields. In an embodiment, the
second set of access level may include, but are not limited to an encrypted
access and a masked access. In addition, each of the plurality of fields may
correspond to one of a row and a column within one of the set of tables. In
an embodiment, once the first set of access levels and the set of access
levels are assigned, at step 514, an alias may be created for at least one of
the plurality of field. In an embodiment, the alias may be created to
standardize data representation across the set of tables.
[059] Referring now to FIGs. 6A– 6H, an exemplary representation
of creation of a domain object is depicted, in accordance with an exemplary
embodiment. In FIG. 6A, a User Interface (UI) 600a of a semantic domain
layer representing a list of the plurality of domain objects is depicted. It
should be noted that, for ease of explanation, creation of one domain object
is illustrated. However, each of the plurality of domain objects may be
created as illustrated in present FIGs. 6A- 6H. In reference to FIG. 1, the
semantic domain layer may correspond to the semantic domain layer 102.
Left side of the UI 600a represents a menu that includes a set of options.
The set of options includes dashboard, domain object, user management,
and permissions. Each of the plurality of users may select one of the set of
options based on his requirement. For example, a user from the plurality of
users may select domain object option to view a list of plurality of domain
objects created. The domain object list includes a first set of selectable
options.
[060] The first set of selectable options includes domain object
name, database name, and access level as depicted in present FIG. 6A.
The domain object name may represent name of each of the plurality of
domain objects. For examples, domain object name ‘sales data’ may include
Docket No: IIP-HCL-P0055
-21-
data associated with sales. Further, database name may represent data
source from which data associated with that domain object name is fetched.
Further, access level may represent access level assigned for each of the
plurality of domain objects. In an embodiment, the access level may be
assigned initially while creating each of the plurality of domain objects.
[061] Moreover, the domain object list represented on the user
interface 600a further depicts a second set of selectable options. The
second set of selectable options includes fields, joins, and where details. In
present FIG. 6A, fields option is selected. The field option selected may
depict field name of each of the plurality of field. Data type associated with
each of the plurality of fields. Access level assigned for each of the plurality
of fields. Mask/encrypted access assigned for each of the plurality of fields.
In an embodiment, access control may correspond to the access level, i.e.,
the first set of access levels and the second set of access levels. In an
embodiment, a default value for the access control may be defined to be the
public access level for the plurality of users to access each of the plurality
of fields. Moreover, one or more of the plurality of users with access control
defined to be the public access level may not have access of at least one of
the plurality of fields with the protected access level and the private access
level. Further, one or more of the plurality of users with access control
defined to be the protected access level may have access of entire schema
of the domain object. However, data of at least one of the plurality of fields
having the private access level may be selectively masked from one or more
of the plurality of users having the protected access level. In addition, one
or more of the plurality of users with access control defined to be the private
access level may have access of entire schema of the domain object without
any masked/encrypted access on data present in each of the plurality of
fields. It should be noted that, the access level for the plurality of fields
corresponding to the row may be defined explicitly so that partial or full data
is visible to at least one of the plurality of users. Moreover, the access level
defined for the plurality of fields corresponding to the row may not override
Docket No: IIP-HCL-P0055
-22-
the encrypted access and the masked access defined for the column of the
plurality of fields.. In addition, each of the plurality of user may be able to
create a new domain object via an ‘+object’ button present below header of
the UI 600a.
[062] Once a user from the plurality of user selects the ‘+object’
button to create the new object domain, a UI 600b of the semantic domain
layer may be opened as depicted in FIG. 6B. The user may create the new
domain object via the UI 600b. In order to create the new domain object, the
user may select one of a data warehouses details from a drop down list as
depicted in UI 600b. In FIG. 6B, the drop down list includes SQL server,
SQLite, and dynamic database. It should be noted that, the drop down list
may include any number of data warehouse details. Once the one of the
data warehouse details is selected, the user needs to enter his login
credentials, i.e., a username and a password to create the new domain
object. Once the user enters details in the UI 600b, then the user needs to
click on ‘next’ button present of right most corner of the UI 600b as depicted
in FIG. 6B.
[063] Once the user clicks on the next button, a UI 600c may open
as depicted in FIG.6C. The user may easily access at least one data source
by providing his login credentials. Further, the user may select at least one
data source from a drop drown list depicted in the UI 600c as select
database. Once the user selects the at least one data source, the user may
click on ‘next button’ present below in right corner of the UI 600c.
[064] Upon clicking on the next button, based on selection of the at
least one data source, a UI 600d may be opened as depicted in FIG. 6D.
The user may then select relevant tables from a drop down list of available
tables to create a new domain object as depicted via the UI 600d. In present
FIG. 6D, the relevant tables may correspond to selected tables as depicted
in the UI 600d. In reference to FIG. 5, the relevant tables may correspond
to the set of tables identified. In one embodiment, the user can select the
relevant tables by clicking on relevant table name and on ‘an add button’
Docket No: IIP-HCL-P0055
-23-
depicted in the UI 600d. In another embodiment, the user may right click on
relevant table name and then drag and drop, the relevant table name in the
selected tables. In addition, the user may put aliasing for names of the
relevant tables. Thereafter, the user may click on next button present below
in right corner of the UI 600d.
[065] Once the relevant tables are selected, upon clicking on next
button, a UI 600e may be opened as depicted in the FIG. 6E. The user may
then select fields from each of the relevant tables. In reference to FIG. 5,
the fields may correspond to the plurality of fields. Further, the user may
assign one of the first set of access level to each of the plurality of fields via
the UI 600e. In addition, the second set of access levels may be assigned
to at least one of the plurality of fields via the UI 600e. The second set of
access levels may include the encrypted access and the masked access on
field values. In addition, the user may put aliasing for names of each of the
plurality of fields. Thereafter, the user may click on next button present
below in right corner of the UI 600e.
[066] Once the relevant tables and the plurality of fields are
selected, then after click on the next button depicted in the UI 600e, a UI
600f may be opened as depicted via FIG. 6F. The UI 600f may depict table
join details. The UI 600f may capture join details of the relevant tables
selected, from the user. In other words, the user may define join details of
the relevant tables selected via the UI 600f. The user may select a list of
possible joins available for the relevant tables from a dropdown list depicted
in the UI 600f. Once the list of possible joins is selected, the user may click
on next button present below in right corner of the UI 600f.
[067] Further, the user may add where condition while creating new
domain object via a UI 600g as depicted in FIG. 6G. In an embodiment, the
user may add multiple condition while fetching data form multiple data
sources, as per his requirements. Other examples of multiple conditions
may include, but is not limited to, ‘‘join’, ‘group’ and ‘order’. Moreover, the
conditions may be added on basis of metadata information captured for the
Docket No: IIP-HCL-P0055
-24-
domain object created. Once the ‘where’ condition is added, the user may
click on next button present below in right corner of the UI 600g. In FIG. 6H,
a UI 600h representing a domain object summary is depicted. The UI 600h
may represent all information captured in previous FIGs. 6A – 6G. In other
words, the UI 600h may represent information like, the relevant tables
selected, the plurality of fields selected, the join details, and the where
conditions.
[068] Referring now to FIGs. 7A – 7C, an exemplary representation
of defining a domain object level permission corresponding to a plurality of
users is illustrated, in accordance with an exemplary embodiment. In FIG.
7A, a UI 700a of a semantic domain layer is depicted. In reference to FIG.
1, the semantic domain layer may correspond to semantic domain layer 102.
As depicted in FIG. 7A, a second access level from the first set of access
level may be assigned to each of the plurality of users via the UI 700a. The
second access level may be assigned to provide access of one or more
domain objects to each of the plurality of users. In an embodiment, the first
set of access level may include the public access level, the private access
level, and the protected access level.
[069] As depicted in present FIG. 7A, in order to assign the second
access level for the domain object, a username may be selected. The
username may depict the name of the user for whom the access level and
the access permissions associated with a specific domain are required to
be changed. Further, the specific domain object from the plurality of domain
objects may be selected. The specific domain object may correspond to the
domain object whose access level and access permissions may be changed
for the user selected via the username. Thereafter, user access type name
may be selected for the selected username. The user access type selected
may depict one of the first set of access level selected. By way of an
example, the user access type may be selected to be public access level
(i.e., public) corresponding to the username and the specific domain object
as depicted via the UI 700a.
Docket No: IIP-HCL-P0055
-25-
[070] Lastly, permission to access the specific domain object may
defined for the selected username. As depicted in present FIG. 7A, the user
selected via the username, may be allowed to access the specific domain
object. Once the access level and the access permissions corresponding to
the specific domain object are selected for the user, an administrator may
click on execute button displayed below in left corner of the UI 700a. In an
embodiment, the administrator may correspond to a person that may have
access to all functionalities of the semantic domain layer. Examples of the
administrator may include but is not limited to, owner of organization, head
of department, manager, etc. Moreover, via the UI 700a, any user from the
plurality of user may be restricted to access any domain object just by
selecting his username and the domain object.
[071] Once the access level and the access permissions are defined
for the user, then the administrator may assign a second set of access level
to each of a plurality of fields via a UI 700b as depicted in FIG. 7B and FIG.
7C. In an embodiment, each of the plurality of fields may corresponds to one
of the row and the column within each of the set of tables. Moreover, the
second set of access level may include the encrypted access and the
masked access. In reference to FIG. 6D, the set of tables may correspond
to the relevant tables selected. It should be noted that, before assigning the
second set of access level, one of the first set of access level may be
assigned to each of the plurality of fields.
[072] As depicted in FIG. 7B, one of the second set of access level
may be assigned for each row associated with each of the plurality of field.
In an embodiment, each row present within the set of tables may correspond
to the feature vector. Moreover, one of the second set of access level for
each row may be easily assigned by selecting the username, the domain
object, and one or more field from the plurality of fields. By way of an
example, the administrator may allow the selected user to view records of a
specific country corresponding to the domain object selected via the UI
700b.
Docket No: IIP-HCL-P0055
-26-
[073] Similarly, the second set of access level for each column
associated with each of the plurality of field may be assigned via a UI 700c.
In an embodiment, each column present within the set of tables may
correspond to the attribute vector. The administrator may assign the second
set of access level for each column corresponding to each of the plurality of
users via the UI 700c. Moreover, one of the second set of access level for
each column may be easily assigned by selecting the username, and the
domain object as depicted in present FIG. 7C. In other words, the
administrator may restrict or allow access of any column present within the
set of tables to any user from the plurality of user.
[074] Referring now to FIG. 8, an exemplary representation of a new
user profile created via a semantic domain layer is depicted, in accordance
with an exemplary embodiment. A UI 800 of a semantic domain layer
depicts the new user profile created by an administrator. The new user
profile may be associated with a new user. In reference to FIG. 1, the
semantic domain layer may correspond to the semantic domain layer 102.
In an embodiment, the administrator may correspond to a person that may
have access of all functionalities of the semantic domain layer. The
administrator may be the person that may be responsible to create the new
user profile, create new domain object, provide access level and access
permission to other user working in organization. Examples of the
administrator may include but is not limited to, owner of organization, head
of department, manager, etc.
[075] In order to create the new user profile, the administrator may
click on user management option from the set of options, present in left side
of the menu. Once the user management option is selected, the UI 800 may
open as depicted in present FIG. 8. The administrator may then click on
‘+user’ button to create the new user profile. Once the administrator clicks
on ‘+user’ button, login credentials and information associated with the new
user may be defined. The login credentials may include username and
password. It should be noted that, the new user may change his password,
Docket No: IIP-HCL-P0055
-27-
once his user profile is created. In addition, the information associated with
the new user may include his first name, last name, email ID, date of birth,
etc. Thereafter, the administrator may assign at least one of the plurality of
domain objects to the new users. As depicted in present FIG. 8, a set of
fourteen domain object has been assigned to the new user. In reference to
FIG. 1 to 7, each of the set of fourteen domain objects may be assigned
based on process disclosed in above figures. It should be noted that, the
new user may access each of the set of fourteen domain objects assigned,
by using his login credentials. Moreover, the “is active” icon displayed in the
UI 800 may help the administrator to identify whether the new user created
is active or not. In an embodiment, the administrator may see active state
of each of the plurality of user under is active icon. Once the new user is
created, the new user may edit his basic user profile details via an edit option
displayed in the UI 800. Example of the basic user profile details may
include login password, his name, email ID, etc.
[076] Various embodiments provide method and system for
providing profile-based data and visualization access through a semantic
domain layer. The disclosed method and system may receive a user request
to access data. Moreover, the disclosed method and system may determine
a user profile from a plurality of user profiles associated with the user. The
plurality of user profiles corresponds to a plurality of users. Further, the
disclosed method and system may extract a first access level from a first set
of access levels associated with the user profile. In addition, the disclosed
method and system may map the user profile with a domain object from a
plurality of domain objects, based on a second access level from the first
set of access levels associated with the domain object. Thereafter, the
disclosed method and system may selectively render at least a portion of
the data requested in the user request to the user, in response to mapping
the user profile with the domain object.
[077] The system and method provide some advantages like, the
system and the method may provide exposure and reuse of pre-created
Docket No: IIP-HCL-P0055
-28-
datasets across multiple tools having single source of truth of data access,
thereby minimizing dependency of IT teams. Further, the disclosed method
and system may enable dynamic application, control permissions, and user
access based on user persona even without modifying query. In addition,
the disclosed method and system may provide dynamic behavior to control
rows and column level of data access based on user persona (GEO, roles,
authorizations). Moreover, the disclosed method and system may define
auto join and may detect relationship between data and user. Additionally,
the disclosed method and the system may hide, mask and encrypt data
based on user persona.
[078] It will be appreciated that, for clarity purposes, the above
description has described embodiments of the invention with reference to
different functional units and processors. However, it will be apparent that
any suitable distribution of functionality between different functional units,
processors or at least may be used without detracting from the invention.
For example, functionality illustrated to be performed by separate
processors or controllers may be performed by the same processor or
controller. Hence, references to specific functional units are only to be seen
as references to suitable means for providing the described functionality,
rather than indicative of a strict logical or physical structure or organization.
[079] Although the present invention has been described in
connection with some embodiments, it is not intended to be limited to the
specific form set forth herein. Rather, the scope of the present invention is
limited only by the claims. Additionally, although a feature may appear to be
described in connection with particular embodiments, one skilled in the art
would recognize that various features of the described embodiments may
be combined in accordance with the invention.
[080] Furthermore, although individually listed, a plurality of means,
elements or process steps may be implemented by, for example, a single
unit or processor. Additionally, although individual features may be included
in different claims, these may possibly be advantageously combined, and
Docket No: IIP-HCL-P0055
-29-
the inclusion in different claims does not imply that a combination of features
is not feasible and/or advantageous. Also, the inclusion of a feature in one
category of claims does not imply a limitation to this category, but rather the
feature may be equally applicable to other claim categories, as appropriate.

CLAIMS
WHAT IS CLAIMED IS:
1. A method (300) for providing profile-based data and visualization access
through a semantic domain layer (102), the method comprising:
receiving (304), by the semantic domain layer (102), a user request
to access data;
determining (306), by the semantic domain layer (102), a user profile
from a plurality of user profiles associated with the user, wherein the plurality
of user profiles correspond to a plurality of users;
extracting (308), by the semantic domain layer (102), a first access
level from a first set of access levels associated with the user profile;
mapping (310), by the semantic domain layer (102), the user profile
with a domain object from a plurality of domain objects, based on a second
access level from the first set of access levels associated with the domain
object; and
selectively rendering (312), by the semantic domain layer (102), at
least a portion of the data requested in the user request to the user, in
response to mapping the user profile with the domain object.
2. The method of claim 1, further comprising;
creating (402) the domain object, wherein the domain object is
communicatively coupled to the semantic domain layer, and wherein
creating the domain object comprises:
selecting (502) at least one data-source for the domain object;
and
Docket No: IIP-HCL-P0055
-31-
identifying (504) a set of tables from the at least one datasource to be associated with the domain object, wherein identifying
the set of tables from the at least one data-source comprises:
automatically creating (506) at least one link between
one or more of the set of tables based on associated fields
from the plurality of fields; and
assigning (404) the second access level of the first set of access
levels to the domain object, wherein the first set of access levels comprises
a public access level, a private access level, and a protected access level.
3. The method of claim 2, further comprising:
assigning (508) one of the first set of access levels to each of a
plurality of fields within the set of tables;
assigning (510) one of the first set of access levels to each of the
plurality of users, wherein one of the first set of access levels is assigned
for each of the plurality of domain objects and associated one or more fields;
assigning (512) one a second set of access levels to at least one of
the plurality of fields, wherein the second set of access levels comprises an
encrypted access and a masked access, and wherein each of the plurality
of fields corresponds to one of a row and a column within one of the set of
tables; and
creating (514) an alias for at least one of the plurality of field to
standardize data representation across the set of tables.
4. The method of claim 1, further comprising creating (302) the plurality of
user profiles, wherein each of the plurality of user profiles is associated with
Docket No: IIP-HCL-P0055
-32-
at least one of a plurality of user attributes, and wherein the plurality of user
attributes comprises at least one of employee Identifier (ID), organization
ID, team ID, business unit ID, user location, or current designation.
5. The method of claim 1, wherein rendering comprises presenting (314) at
least the portion of the data in one of a predefined set of data visualization
formats.
6. A system for providing profile-based data and visualization access
through a semantic domain layer (102), the system comprising:
a processor; and
a memory communicatively coupled to the processor, wherein the
memory stores processor executable instructions, which, on execution,
causes the processor to:
receive (304) a user request to access data;
determine (306) a user profile from a plurality of user profiles
associated with the user, wherein the plurality of user profiles correspond to
a plurality of users;
extract (308) a first access level from a first set of access levels
associated with the user profile;
map (310) the user profile with a domain object from a plurality of
domain objects, based on a second access level from the first set of access
levels associated with the domain object; and
selectively render (312) at least a portion of the data requested in the
user request to the user, in response to mapping the user profile with the
domain object.
Docket No: IIP-HCL-P0055
-33-
7. The system of claim 6, wherein the processor executable instructions
further cause the processor to:
create (402) the domain object, wherein the domain object is
communicatively coupled to the semantic domain layer, and wherein the
processor executable instructions cause the processor to create the domain
object by:
selecting (502) at least one data-source for the domain object;
and
identifying (504) a set of tables from the at least one datasource to be associated with the domain object, and wherein the
processor executable instructions cause the processor to identify the
set of tables from the at least one data-source by:
automatically creating (506) at least one link between
one or more of the set of tables based on associated fields
from the plurality of fields; and
assign (404) the second access level of the first set of access levels
to the domain object, wherein the first set of access levels comprises a
public access level, a private access level, and a protected access level.
8. The system of claim 7, wherein the processor executable instructions
further cause the processor to:
assign (508) one of the first set of access levels to each of a plurality
of fields within the set of tables;
assign (510) one of the first set of access levels to each of the
plurality of users, wherein one of the first set of access levels is assigned
for each of the plurality of domain objects and associated one or more fields;
Docket No: IIP-HCL-P0055
-34-
assign (512) one a second set of access levels to at least one of the
plurality of fields, wherein the second set of access levels comprises an
encrypted access and a masked access, and wherein each of the plurality
of fields corresponds to one of a row and a column within one of the set of
tables; and
create (514) an alias for at least one of the plurality of field to
standardize data representation across the set of tables.
9. The system of claim 6, wherein the processor executable instructions
further cause the processor to create (302) the plurality of user profiles,
wherein each of the plurality of user profiles is associated with at least one
of a plurality of user attributes, and wherein the plurality of user attributes
comprises at least one of employee Identifier (ID), organization ID, team ID,
business unit ID, user location, or current designation.
10. The system of claim 6, wherein the processor executable instructions
cause the processor to render by presenting (314) at least the portion of the
data in one of a predefined set of data visualization formats.