Access management in a data storage system
First Claim
1. A computer-implemented method comprising:
receiving, by a first computer system of a data storage system and from a client device, a first request by a requester to access first information managed by the data storage system;
providing, by the first computer system, credential information included in the first request to an identity management (IDM) system for authenticating the requester, the IDM system comprising one or more second computer systems;
receiving, by the first computer system, from the IDM system, an access token that is generated by the IDM system upon authenticating the requester using the credential information sent to the IDM system, wherein the access token indicates that the requester is authenticated by the IDM system;
determining a plurality of roles associated with the requester and with the access token, wherein the plurality of roles specifies a set of privileges for the plurality of roles for accessing information managed by the data storage system;
storing, in a cache of the first computer system, the access token for the requester in association with the plurality of roles;
determining, by the first computer system and without communicating with the IDM system, whether the requester is authorized to access the first information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the first information comprises determining that the plurality of roles associated with the access token comprises a first role that permits the requester to access the first information;
based on determining that the requester is authorized to access the first information, sending, by the first computer system, the first information to a device of the requester;
based on a second request by the requester to access second information managed by the data storage system, determining, by the first computer system, that the requester has previously been authenticated by the IDM system based on identifying that the access token is stored in the cache for the requester;
based on determining that the requester is authenticated by the IDM system according to the access token, determining, by the first computer system and without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of roles associated with the access token stored in the cache;
determining, by the first computer system and without communicating with the IDM system, whether the requester is authorized to access the second information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the second information comprises determining that the plurality of roles associated with the access token comprises a second role that permits the requester to access the second information; and
based on determining that the requester is authorized to access the second information, sending, by the first computer system, the second information to the device of the requester.
Abstract
A method and system for managing access to information stored in a data storage system of an organization is provided. In an embodiment, the data storage system may be configured to receive a request from a requester on a client device to access information stored in the data storage system. In some aspects, upon receiving the request, the first system may determine that an access token identifying the requester is stored in a cache in the data storage system. In some aspects, the data storage system may then retrieve one or more roles from the cache. In some examples, the roles may be associated with the access token. In certain embodiments, the data storage system may then be configured to determine that the requester is authorized to access the information based on the roles and provide the information to the requester on the client device.
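The flow described in the abstract and in claim 1 (forward the credentials to the IDM once, cache the returned access token together with the requester's roles, then decide later requests from the cache without another IDM round trip) as an added example in Python. This is illustrative code written for this page, not the patent's own implementation. The IdentityManager and StorageFrontEnd classes, the role-to-privilege table, the sample users and stored items, and the cache TTL are all assumptions; the claims say nothing about token expiry or about what happens when a presented token is not in the cache, and the example treats both cases as a forced re-authentication.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample policy: privileges conferred by each role.
ROLE_PRIVILEGES = {
    "reader": frozenset({"read:public"}),
    "analyst": frozenset({"read:public", "read:financial"}),
}

# Constructed sample data: item name -> (privilege required, content).
ITEMS = {
    "quarterly-summary": ("read:public", "Q3 summary: revenue up 4%"),
    "ledger-2023": ("read:financial", "2023 ledger: 1,204 journal entries"),
}


class IdentityManager:
    """Hypothetical IDM (the claim's 'second computer systems'): verifies
    credentials and returns an opaque token plus the requester's roles."""

    def __init__(self):
        # Constructed directory; a real IDM stores salted password hashes.
        self._users = {
            "alice": ("correct horse", ("reader", "analyst")),
            "bob": ("battery staple", ("reader",)),
        }
        self.auth_calls = 0  # counts IDM round trips so caching can be observed

    def authenticate(self, username, password):
        self.auth_calls += 1
        record = self._users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        return secrets.token_urlsafe(32), record[1]


@dataclass
class CacheEntry:
    subject: str
    roles: frozenset
    expires_at: float


class StorageFrontEnd:
    """The claim's 'first computer system': talks to the IDM on the first
    request only, then authorizes from its own cache."""

    def __init__(self, idm, cache_ttl=300.0, clock=time.monotonic):
        self._idm = idm
        self._cache = {}  # token -> CacheEntry
        self._ttl = cache_ttl  # assumption: the claims specify no expiry
        self._clock = clock

    def login(self, username, password):
        """First request: credentials go to the IDM; token and roles are cached."""
        result = self._idm.authenticate(username, password)
        if result is None:
            return None
        token, roles = result
        self._cache[token] = CacheEntry(username, frozenset(roles), self._clock() + self._ttl)
        return token

    def _cached(self, token):
        entry = self._cache.get(token)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            # Drop expired entries so revocations or role changes made at the
            # IDM take effect at the storage system at most one TTL later.
            del self._cache[token]
            return None
        return entry

    def fetch(self, token, item):
        """Later requests: no IDM round trip; the decision is purely role based."""
        entry = self._cached(token)
        if entry is None:
            return "reauth", None  # unknown or expired token: must re-authenticate
        if item not in ITEMS:
            return "not_found", None
        needed, content = ITEMS[item]
        granted = frozenset().union(*(ROLE_PRIVILEGES.get(r, frozenset()) for r in entry.roles))
        if needed not in granted:
            return "forbidden", None
        return "ok", content


def demo():
    """Run the claimed two-request flow; returns both results and the IDM call count."""
    idm = IdentityManager()
    fe = StorageFrontEnd(idm)
    token = fe.login("alice", "correct horse")
    first = fe.fetch(token, "quarterly-summary")  # permitted by the first role (reader)
    second = fe.fetch(token, "ledger-2023")       # permitted by the second role (analyst)
    return first, second, idm.auth_calls


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check before deploying this pattern. First, because authorization is decided "without communicating with the IDM", a role removed or a token revoked at the IDM keeps working at the storage system until the cache entry expires, so the TTL is the knob that bounds that window and should be chosen deliberately rather than left unbounded. Second, the cache is keyed on the bare token value, so the token must be unguessable (the example uses 32 random bytes) and must only travel over a protected channel; anyone who can read it can replay it for the remaining lifetime of the entry.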
20 Claims
1. (Reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 15, 16, 17, 18, 19, 20.
6. A system comprising:
a memory configured to store computer-executable instructions; and
at least one processor configured to access the memory and execute the computer-executable instructions to perform operations to:
receive, from a client device, a first request by a requester to access first information managed by a data storage system;
provide credential information included in the first request to an identity management (IDM) system for authenticating the requester, the IDM system comprising one or more second computers;
receive from the IDM system, an access token that is generated by the IDM system upon authenticating the requester using the credential information sent to the IDM system, wherein the access token indicates that the requester is authenticated by the IDM system;
determine a plurality of roles associated with the requester and with the access token, wherein the plurality of roles specifies a set of privileges for the plurality of roles for accessing information managed by the data storage system;
store, in a cache of the system, the access token for the requester in association with the plurality of roles;
determine, without communicating with the IDM system, whether the requester is authorized to access the first information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the first information comprises determining that the plurality of roles associated with the access token comprises a first role that permits the requester to access the first information;
based on determining that the requester is authorized to access the first information, send the first information to a device of the requester;
based on a second request by the requester to access second information managed by the data storage system, determine that the requester has previously been authenticated by the IDM system based on identifying that the access token is stored in the cache for the requester;
based on determining that the requester is authenticated by the IDM system according to the access token, determine, without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of roles associated with the access token stored in the cache;
determine, without communicating with the IDM system, whether the requester is authorized to access the second information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the second information comprises determining that the plurality of roles associated with the access token comprises a second role that permits the requester to access the second information; and
based on determining that the requester is authorized to access the second information, sending the second information to the device of the requester.
Dependent claims: 7, 8, 9, 10.
11. One or more non-transitory computer-readable media storing computer-executable instructions executable by one or more processors of a system, the computer-executable instructions comprising:
instructions that cause the one or more processors to receive, from a client device, a first request by a requester to access first information managed by a data storage system;
instructions that cause the one or more processors to provide credential information included in the first request to a IDM system of an identity management (IDM) system for authenticating the requester, the IDM system comprising one or more second computers;
instructions that cause the one or more processors to receive from the IDM system, an access token that is generated by the IDM system upon authenticating the requester using the credential information sent to the IDM system, wherein the access token indicates that the requester is authenticated by the IDM system;
instructions that cause the one or more processors to determine a plurality of roles associated with the requester and with the access token, wherein the plurality of roles specifies a set of privileges for the plurality of roles for accessing information managed by the data storage system;
instructions that cause the one or more processors to store, in a cache of the system, the access token for the requester in association with the plurality of roles;
instructions that cause the one or more processors to determine, without communicating with the IDM system, whether the requester is authorized to access the first information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the first information comprises determining that the plurality of roles associated with the access token comprises a first role that permits the requester to access the first information;
instructions that cause the one or more processors to, based on determining that the requester is authorized to access the first information, send the first information to a device of the requester;
instructions that cause the one or more processors to, based on a second request by the requester to access second information managed by the data storage system, determine that the requester has previously been authenticated by the IDM system based on identifying that the access token is stored in the cache for the requester;
instructions that cause the one or more processors to, based on determining that the requester is authenticated by the IDM system according to the access token, determine, without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of roles associated with the access token stored in the cache;
instructions that cause the one or more processors to determine, without communicating with the IDM system, whether the requester is authorized to access the second information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the second information comprises determining that the plurality of roles associated with the access token comprises a second role that permits the requester to access the second information; and
instructions that cause the one or more processors to, based on determining that the requester is authorized to access the second information, send the second information to the device of the requester.
Dependent claims: 12, 13, 14.
Specification