Access management in a data storage system

US 10,225,325 B2
Filed: 02/13/2015
Issued: 03/05/2019
Est. Priority Date: 02/13/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a first computer system of a data storage system and from a clientdevice, a first request by a requester to access first information managed by the data storage system;

providing, by the first computer system, credential information included in the first request to an identity management (IDM) system for authenticating the requester, the IDM system comprising one or more second computer systems;

receiving, by the first computer system, from the IDM system, an access token that is generated by the IDM system upon authenticating the requester using the credential information sent to the IDM system, wherein the access token indicates that the requester is authenticated by the IDM system;

determining a plurality of roles associated with the requester and with the access token, wherein the plurality of roles specifies a set of privileges for the plurality of roles for accessing information managed by the data storage system;

storing, in a cache of the first computer system, the access token for the requester in association with the plurality of roles;

determining, by the first computer system and without communicating with the IDM system, whether the requester is authorized to access the first information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the first information comprises determining that the plurality of roles associated with the access token comprises a first role that permits the requester to access the first information;

based on determining that the requester is authorized to access the first information, sending, by the first computer system, the first information to a device of the requester;

based on a second request by the requester to access second information managed by the data storage system, determining, by the first computer system, that the requester has previously been authenticated by the IDM system based on identifying that the access token is stored in the cache for the requester;

based on determining that the requester is authenticated by the IDM system according to the access token, determining, by the first computer system and without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of roles associated with the access token stored in the cache;

determining, by the first computer system and without communicating with the IDM system, whether the requester is authorized to access the second information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the second information comprises determining that the plurality of roles associated with the access token comprises a second role that permits the requester to access the second information; and

based on determining that the requester is authorized to access the second information, sending, by the first computer system, the second information to the device of the requester.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for managing access to information stored in a data storage system of an organization is provided. In an embodiment, the data storage system may be configured to receive a request from a requester on a client device to access information stored in the data storage system. In some aspects, upon receiving the request, the first system may determine that an access token identifying the requester is stored in a cache in the data storage system. In some aspects, the data storage system may then retrieve one or more roles from the cache. In some examples, the roles may be associated with the access token. In certain embodiments, the data storage system may then be configured to determine that the requester is authorized to access the information based on the roles and provide the information to the requester on the client device.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, by a first computer system of a data storage system and from a clientdevice, a first request by a requester to access first information managed by the data storage system;
  
  providing, by the first computer system, credential information included in the first request to an identity management (IDM) system for authenticating the requester, the IDM system comprising one or more second computer systems;
  
  receiving, by the first computer system, from the IDM system, an access token that is generated by the IDM system upon authenticating the requester using the credential information sent to the IDM system, wherein the access token indicates that the requester is authenticated by the IDM system;
  
  determining a plurality of roles associated with the requester and with the access token, wherein the plurality of roles specifies a set of privileges for the plurality of roles for accessing information managed by the data storage system;
  
  storing, in a cache of the first computer system, the access token for the requester in association with the plurality of roles;
  
  determining, by the first computer system and without communicating with the IDM system, whether the requester is authorized to access the first information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the first information comprises determining that the plurality of roles associated with the access token comprises a first role that permits the requester to access the first information;
  
  based on determining that the requester is authorized to access the first information, sending, by the first computer system, the first information to a device of the requester;
  
  based on a second request by the requester to access second information managed by the data storage system, determining, by the first computer system, that the requester has previously been authenticated by the IDM system based on identifying that the access token is stored in the cache for the requester;
  
  based on determining that the requester is authenticated by the IDM system according to the access token, determining, by the first computer system and without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of roles associated with the access token stored in the cache;
  
  determining, by the first computer system and without communicating with the IDM system, whether the requester is authorized to access the second information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the second information comprises determining that the plurality of roles associated with the access token comprises a second role that permits the requester to access the second information; and
  
  based on determining that the requester is authorized to access the second information, sending, by the first computer system, the second information to the device of the requester.
- View Dependent Claims (2, 3, 4, 5, 15, 16, 17, 18, 19, 20)
- - 2. The computer-implemented method of claim 1, further comprising:
    - identifying, by the first computer system, the credential information included in the first request; and
      
      providing, by the first computer system, the access token to the device of the requester.
  - 3. The computer-implemented method of claim 1, wherein determining the plurality of roles includes receiving, by the first computer system, from the IDM system, the plurality of roles of the requester to be associated with the access token received from the IDM system.
  - 4. The computer-implemented method of claim 1, wherein determining that the first role permitted to access the first information is included in the plurality of roles associated with the access token stored for the requester comprises comparing, by the first computer system, an access control list associated with the first information with the plurality of roles associated with the access token, wherein the access control list indicates at least one role permitted to access the first information.
  - 5. The computer-implemented method of claim 3, wherein the set of privileges is based on an access policy that enables the requester to access at least one of the first information or the second information.
  - 15. The computer-implemented method of claim 1, further comprising:
    - determining, at the data storage system, a first storage node that stores the first information; and
      
      accessing a first access control list at the first storage node, the first access control list for managing access to the first information, wherein the first role is indicated by the first access control list;
      
      determining, at the data storage system, a second storage node that stores the second information; and
      
      accessing a second access control list stored at the second storage node, the second access control list for managing access to the second information, wherein the second role is indicated by the second access control list.
  - 16. The method of claim 15, wherein the first storage node is different from the second storage node, wherein the first access control list is different from the second access control list, and wherein the first information is different from the second information.
  - 17. The computer-implemented method of claim 1:
    - wherein the plurality of roles are stored in the cache; and
      
      wherein determining, without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of associated with the access token stored in the cache comprises retrieving the plurality of roles from the cache.
  - 18. The computer-implemented method of claim 1, wherein determining that the first role permitted to access the first information is included in the plurality of roles associated with the access token stored for the requester is performed without communicating with the IDM system.
  - 19. The computer-implemented method of claim 1, wherein the first role and the second role are different;
    - and wherein the first role and the second role define different access rights for the requester with respect to, respectively, the first information and the second information.
  - 20. The computer-implemented method of claim 1, further comprising:
    - receiving, by the first computer system and from the IDM system, first data indicating the plurality of roles and second data indicating that the access token is associated with the plurality of roles; and
      
      determining, by the first computer system, the plurality of roles associated with the requester and with the access token based on the first data and the second data.

6. A system comprising:
- a memory configured to store computer-executable instructions; and
  
  at least one processor configured to access the memory and execute the computer- executable instructions to perform operations to;
  
  receive, from a client device, a first request by a requester to access first information managed by a data storage system;
  
  provide credential information included in the first request to an identity management (IDM) system for authenticating the requester, the IDM system comprising one or more second computers;
  
  receive from the IDM system, an access token that is generated by the IDM system upon authenticating the requester using the credential information sent to the IDM system, wherein the access token indicates that the requester is authenticated by the IDM system;
  
  determine a plurality of roles associated with the requester and with the access token, wherein the plurality of roles specifies a set of privileges for the plurality of roles for accessing information managed by the data storage system;
  
  store, in a cache of the system, the access token for the requester in association with the plurality of roles;
  
  determine, without communicating with the IDM system, whether the requester is authorized to access the first information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the first information comprises determining that the plurality of roles associated with the access token comprises a first role that permits the requester to access the first information;
  
  based on determining that the requester is authorized to access the first information, send, the first information to a device of the requesterbased on a second request by the requester to access second information managed by the data storage system, determine that the requester has previously been authenticated by the IDM system based on identifying that the access token is stored in the cache for the requester;
  
  based on determining that the requester is authenticated by the IDM system according to the access token, determine, without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of roles associated with the access token stored in the cache;
  
  determine, without communicating with the IDM system, whether the requester is authorized to access the second information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the second information comprises determining that the plurality of roles associated with the access token comprises a second role that permits the requester to access the second information; and
  
  based on determining that the requester is authorized to access the second information, sending the second information to the device of the requester.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the at least one processor is configured to execute the computer-executable instructions to:
    - identify the credential information included in the first request;
      
      and provide the access token to the device of the requester.
  - 8. The system of claim 6, wherein the at least one processor is configured to execute the computer-executable instructions to determine the plurality of roles by receiving, from the IDM system, the plurality of roles of the requester to be associated with the access token received from the IDM system.
  - 9. The system of claim 6, wherein the at least one processor is further configured to execute the computer-executable instructions to determine that the first role permitted to access the first information is included in the plurality of roles associated with the access token stored for the requester by comparing an access control list associated with the first information with the plurality of roles associated with the access token, wherein the access control list indicates at least one role permitted to access the first information.
  - 10. The system of claim 6, wherein the set of privileges is based on an access policy that enables the requester to access at least one of the first information or the second information.

11. One or more non-transitory computer-readable media storing computer-executable instructions executable by one or more processors of a system, the computer-executable instructions comprising:
- instructions that cause the one or more processors to receive, from a client device, a first request by a requester to access first information managed by a data storage system;
  
  instructions that cause the one or more processors to provide credential information included in the first request to a IDM system of an identity management (IDM) system for authenticating the requester, the IDM system comprising one or more second computers;
  
  instructions that cause the one or more processors to receive from the IDM system, an access token that is generated by the IDM system upon authenticating the requester using the credential information sent to the IDM system, wherein the access token indicates that the requester is authenticated by the IDM system;
  
  instructions that cause the one or more processors to determine a plurality of roles associated with the requester and with the access token, wherein the plurality of roles specifies a set of privileges for the plurality of roles for accessing information managed by the data storage system;
  
  instructions that cause the one or more processors to store, in a cache of the system, the access token for the requester in association with the plurality of roles;
  
  instructions that cause the one or more processors to determine, without communicating with the IDM system, whether the requester is authorized to access the first information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the first information comprises determining that the plurality of roles associated with the access token comprises a first role that permits the requester to access the first information;
  
  instructions that cause the one or more processors to, based on determining that the requester is authorized to access the first information, send the first information to a device of the requester;
  
  instructions that cause the one or more processors to, based on a second request by the requester to access second information managed by the data storage system, determine that the requester has previously been authenticated by the IDM system based on identifying that the access token is stored in the cache for the requester;
  
  instructions that cause the one or more processors to, based on determining that the requester is authenticated by the IDM system according to the access token, determine, without communicating with the IDM system, the plurality of roles associated with the access token by retrieving the plurality of roles associated with the access token stored in the cache;
  
  instructions that cause the one or more processors to determine, without communicating with the IDM system, whether the requester is authorized to access the second information based upon the plurality of roles and the set of privileges, wherein determining whether the requester is authorized to access the second information comprises determining that the plurality of roles associated with the access token comprises a second role that permits the requester to access the second information; and
  
  instructions that cause the one or more processors to, based on determining that the requester is authorized to access the second information, send the second information to the device of the requester.
- View Dependent Claims (12, 13, 14)
- - 12. The computer-readable media of claim 11, the instructions further comprising:
    - instructions that cause the one or more processors to identify credential information included in the first request; and
      
      instructions that cause the one or more processors to provide the access token to the device of the requester.
  - 13. The computer-readable media of claim 11, the instructions further comprising instructions that cause the one or more processors to determine the plurality of by receiving, from the IDM system, the plurality of roles of the requester to be associated with the access token received from the IDM system.
  - 14. The computer-readable media of claim 11, the instructions further comprising instructions that cause the one or more processors to determine that the first role permitted to access the first information is included-in the plurality of roles associated with the access token stored for the requester by comparing an access control list associated with the first information with the plurality of roles associated with the access token, wherein the access control list indicates at least one role permitted to access the first information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Schincariol, Merrick, Revanuru, Naresh
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/622,648
Publication Number

US 20150227749A1
Time in Patent Office

1,481 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 9/5072   Grid computing

H04L 41/0806   for initial configuration o...

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

Access management in a data storage system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access management in a data storage system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links