System for controlling access to resources in a storage area network

US 20020095602A1
Filed: 01/17/2001
Published: 07/18/2002
Est. Priority Date: 01/17/2001
Status: Active Grant

First Claim

Patent Images

1. A method for implementing security management in a storage area network including at least one storage resource user, a resource provider, and resources controlled by the resource provider, the method comprising the steps of:

providing notification to the storage resource user that a resource provider is available on the storage area network;

requesting access to the resources by sending identifying indicia from the storage resource user to the resource provider, in response to receiving the notification; and

examining a table of approved entities for the identifying indicia to determine whether any resources are available to the requesting storage resource user;

wherein, if the resources are determined to be available to the storage resource user requesting access to the resources, then allowing the storage resource user to access the resources.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for implementing security management in a storage area network by controlling access to network resources. Initially, a resource provider communicates with potential resource users, such as host computers, servers, and workstations, to allow the users to discover the resources available on the storage area network. Resource users that have not previously logged in to a particular resource supply identification information to the resource provider, which places the information in a ‘not yet approved entity’ table. The ‘not yet approved entity’ table is made available to a management station. An administrator, using the management station, then determines whether to authorize use of resources. If access to the requested resource is allowed, the resource user identification information is stored in an ‘approved entity’ table. A login is then allowed by the resource user to the selected resource. Once a resource user has initially logged in, connection information is maintained in the ‘approved entity’ table facilitating subsequent log-in attempts by the resource user.

118 Citations

20 Claims

1. A method for implementing security management in a storage area network including at least one storage resource user, a resource provider, and resources controlled by the resource provider, the method comprising the steps of:
- providing notification to the storage resource user that a resource provider is available on the storage area network;
  
  requesting access to the resources by sending identifying indicia from the storage resource user to the resource provider, in response to receiving the notification; and
  
  examining a table of approved entities for the identifying indicia to determine whether any resources are available to the requesting storage resource user;
  
  wherein, if the resources are determined to be available to the storage resource user requesting access to the resources, then allowing the storage resource user to access the resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 20)
- - 2. The method of claim 1, wherein, if no the resources are determined to be available to the requesting storage resource user, then storing the identifying indicia in a table of not-yet-approved entities.
  - 3. The method of claim 1, wherein the resource provider comprises an RAID controller.
  - 4. The method of claim 3, wherein the table of approved entities is stored in non-volatile memory in the controller.
  - 5. The method of claim 3, wherein a table of not-yet-approved entities comprising a node World Wide Name and a port World Wide Name for a plurality of storage resource users is stored in volatile memory in the controller.
  - 6. The method of claim 1, wherein the resources comprise an array of data storage devices.
  - 7. The method of claim 1, wherein the identifying indicia comprise a node World Wide Name and port World Wide Name.
  - 8. The method of claim 1, further comprising the steps of:
    - uploading a list of available resources from the resource provider to a management station;
      
      uploading the table of not-yet-approved entities from the resource provider to the management station;
      
      selecting a storage resource user identity from the table of not-yet-approved entities;
      
      selecting, from the list of available resources, resources to be made available to the storage resource user;
      
      sending a list of the resources selected and storage resource user identity to the resource provider;
      
      allocating, to the storage resource user, the resources included in the list; and
      
      presenting, to the storage resource user, the resources allocated in the allocating step.
  - 9. The method of claim 8, further comprising the steps of:
    - uploading the table of approved entities from the resource provider; and
      
      optionally selecting the storage resource user identity from the table of approved entities instead of from the table of not-yet-approved entities.
  - 10. The method of claim 8, including storing the resources to be made available to the storage resource user in a LUN access map in the table of approved entities.
  - 11. The method of claim 10, wherein each command received from the storage resource user is checked by the controller against the LUN access map for authentication.
  - 13. The method of claim 12, wherein the indicia comprise the node World Wide Name and port World Wide Name for the storage resource user.
  - 14. The method of claim 12, including the step of providing notification to the storage resource user that a resource is available on the storage area network.
  - 15. The method of claim 12, including the steps of:
    - uploading a list of available data storage areas from the controller to a management station;
      
      uploading the table of not-yet-approved entities from the controller;
      
      selecting the identifying indicia corresponding to a storage resource user, from the table of not-yet-approved entities;
      
      selecting, from the list of available data storage areas, the data storage areas to be made available to the storage resource user;
      
      sending association information to the controller, the association information including a list of the data storage areas to be made available to the storage resource user and the identifying indicia corresponding to a storage resource user; and
      
      allocating, to the storage resource user, the data storage areas included in the association information.
  - 16. The method of claim 12, wherein the data storage areas comprise logical units.
  - 17. The method of claim 16, including storing the data storage areas to be made available to the storage resource user in a LUN access map in the table of approved entities.
  - 18. The method of claim 17, wherein each command received from the storage resource user is checked by the controller against the LUN access map for authentication.
  - 20. The system of claim 19, wherein the first table includes a LUN access map for storing indicia of specific logical units on the data storage areas, and indicia of the storage resource user to which the specific logical units are accessible.

12. A method for implementing security management in a storage area network including at least one storage resource user, an data storage RAID controller, and a data storage array coupled to the controller, the method comprising the steps of:
- granting access to data storage areas on disks in the storage array to specific storage resource users of the at least one storage resource user;
  
  storing, in a table of approved entities in non-volatile memory in the controller, indicia of data storage areas on disks in the storage array accessible to any storage resource user that has been granted access to data storage areas on disks in the storage array;
  
  storing, in a table of not-yet-approved entities in volatile memory in the controller, indicia of any of the at least one storage resource user that have not been granted access to data storage areas on disks in the storage array;
  
  requesting access to the areas by sending at least the identifying indicia from the storage resource user to the resource provider; and
  
  examining the table of approved entities for the identifying indicia to determine whether any of the data storage areas are available to the requesting storage resource user;
  
  wherein, if the data storage areas are determined to be available to the storage resource user requesting access to the data storage areas, then allowing the storage resource user to access the data storage areas;
  
  otherwise, if no the data storage areas are determined to be available to the requesting storage resource user, then storing the identifying indicia in the table of not-yet-approved entities.

19. A system for implementing security management in a storage area network including at least one storage resource user, a resource provider, and resources controlled by the resource provider, the system comprising:
- a first table of approved entities for storing, in memory in the controller, indicia of data storage areas on disks in the storage array and the storage resource user to which the areas are accessible; and
  
  a second table of not-yet-approved entities for storing, in memory in the controller, indicia identifying indicia for storage resource user entities that are presently not allowed access to any resources on the storage area network;
  
  wherein the storage resource user is allowed to access the specific logical units included in the indicia of data storage areas on disks in the storage array, if the indicia in the first table corresponds to identifying indicia provided by the storage resource user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Walker, Michael Dean, Shen, Diana, Pherson, James E., Guttormson, Paul D.

Granted Patent

US 6,968,463 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

System for controlling access to resources in a storage area network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System for controlling access to resources in a storage area network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links