SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY

US 20080243795A1
Filed: 03/28/2008
Published: 10/02/2008
Est. Priority Date: 10/17/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of searching for data objects in a data management system, the method comprising:

receiving one or more criteria describing at least one data object to be located within the data management system;

identifying one or more data objects stored within the data management system that satisfy the received one or more criteria;

determining one or more access rights associated with the identified one or more data objects stored within the data management system; and

providing a filtered list of results that contains the identified one or more data objects, wherein the list is filtered based on the determined one or more access rights.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.

156 Citations

20 Claims

1. A method of searching for data objects in a data management system, the method comprising:
- receiving one or more criteria describing at least one data object to be located within the data management system;
  
  identifying one or more data objects stored within the data management system that satisfy the received one or more criteria;
  
  determining one or more access rights associated with the identified one or more data objects stored within the data management system; and
  
  providing a filtered list of results that contains the identified one or more data objects, wherein the list is filtered based on the determined one or more access rights.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein determining one or more access rights comprises determining access rights based on an identity of a user from which the one or more criteria are received.
  - 3. The method of claim 1 wherein determining one or more access rights comprises determining access rights based on an identity of a process from which the one or more criteria are received.
  - 4. The method of claim 1 wherein determining one or more access rights comprises determining access rights based on an identity of the identified one or more data objects.
  - 5. The method of claim 1 wherein the identified one or more data objects include textual content, and wherein determining one or more access rights comprises determining access rights based on the included textual content.
  - 6. The method of claim 1 wherein providing a filtered list of results comprises removing identified data objects from the results to which the one or more access rights do not grant access.
  - 7. The method of claim 1 wherein providing a filtered list of results comprises providing an indication that access to the results is restricted to results to which the one or more access rights grant access.
  - 8. The method of claim 1 wherein identifying one or more data objects stored within the data management system comprises querying a database that maintains an index of data objects stored within the data management system and access control information associated with the data objects to determine data objects that satisfy the one or more received criteria.
  - 9. The method of claim 1 wherein the access rights associated with the identified one or more data objects are based on access control information associated with source data used to create the one or more data objects.
  - 10. The method of claim 1 wherein the data management system contains multiple copies of certain data objects, and wherein similar access rights are associated with each of the copies of the certain data objects.
  - 11. The method of claim 1 wherein the access rights of a user from which the one or more criteria are received are determined by the membership of the user in one or more Microsoft®
    - Windows Active Directory groups.

12. A computer-readable medium containing instructions for controlling a computer system to restrict access to data objects stored within a storage management system, by a method comprising:
- receiving a request identifying a particular copy of a data object for which access rights are to be determined, wherein the data object has multiple copies;
  
  identifying the entity requesting access to the particular copy of the data object;
  
  querying access control information for the particular copy of the data object from the storage management system, wherein the storage management system determines access control information with each data object when a first instance of the data object is encountered and associates the access control information with each subsequent copy of the data object that is created; and
  
  ,indicating whether the identified entity requesting access to the data object is granted access to the data object based on the access control information associated with the data object by the storage management system, wherein the indication is the same regardless of which of the multiple copies of the data object the request identifies.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-readable medium of claim 12 wherein identifying the entity requesting access comprises determining the access rights assigned to the entity by a security system.
  - 14. The computer-readable medium of claim 12 wherein different storage operations have been performed on each of the copies of the data object having multiple copies.
  - 15. The computer-readable medium of claim 12 wherein storing access control information for each data object when a first instance of the data object is encountered comprises retrieving access control information associated with a file system in which the data object is stored.
  - 16. The computer-readable medium of claim 12 wherein querying access control information for the particular copy of the data object from the storage management system comprises accessing an index that stores information about each copy of the data object and access control information associated with the data object.
  - 17. The computer-readable medium of claim 12 wherein the entity requesting access is a member of an external security group and identifying the entity requesting access to the particular copy of the data object comprises determining the access rights assigned to members of the external security group.

18. A system for filtering data objects provided in response to a search in a data management system based on access rights associated with the data objects, the system comprising:
- a network security component that provides access control information for data objects stored by one or more computers within the data management system, wherein the access control information is based on access control information associated with source data used to create each data object;
  
  an entity identification component that identifies an entity requesting access to a data object stored within the data management system;
  
  a storage search component that receives criteria and performs searches for data objects within the data management system that satisfy at least one or the criteria; and
  
  a data object access component that determines whether the entity identified by the entity identification component has access to the data objects discovered by the storage search component based on the access control information.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18 wherein the network security component manages storage operations associated with data objects and when a storage operation creates a copy of a data object, migrates access control information associated with the source of the data object to the copy of the data object.
  - 20. The system of claim 18, further comprising a web server component that provides access to data objects and the storage search component through a web browser interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Prahlad, Anand, Varadharajan, Prakash

Application Number

US12/058,518
Publication Number

US 20080243795A1
Time in Patent Office

Days
Field of Search
US Class Current

707/3
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

156 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links