ROLE BASED ACCESS CONTROL UTILIZING SCOPED PERMISSIONS

US 20110191485A1
Filed: 02/03/2010
Published: 08/04/2011
Est. Priority Date: 02/03/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

associating a scoped permission assignment with an operation related to a type of at least one resource;

assigning the scoped permission assignment to a role; and

associating the role with a user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods authorizing access to storage system resources are presented herein. A scoped permission assignment can be associated with an operation related to a type of at least one resource. The scoped permission assignment can be assigned to a role; and the role can be associated with user(s). A resource, or one or more resources of a resource group, can be associated with user(s) or user group(s). Further, a user can be authorized to perform the operation on the resource and/or one or more resources based on, at least in part, permission assignments directly granted to the user or granted in a role of the user. In addition, one or more resource flags can be assigned to the one or more resources. Accordingly, the user can be authorized to perform the operation based on, at least in part, the one or more resource flags and the scoped permission assignment.

Citations

25 Claims

1. A method comprising:
- associating a scoped permission assignment with an operation related to a type of at least one resource;
  
  assigning the scoped permission assignment to a role; and
  
  associating the role with a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - associating at least one of a resource of the at least one resource or a resource group including one or more resources of the at least one resource with the user; and
      
      authorizing the user to perform the operation on at least one of the resource or the one or more resources based on, at least in part, the scoped permission assignment.
  - 3. The method of claim 2, wherein the associating the scoped permission assignment with the operation comprises:
    - associating the scoped permission assignment with the operation related to the type of the at least one resource, wherein the operation includes;
      
      modifying the at least one of the resource or the one or more resources;
      
      utilizing the at least one of the resource or the one or more resources;
      
      orviewing the at least one of the resource or the one or more resources.
  - 4. The method of claim 1, wherein the associating the scoped permission assignment with the operation comprises:
    - associating the scoped permission assignment with the operation related to the type of the at least one resource, wherein the type includes;
      
      a storage volume type referencing a storage volume;
      
      a storage volume group type referencing a storage volume group including at least two storage volumes;
      
      a storage volume access control list type referencing a storage volume access control list defining one or more authorization privileges associated with at least one of the storage volume or the storage volume group;
      
      a storage pool type referencing a storage pool including at least one of two or more storage volumes or one or more storage volume groups;
      
      a storage system type referencing a storage system;
      
      a target port type referencing a target port;
      
      a physical disk type referencing a physical disk;
      
      a host type referencing a host;
      
      a host group type referencing a host group including at least two hosts;
      
      ora storage tier type referencing a storage tier.
  - 5. The method of claim 1, wherein the associating the scoped permission assignment with the operation comprises:
    - associating the scoped permission assignment with the operation related to the type of the at least one resource, wherein the type includes;
      
      a task type referencing a task;
      
      an audit trail type referencing an audit trail;
      
      an alert type referencing an alert of one or more alerts;
      
      an alert configuration type referencing a configuration of the alert;
      
      a license type referencing a license;
      
      a localization type referencing a localization of messages;
      
      an event type referencing an event;
      
      a custom application programming interface (API) type referencing a custom API;
      
      a custom object property type referencing a custom object property;
      
      a user type including a user reference referencing the user;
      
      a user group type including a user group reference referencing a user group including at least two users;
      
      a role type referencing the role;
      
      a resource type referencing the at least one of the resource or the one or more resources;
      
      a resource group type including a resource group reference referencing the resource group;
      
      ora quota type referencing a quota associated with at least one of the resource, the one or more resources, or the storage system.
  - 6. The method of claim 3, wherein the modifying comprises:
    - at least one of modifying, deleting, resizing, locking, restoring, or unlocking a storage volume;
      
      at least one of creating a snapshot of the storage volume, cloning the storage volume, remote replicating the storage volume, compressing the storage volume, encrypting the storage volume, or mirroring the storage volume;
      
      at least one of modifying a storage volume group, adding one or more storage volumes to the storage volume group, deleting the storage volume group, or removing the one or more volumes from the storage volume group;
      
      at least one of enabling access to a storage volume associated with a storage volume ACL from a specified host, or removing the access;
      
      at least one of modifying, creating, deleting, or rescanning a storage pool;
      
      at least one of growing the storage pool;
      
      adding a hotspare to the storage pool, removing the hotspare from the storage pool, changing a status of the storage pool to an online status, or changing the status of the storage pool to an offline status;
      
      modifying a storage system;
      
      setting one or more parameters associated with a target port;
      
      at least one of adding a host, removing the host, modifying the host, adding an initiator port entry associated with the host, or removing the initiator;
      
      orat least one of creating a host group, modifying the host group, deleting the host group, adding one or more hosts to the host group, or removing the one or more hosts from the host group.
  - 7. The method of claim 3, wherein the modifying comprises:
    - at least one of clearing a task or canceling the task;
      
      clearing an audit trail;
      
      setting an alert configuration;
      
      at least one of clearing the alert or clearing one or more alerts;
      
      at least one of setting a license or activating the license;
      
      invoking a custom API;
      
      at least one of getting, setting, or enumerating a custom object property;
      
      at least one of modifying a user reference, deleting the user reference, or setting a password associated with the user reference;
      
      at least one of creating a user group reference, modifying the user group reference, deleting the user group reference, associating at least one user reference with the user group reference, or disassociating the at least one user reference from the user group reference;
      
      at least one of creating a role, modifying the role, deleting the role, associating a permission with the role, or disassociating the permission from the role;
      
      setting at least one of a shared resource flag, an immutable resource flag, or global resource flag associated with at least one resource;
      
      at least one of creating a resource group reference, deleting the resource group reference, associating a user with the resource group reference, disassociating the user from the resource group reference, associating the at least one resource with the resource group reference, or disassociating the at least one resource from the resource group reference;
      
      orat least one of creating, deleting, increasing, or decreasing a quota.
  - 8. The method of claim 3, wherein the utilizing comprises:
    - at least one of creating a storage volume, resizing the storage volume, creating a snapshot of the storage volume, deleting the snapshot of the storage volume, or cloning the storage volume;
      
      creating a storage volume group;
      
      at least one of enabling access to the storage volume, wherein the storage volume is associated with a storage volume ACL from a specified host, or removing the access;
      
      orat least one of creating a user reference, modifying the user reference, or deleting the user reference;
      
      wherein creating a snapshot of the storage volume includes recording whether changes were made to the storage volume; and
      
      wherein cloning the storage volume includes copying the storage volume.
  - 9. The method of claim 3, wherein the viewing comprises:
    - enumerating a storage volume, a storage volume group, a storage volume access control list, a storage pool, a target port, a physical disk, a host, a host group, a task, an alert, an event, a user reference, a user group reference, a role, a resource group, or a quota.
  - 10. The method of claim 3, wherein the associating the scoped permission assignment with the operation comprises:
    - associating the scoped permission assignment with the operation related to the type of the at least one resource;
      
      wherein the scoped permission assignment includes an owner-level permission scope, a group-level permission scope, a system-global-level permission scope, or a grid-level permission scope; and
      
      wherein the authorizing includes authorizing the modifying if the scoped permission assignment includes the system-global-level permission scope.
  - 11. The method of claim 10, wherein the authorizing comprises:
    - authorizing the modifying if the scoped permission assignment includes at least one of the group-level permission scope or the system-global-level permission scope.
  - 12. The method of claim 10, further comprising:
    - assigning one or more resource flags to the at least one resource, wherein the one or more resource flags include at least one of a shared resource flag, an immutable resource flag, or a global resource flag;
      
      wherein the authorizing includes authorizing the modifying, the utilizing, and the viewing based on, at least in part, the one or more resource flags and the scoped permission assignment.
  - 13. The method of claim 12, wherein the authorizing comprises authorizing the utilizing if:
    - the one or more resource flags include the shared resource flag and the scoped permission assignment includes the owner-level permission scope;
      
      the one or more resource flags include the shared resource flag and the global resource flag, and the scoped permission assignment includes the owner-level permission scope or the group-level permission scope;
      
      the one or more resource flags include the shared resource flag and the immutable resource flag, and the scoped permission assignment includes the owner-level permission scope or the group-level permission scope;
      
      orthe one or more resource flags include the shared resource flag, the immutable resource flag, and the global resource flag, wherein the scoped permission assignment includes the owner-level permission scope, the group-level permission scope, or the system-global-level permission scope.
  - 14. The method of claim 12, wherein the authorizing comprises authorizing the modifying if:
    - the one or more resource flags include the shared resource flag and the scoped permission assignment includes the group-level permission scope or the system-global-level permission scope;
      
      the one or more resource flags include the shared resource flag and the global resource flag, and the scoped permission assignment includes the system-global-level permission scope;
      
      orthe one or more resource flags include the shared resource flag and the immutable resource flag, and the scoped permission assignment includes the system-global-level permission scope.
  - 15. The method of claim 12, further comprising:
    - designating at least one user as an owner of the at least one resource;
      
      wherein the authorizing comprises authorizing the modifying by the at least one owner if;
      
      the scoped permission assignment includes the owner-level permission scope, the group-level permission scope, or the system-global-level permission scope;
      
      orthe one or more resource flags include the immutable resource flag and the scoped permission assignment includes the system-global-level permission scope.
  - 16. The method of claim 12, wherein the authorizing comprises authorizing the utilizing by the owner if the one or more resource flags include the immutable resource flag and the scoped permission assignment includes the owner-level permission scope or the group-level permission scope.

17. A system comprising:
- a scope component configured to;
  
  associate one or more types of resources with at least one operation; and
  
  assign at least one scoped permission assignment to the at least one operation; and
  
  a resource component configured to;
  
  assign the at least one scoped permission assignment to at least one role;
  
  associate the at least one role with one or more users; and
  
  permit the one or more users to perform the at least one operation on the one or more types of resources based on, at least in part, the at least one scoped permission assignment.

19. A system comprising:
- a storage component configured to;
  
  create a storage grid including at least two storage systems, wherein a storage system of the at least two storage systems includes one or more storage pools, and wherein a storage pool of the one or more storage pools includes one or more storage mediums; and
  
  a group component configured to;
  
  combine storage pools of the one or more storage pools into one or more storage tiers; and
  
  assign a storage tier of the one or more storage tiers as a resource of a resource group;
  
  wherein a user associated with the resource group is authorized to perform one or more operations on the resource based on, at least in part, one or more resource flags associated with the resource.
- View Dependent Claims (18, 20, 21)
- - 18. The system of claim 19, wherein the scope component is configured to:
    - assign one or more resource flags to the one or more types of resources,wherein the resource component is configured to permit the one or more users to perform the at least one operation on the one or more types of resource based on, at least in part, the one or more resource flags and the at least one scoped permission assignment.
  - 20. The system of claim 19, wherein the group component is configured to:
    - automatically combine the storage pools based on at least one of a storage size of the one or more storage mediums or a utilization rate of the one or more storage mediums.
  - 21. The system of claim 20, further comprising:
    - a pricing component configured to assign one or more fees corresponding to the one or more storage tiers based on the at least one of the storage size or the utilization rate;
      
      wherein the user is authorized to perform the operations on the resource based on, at least in part, the one or more fees.

22. A method comprising:
- assigning a scoped permission assignment to an operation related to a type of one or more resources of a storage grid;
  
  associating a role with the scoped permission assignment;
  
  assigning the role to one or more system administrators of the storage grid; and
  
  partitioning management of the storage grid by the one or more system administrators based on the scoped permission assignment;
  
  wherein the storage grid includes at least one storage system, wherein the at least one storage system includes at least one storage pool, and wherein the at least one storage pool includes at least one storage medium.
- View Dependent Claims (23)
- - 23. The method of claim 22, further comprising:
    - associating at least one resource of the one or more resources with at least one system administrator of the one or more system administrators; and
      
      authorizing the at least one system administrator to perform the operation on the at least one resource based on, at least in part, the scoped permission assignment.

24. A method comprising:
- relating an operation to a type of one or more resources;
  
  assigning a scoped permission assignment to the operation;
  
  correlating the scoped permission assignment with a role;
  
  associating the role with a user; and
  
  authorizing the user to perform the operation on a resource of the one or more resources based on the scoped permission assignment.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising:
    - assigning one or more resource flags to the resource; and
      
      authorizing the user to perform the operation on the resource based on the one or more resource flags and the scoped permission assignment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OS NEXUS, Inc.
Original Assignee
OS NEXUS, Inc.
Inventors
Umbehocker, Steven Michael

Granted Patent

US 9,953,178 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 16/907   Retrieval characterised by ...

G06F 21/604   Tools and structures for ma...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 3/0605   by facilitating the interac...

G06F 3/0622   in relation to access

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

ROLE BASED ACCESS CONTROL UTILIZING SCOPED PERMISSIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

ROLE BASED ACCESS CONTROL UTILIZING SCOPED PERMISSIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links