ACCESS CONTROL OF DATA IN A DISPERSED STORAGE NETWORK
First Claim
1. A method for execution by one or more processing modules of one or more computing devices, the method comprises:
- in response to a data access request that includes a data access request type, a data object identifier of a data object, and a user identifier of a user of a user device, accessing hierarchical data access control information that includes;
a plurality of logical memory access control files, wherein a logical memory access control file of the plurality of logical memory access control files includes a list of users that have access to a particular logical memory space and a list of corresponding access rights to data stored within the particular logical memory space; and
a plurality of sets of data object access control files, wherein a set of data object access control files of the plurality of sets of data object access control files is associated with the logical memory access control file, wherein a data object access control file of the set of data object access control files includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file;
from the hierarchical data access control information, obtaining one of the plurality of logical memory access control files based on the user identifier;
determining, from the one of the plurality of logical memory access control files, whether the data access request type is within corresponding access rights of the user device;
when the data access request type is within the corresponding access rights of the user device, obtaining a corresponding data object access control file from a corresponding set of data object access files of the plurality of sets of data object access control files based on the data object identifier;
determining, from the corresponding data object access control file, whether the data access request type is restricted; and
when the data access request type is not restricted, processing the data access request.
5 Assignments
0 Petitions
Accused Products
Abstract
A method begins by a dispersed storage (DS) processing module receiving, from a user device, a data access request and accessing hierarchical data access control information. The method continues with the DS processing module obtaining a logical memory access control file from the hierarchical data access control information and determining a data access request type of the request is within access rights of the user device. When the data access request type is within the access rights of the user device, the method continues with the DS processing module obtaining a data object access control file from the hierarchical data access control information. The method continues with the DS processing module determining, from the data object access control file, whether the data access request type is restricted. When the data access request type is not restricted, the method continues with the DS processing module processing the data access request.
-
Citations
22 Claims
-
1. A method for execution by one or more processing modules of one or more computing devices, the method comprises:
-
in response to a data access request that includes a data access request type, a data object identifier of a data object, and a user identifier of a user of a user device, accessing hierarchical data access control information that includes; a plurality of logical memory access control files, wherein a logical memory access control file of the plurality of logical memory access control files includes a list of users that have access to a particular logical memory space and a list of corresponding access rights to data stored within the particular logical memory space; and a plurality of sets of data object access control files, wherein a set of data object access control files of the plurality of sets of data object access control files is associated with the logical memory access control file, wherein a data object access control file of the set of data object access control files includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file; from the hierarchical data access control information, obtaining one of the plurality of logical memory access control files based on the user identifier; determining, from the one of the plurality of logical memory access control files, whether the data access request type is within corresponding access rights of the user device; when the data access request type is within the corresponding access rights of the user device, obtaining a corresponding data object access control file from a corresponding set of data object access files of the plurality of sets of data object access control files based on the data object identifier; determining, from the corresponding data object access control file, whether the data access request type is restricted; and when the data access request type is not restricted, processing the data access request. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A method for execution by one or more processing modules of one or more computing devices for maintaining access control information for data storage in network memory, the method comprises:
-
interpreting a data access request to determine whether a data object corresponding to a data object identifier of the data access request is stored in the network memory, wherein the data access request includes a data access request type, the data object identifier, and a user identifier of a user of a user device; when the data object corresponding to the data object identifier is not stored in the network memory, accessing, based on the user identifier, hierarchical data access control information to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the logical memory access control file includes a list of users that have access to a particular logical memory space of the network memory and a list of corresponding access rights to data stored within the particular logical memory space; determining, based on the logical memory access control file, whether the user device has corresponding access rights to initially write the data object into the particular logical memory space; and when the user device has the corresponding access rights to initially write the data object into the particular logical memory space; creating a data object access control file for the data object, wherein the data object access control file includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file; and linking the data object access control file to the logical memory access control file. - View Dependent Claims (7, 8, 9, 10, 11)
-
-
12. A dispersed storage (DS) module comprises:
-
a first module, when operable within a computing device, causes the computing device to; in response to a data access request that includes a data access request type, a data object identifier of a data object, and a user identifier of a user of a user device, access hierarchical data access control information that includes; a plurality of logical memory access control files, wherein a logical memory access control file of the plurality of logical memory access control files includes a list of users that have access to a particular logical memory space and a list of corresponding access rights to data stored within the particular logical memory space; and a plurality of sets of data object access control files, wherein a set of data object access control files of the plurality of sets of data object access control files is associated with the logical memory access control file, wherein a data object access control file of the set of data object access control files includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file; a second module, when operable within the computing device, causes the computing device to; from the hierarchical data access control information, obtain one of the plurality of logical memory access control files based on the user identifier; determine, from the one of the plurality of logical memory access control files, whether the data access request type is within the corresponding access rights of the user device; when the data access request type is within the corresponding access rights of the user device, obtain a corresponding data object access control file from a corresponding set of data object access files of the plurality of sets of data object access control files based on the data object identifier; and determine, from the corresponding data object access control file, whether the data access request type is restricted; and a third module, when operable within the computing device, causes the computing device to; when the data access request type is not restricted, process the data access request. - View Dependent Claims (13, 14, 15, 16)
-
-
17. A dispersed storage (DS) module comprises:
-
a first module, when operable within a computing device, causes the computing device to; interpret a data access request to determine whether a data object corresponding to a data object identifier of the data access request is stored in a network memory, wherein the data access request includes a data access request type, the data object identifier, and a user identifier of a user of a user device; and when the data object corresponding to the data object identifier is not stored in the network memory, access, based on the user identifier, hierarchical data access control information to retrieve a logical memory access control file of a plurality of logical memory access control files, wherein the logical memory access control file includes a list of users that have access to a particular logical memory space of the network memory and a list of corresponding access rights to data stored within the particular logical memory space; and a second module, when operable within the computing device, causes the computing device to; determine, based on the logical memory access control file, whether the user device has corresponding access rights to initially write the data object into the particular logical memory space; and when the user device has the corresponding access rights to initially write the data object into the particular logical memory space; create a data object access control file for the data object, wherein the data object access control file includes a list of data access restrictions for one or more users of the list of users of the logical memory access control file; and link the data object access control file to the logical memory access control file. - View Dependent Claims (18, 19, 20, 21, 22)
-
Specification