File access control in a multi-protocol file server

US 6,457,130 B2
Filed: 03/03/1998
Issued: 09/24/2002
Est. Priority Date: 03/03/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of operating a file server, said method including steps foridentifying a first file on said file server with a first security style selected from among a plurality of security styles;

and enforcing said first security style for all accesses to said file server;

wherein said steps for enforcing include steps for recognizing a first set of permissions associated with said first file in said first security style;

defining a first user type associated with said firsts security style;

translating a user from a second user type associated with a second security style into said first user type; and

enforcing a file server request from said second user type using said first user type and said first set of permissions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a method and system for enforcing file access control among client devices using multiple diverse access control models and multiple diverse file server protocols. A multi-protocol file server identifies each file with one particular access control model out of a plurality of possible models, and enforces that one particular model for all accesses to that file. When the file server receives a file server request for that file using a different access control model, the file server translates the access control limits for that file into no-less-restrictive limits in the different model. The file server restricts access by the client device using the translated access control limits. Each file is assigned the access control model of the user who created the file or who last set access control limits for the file. When a user having a different access control model sets access control limits, the access control model for the file is changed to the new model. Files are organized in a tree hierarchy, in which each tree is limited to one or more access control models (which can limit the ability of users to set access control limits for files in that tree). Each tree can be limited to NT-model-only format, Unix-model-only format, or mixed NT-or-Unix-models format.

Citations

60 Claims

1. A method of operating a file server, said method including steps foridentifying a first file on said file server with a first security style selected from among a plurality of security styles;
- and enforcing said first security style for all accesses to said file server;
  
  wherein said steps for enforcing include steps for recognizing a first set of permissions associated with said first file in said first security style;
  
  defining a first user type associated with said firsts security style;
  
  translating a user from a second user type associated with a second security style into said first user type; and
  
  enforcing a file server request from said second user type using said first user type and said first set of permissions.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method as in claim 1, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time of said steps for enforcing.
  - 3. A method as in claim 1, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 4. A method as in claim 1, further comprising the step of caching the translation.
  - 5. A method as in claim 4, wherein the steps for recognizing, defining, translating and caching can be performed statically at a time that said access control limits are either set of reset.

6. A method of operating a file server, said method including steps foridentifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems implemented on said file server;
- and enforcing said first security style for all accesses to said first file;
  
  wherein said steps for enforcing include steps for translating a first set of permissions associated with said first file in said first security style to a second set of permissions in a second security style, wherein said second set of permissions is no less restrictive that said first set of permissions; and
  
  enforcing a file server request in said second security style using said second set of permissions.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. A method as in claim 6, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time of said steps for enforcing.
  - 8. A method as in claim 6, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 9. A method as in claim 6, further comprising steps for caching the translation.
  - 10. A method as in claim 9, wherein steps for translating are performed dynamically and occur approximately when the steps for enforcing take place.
  - 11. A method as in claim 9, wherein said steps for translating are performed statically and occur approximately when said access control limits are set or reset.

12. A method of operating a file server, said method including steps foridentifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems;
- enforcing said first security style for all accesses to said file server; and
  
  identifying said first file with a second security style selected from among the plurality of security styles in response to a file server request;
  
  wherein said steps for identifying include steps for translating a first set of permissions associated with said first file in said first security style to a second set of permissions in said second security style, wherein said second set of permissions is no less restrictive than said first set of permissions.
- View Dependent Claims (13, 14)
- - 13. A method as in claim 12, wherein the steps for translating include mapping NT access control limits into a no less restrictive set of Unix Perms.
  - 14. A method as in claim 12, wherein the steps for translating include mapping a set of Unix Perms into a set of no less restrictive NT access control limits.

15. A file server includinga set of files available on said file server, each said file having an associated security style selected from among a plurality of security styles corresponding to a plurality of operating systems available on said file server;
- wherein said file server enforces said associated security style for all accesses to said file;
  
  wherein said file server is capable of altering the security style associated with said file in response to a file server request; and
  
  wherein said file server is capable of translating a first set of permissions associated with said file in a first security style to a second set of permissions in a second security style, wherein said second set of permissions is no less restrictive than said first set of permissions.

16. A file server comprisinginterfaces to one or more client devices;
- a file system;
  
  a processor operating under program control to cause the file server to perform file server operations on the file system and to communicate with the client devices; and
  
  storage for the program control, the program control comprising steps for (a) identifying a first file on said file server with a first security style selected from among a plurality of security styles, and (b) enforcing said first security style for all accesses to said file server, wherein said steps for enforcing include steps for (c) recognizing a first set of permissions associated with said first file in said first security style, (d) defining a first user type associated with said firsts security style, (e) translating a user from a second user type associated with a second security style into said first user type, and (f) enforcing a file server request from said second user type using said first user type and said first set of permissions.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A file server as in claim 16, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time of said steps for enforcing.
  - 18. A file server as in claim 16, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 19. A file server as in claim 16, wherein the program control further comprises steps for caching the translation.
  - 20. A file server as in claim 19, wherein the steps for recognizing, defining, translating and caching can be performed statically at a time that said access control limits are either set of reset.

21. A file server comprisinginterfaces to one or more client devices;
- a file system;
  
  a processor operating under program control to cause the file server to perform file server operations on the file system and to communicate with the client devices; and
  
  storage for the program control, the program control comprising steps for (a) identifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems implemented on said file server, and (b) enforcing said first security style for all accesses to said first file, wherein said steps for enforcing include steps for (c) translating a first set of permissions associated with said first file in said first security style to a second set of permissions in a second security style, wherein said second set of permissions is no less restrictive that said first set of permissions, and (d) enforcing a file server request in said second security style using said second set of permissions.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. A file server as in claim 21, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time of said steps for enforcing.
  - 23. A file server as in claim 21, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 24. A filer server as in claim 21, wherein the program control further comprises steps for caching the translation.
  - 25. A file server as in claim 24, wherein steps for translating are performed dynamically and occur approximately when the steps for enforcing take place.
  - 26. A file server as in claim 24, wherein said steps for translating are performed statically and occur approximately when said access control limits are set or reset.

27. A file server comprisinginterfaces to one or more client devices;
- a file system;
  
  a processor operating under program control to cause the file server to perform file server operations on the file system and to communicate with the client devices; and
  
  storage for the program control, the program control comprising steps for (a) identifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems, (b) enforcing said first security style for all accesses to said file server, and (c) identifying said first file with a second security style selected from among the plurality of security styles in response to a file server request, wherein said steps for identifying include steps for translating a first set of permissions associated with said first file in said first security style to a second set of permissions in said second security style, and wherein said second set of permissions is no less restrictive than said first set of permissions.
- View Dependent Claims (28, 29)
- - 28. A file server as in claim 27, wherein the steps for translating include mapping NT access control limits into a no less restrictive set of Unix Perms.
  - 29. A file server as in claim 27, wherein the steps for translating include mapping a set of Unix Perms into a set of no less restrictive NT access control limits.

30. Storage for instructions, the instructions executable by a processor to perform file server operations, the instructions comprising steps foridentifying a first file on said file server with a first security style selected from among a plurality of security styles;
- and enforcing said first security style for all accesses to said file server;
  
  wherein said steps for enforcing include steps for recognizing a first set of permissions associated with said first file in said first security style;
  
  defining a first user type associated with said firsts security style;
  
  translating a user from a second user type associated with a second security style into said first user type; and
  
  enforcing a file server request from said second user type using said first user type and said first set of permissions.
- View Dependent Claims (31, 32, 33, 34)
- - 31. Storage as in claim 30, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time of said steps for enforcing.
  - 32. Storage as in claim 30, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 33. Storage as in claim 30, wherein the program control further comprises steps for caching the translation.
  - 34. Storage as in claim 33, wherein the steps for recognizing, defining, translating and caching can be performed statically at a time that said access control limits are either set of reset.

35. Storage for instructions, the instructions executable by a processor to perform file server operations, the instructions comprising steps foridentifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems implemented on said file server;
- and enforcing said first security style for all accesses to said first file;
  
  wherein said steps for enforcing include steps for translating a first set of permissions associated with said first file in said first security style to a second set of permissions in a second security style, wherein said second set of permissions is no less restrictive that said first set of permissions; and
  
  enforcing a file server request in said second security style using said second set of permissions.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. Storage as in claim 35, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time of said steps for enforcing.
  - 37. Storage as in claim 35, wherein said steps for translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 38. Storage as in claim 35, wherein the instructions further comprises steps for caching the translation.
  - 39. Storage as in claim 38, wherein steps for translating are performed dynamically and occur approximately when the steps for enforcing take place.
  - 40. Storage as in claim 38, wherein said steps for translating are performed statically and occur approximately when said access control limits are set or reset.

41. Storage for instructions, the instructions executable by a processor to perform file server operations, the instructions comprising steps foridentifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems;
- enforcing said first security style for all accesses to said file server; and
  
  identifying said first file with a second security style selected from among the plurality of security styles in response to a file server request;
  
  wherein said steps for identifying include steps for translating a first set of permissions associated with said first file in said first security style to a second set of permissions in said second security style; and
  
  wherein said second set of permissions is no less restrictive than said first set of permissions.
- View Dependent Claims (42, 43)
- - 42. Storage as in claim 41, wherein the steps for translating include mapping NT access control limits into a no less restrictive set of Unix Perms.
  - 43. Storage as in claim 41, wherein the steps for translating include mapping a set of Unix Perms into a set of no less restrictive NT access control limits.

44. A method of operating a file server, said method including steps ofidentifying a first file on said file server with a first security style selected from among a plurality of security styles;
- and enforcing said first security style for all accesses to said file server;
  
  wherein said steps of enforcing include steps of recognizing a first set of permissions associated with said first file in said first security style;
  
  defining a first user type associated with said firsts security style;
  
  translating a user from a second user type associated with a second security style into said first user type; and
  
  enforcing a file server request from said second user type using said first user type and said first set of permissions.
- View Dependent Claims (45, 46, 47, 48)
- - 45. A method as in claim 44, wherein said steps of translating are performed with regard to access control limits applicable to said first file at a time of said steps of enforcing.
  - 46. A method as in claim 44, wherein said steps of translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 47. A method as in claim 44, further comprising the step of caching the translation.
  - 48. A method as in claim 47, wherein the steps of recognizing, defining, translating and caching can be performed statically at a time that said access control limits are either set of reset.

49. A method of operating a file server, said method including steps ofidentifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems implemented on said file server;
- and enforcing said first security style for all accesses to said first file;
  
  wherein said steps of enforcing include steps of translating a first set of permissions associated with said first file in said first security style to a second set of permissions in a second security style, wherein said second set of permissions is no less restrictive that said first set of permissions; and
  
  enforcing a file server request in said second security style using said second set of permissions.
- View Dependent Claims (50, 51, 52, 53, 54)
- - 50. A method as in claim 49, wherein said steps of translating are performed with regard to access control limits applicable to said first file at a time of said steps of enforcing.
  - 51. A method as in claim 49, wherein said steps of translating are performed with regard to access control limits applicable to said first file at a time said access control limits are set.
  - 52. A method as in claim 49, further comprising steps of caching the translation.
  - 53. A method as in claim 52, wherein steps of translating are performed dynamically and occur approximately when the steps of enforcing take place.
  - 54. A method as in claim 52, wherein said steps of translating are performed statically and occur approximately when said access control limits are set or reset.

55. A method of operating a file server, said method including steps ofidentifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems;
- enforcing said first security style for all accesses to said file server; and
  
  identifying said first file with a second security style selected from among the plurality of security styles in response to a file server request;
  
  wherein said steps of identifying include steps of translating a first set of permissions associated with said first file in said first security style to a second set of permissions in said second security style, wherein said second'"'"'set of permissions is no less restrictive than said first set of permissions.
- View Dependent Claims (56, 57)
- - 56. A method as in claim 55, wherein the steps of translating include mapping NT access control limits into a no less restrictive set of Unix Perms.
  - 57. A method as in claim 55, wherein the steps of translating include mapping a set of Unix Perms into a set of no less restrictive NT access control limits.

58. A file server comprisingmeans for identifying a first file on said file server with a first security style selected from among a plurality of security styles;
- and means for enforcing said first security style for all accesses to said file server;
  
  wherein said means for enforcing include means for recognizing a first set of permissions associated with said first file in said first security style;
  
  means for defining a first user type associated with said firsts security style;
  
  means for translating a user from a second user type associated with a second security style into said first user type; and
  
  means for enforcing a file server request from said second user type using said first user type and said first set of permissions.

59. A file server comprisingmeans for identifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems implemented on said file server;
- and means for enforcing said first security style for all accesses to said first file;
  
  wherein said means for enforcing include means for translating a first set of permissions associated with said first file in said first security style to a second set of permissions in a second security style, wherein said second set of permissions is no less restrictive that said first set of permissions; and
  
  means for enforcing a file server request in said second security style using said second set of permissions.

60. A file server comprisingmeans for identifying a first file on said file server with a first security style selected from among a plurality of security styles corresponding to a plurality of operating systems;
- means for enforcing said first security style for all accesses to said file server; and
  
  means for identifying said first file with a second security style selected from among the plurality of security styles in response to a file server request;
  
  wherein said means for identifying include means for translating a first set of permissions associated with said first file in said first security style to a second set of permissions in said second security style, wherein said second set of permissions is no less restrictive than said first set of permissions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
Network Appliance Incorporated (NetApp, Inc.)
Inventors
Hawley, Robert J., Pearson, Joan, Hitz, David, Muhlestein, Mark, Borr, Andrea
Primary Examiner(s)
Iqbal, Nadeem

Application Number

US09/035,234
Publication Number

US 20010039622A1
Time in Patent Office

1,666 Days
Field of Search

713/201, 713/200, 713/202, 714/38, 714/39, 714/47, 340/825.31, 340/825.34, 395/609, 395/610, 395/600, 380/25, 380/49, 380/4, 380/23, 711/163, 711/164
US Class Current

726/27
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

G06F 21/6236   between heterogeneous systems

G06F 2221/2141   Access rights, e.g. capabil...

File access control in a multi-protocol file server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

File access control in a multi-protocol file server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links