System for controlling access to resources in a storage area network

US 6,968,463 B2
Filed: 01/17/2001
Issued: 11/22/2005
Est. Priority Date: 01/17/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for implementing security management in a storage area network including at least one storage resource user, an data storage RAID controller, and a data storage array coupled to the controller, the method comprising the steps of:

granting access to data storage areas on disks in the storage array to specific storage resource users of the at least one storage resource user;

storing, in a table of approved entities in non-volatile memory in the controller, indicia of data storage areas on disks in the storage array accessible to any storage resource user that has been granted access to data storage areas on disks in the storage array;

storing, in a table of not-yet-approved entities in volatile memory in the controller, indicia of any of the at least one storage resource user that have not been granted access to data storage areas on disks in the storage array;

requesting access to the areas by sending at least the identifying indicia from the storage resource user to the resource provider; and

examining the table of approved entities for the identifying indicia to determine whether any of the data storage areas are available to the requesting storage resource user;

wherein, if the data storage areas are determined to be available to the storage resource user requesting access to the data storage areas, then allowing the storage resource user to access the data storage areas;

otherwise, if no the data storage areas are determined to be available to the requesting storage resource user, then storing the identifying indicia in the table of not-yet-approved entities;

uploading the table of not-yet-approved entities from the controller;

selecting the identifying indicia corresponding to a storage resource user, from the table of not-yet-approved entities;

selecting, from the list of available data storage areas, the data storage areas to be made available to the storage resource user;

sending association information to the controller, the association information including a list of the data storage areas to be made available to the storage resource user and the identifying indicia corresponding to a storage resource user; and

allocating, to the storage resource user, the data storage areas included in the association information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for implementing security management in a storage area network by controlling access to network resources. Initially, a resource provider communicates with potential resource users, such as host computers, servers, and workstations, to allow the users to discover the resources available on the storage area network. Resource users that have not previously logged in to a particular resource supply identification information to the resource provider, which places the information in a ‘not yet approved entity’ table. The ‘not yet approved entity’ table is made available to a management station. An administrator, using the management station, then determines whether to authorize use of resources. If access to the requested resource is allowed, the resource user identification information is stored in an ‘approved entity’ table. A login is then allowed by the resource user to the selected resource. Once a resource user has initially logged in, connection information is maintained in the ‘approved entity’ table facilitating subsequent log-in attempts by the resource user.

68 Citations

View as Search Results

6 Claims

1. A method for implementing security management in a storage area network including at least one storage resource user, an data storage RAID controller, and a data storage array coupled to the controller, the method comprising the steps of:
- granting access to data storage areas on disks in the storage array to specific storage resource users of the at least one storage resource user;
  
  storing, in a table of approved entities in non-volatile memory in the controller, indicia of data storage areas on disks in the storage array accessible to any storage resource user that has been granted access to data storage areas on disks in the storage array;
  
  storing, in a table of not-yet-approved entities in volatile memory in the controller, indicia of any of the at least one storage resource user that have not been granted access to data storage areas on disks in the storage array;
  
  requesting access to the areas by sending at least the identifying indicia from the storage resource user to the resource provider; and
  
  examining the table of approved entities for the identifying indicia to determine whether any of the data storage areas are available to the requesting storage resource user;
  
  wherein, if the data storage areas are determined to be available to the storage resource user requesting access to the data storage areas, then allowing the storage resource user to access the data storage areas;
  
  otherwise, if no the data storage areas are determined to be available to the requesting storage resource user, then storing the identifying indicia in the table of not-yet-approved entities;
  
  uploading the table of not-yet-approved entities from the controller;
  
  selecting the identifying indicia corresponding to a storage resource user, from the table of not-yet-approved entities;
  
  selecting, from the list of available data storage areas, the data storage areas to be made available to the storage resource user;
  
  sending association information to the controller, the association information including a list of the data storage areas to be made available to the storage resource user and the identifying indicia corresponding to a storage resource user; and
  
  allocating, to the storage resource user, the data storage areas included in the association information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the indicia comprise the node World Wide Name and port World Wide Name for the storage resource user.
  - 3. The method of claim 1, including the step of providing notification to the storage resource user that a resource is available on the storage area network.
  - 4. The method of claim 1, wherein the data storage areas comprise logical units.
  - 5. The method of claim 4, including storing the data storage areas to be made available to the storage resource user in a LUN access map in the table of approved entities.
  - 6. The method of claim 5, wherein each command received from the storage resource user is checked by the controller against the LUN access map for authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Walker, Michael Dean, Shen, Diana, Pherson, James E., Guttormson, Paul D.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Sherkat, Arezoo

Application Number

US09/761,938
Publication Number

US 20020095602A1
Time in Patent Office

1,770 Days
Field of Search

711/114, 711/167, 711163-164, 709/229, 713182-185, 713/201, 707/9
US Class Current

726/3
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

System for controlling access to resources in a storage area network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

6 Claims

Specification

Use Cases

Quick Links

Others

System for controlling access to resources in a storage area network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

6 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others