Method and apparatus for managing access to storage devices in a storage system with access control
First Claim
1. A method for managing access to a storage system by a plurality of devices that are coupled to the storage system via a network, the method including acts of:
(a) in response to a non-media access request by a first of the plurality of devices to a logical device at the storage system for which the first device has no data access privileges, determining, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the logical device;
(b) authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical device;
wherein the act (a) includes an act of, in response to the non-media access request by the first device to a logical volume of data at the storage system for which the first device has no data access privileges, determining whether the first device is authorized to have non-media access to the logical volume;
wherein the act (b) includes an act of authorizing the non-media access request when it is determined in the act (a) that the first device is authorized to have non-media access to the logical volume; and
wherein the acts (a) and (b) are performed outside of the storage system.
Abstract
A storage system is provided that includes a plurality of storage devices and a data structure, accessible to the storage system, that includes a plurality of records corresponding to a plurality of network devices that are coupled to the storage system. Each record includes configuration data that identifies each of the plurality of storage devices to which data access by a respective one of the plurality of network devices is authorized. Each record may further include visibility data that identifies whether certain types of non-data access, such as requests for general information relating to a respective storage device, by a respective one of the plurality of network devices is permitted, even though data access to the respective storage device by the respective one of the plurality of network devices is not authorized.
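As an added illustration (not code from the patent or its assignee), the following Python models the filter and data structure described in the abstract and in claims 12, 23, 35 and 44: a table keyed on the requesting device's identity, whose records carry configuration data (the volumes authorized for data access) and visibility data (the volumes for which only non-media requests are permitted). The command names, the WWN-style initiator identifiers and the sample table are assumptions constructed for the example.

```python
"""Model of an access filter with separate data-access and visibility records.

Added illustration, not code from the patent.  The command classification, the
record layout and the WWN-style initiator identifiers are assumptions made for
the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    MEDIA = "media"          # reads/writes of the volume's data (READ, WRITE, ...)
    NON_MEDIA = "non-media"  # general information requests (INQUIRY, TEST UNIT READY, ...)


# Assumed classification of SCSI-style commands into non-media requests.
# Anything not listed is treated as media access, the safer default.
NON_MEDIA_COMMANDS = frozenset({"INQUIRY", "TEST_UNIT_READY", "REPORT_LUNS", "READ_CAPACITY"})


def classify(command: str) -> Access:
    return Access.NON_MEDIA if command in NON_MEDIA_COMMANDS else Access.MEDIA


@dataclass(frozen=True)
class Record:
    """One entry of the data structure: the volumes a device may access for data
    (configuration data) and the volumes it may merely see (visibility data)."""
    data_access: frozenset = field(default_factory=frozenset)
    visible: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(table: dict, initiator: str, volume: str, command: str) -> Decision:
    """Filter decision for one request.

    The lookup is keyed on the initiator's identity; a device with no record is
    denied everything.  A volume in the record's data_access set permits both
    media and non-media requests.  A volume the device cannot access for data is
    checked against the visibility data, which only ever grants non-media access.
    """
    record = table.get(initiator)
    if record is None:
        return Decision(False, f"no record for initiator {initiator}")
    kind = classify(command)
    if volume in record.data_access:
        return Decision(True, f"{kind.value} access: data access authorized")
    if kind is Access.NON_MEDIA and volume in record.visible:
        return Decision(True, "non-media access: volume visible without data access")
    return Decision(False, f"{kind.value} access denied: {volume} not configured for {initiator}")


# Constructed sample table (not from the patent): host A has data access to vol1
# and may only see vol2; host B has data access to vol2; host C has no record.
HOST_A = "20:00:00:25:b5:00:00:0a"
HOST_B = "20:00:00:25:b5:00:00:0b"
HOST_C = "20:00:00:25:b5:00:00:0c"

SAMPLE_TABLE = {
    HOST_A: Record(data_access=frozenset({"vol1"}), visible=frozenset({"vol2"})),
    HOST_B: Record(data_access=frozenset({"vol2"})),
}


def run_sample() -> list:
    """Run the filter over a constructed batch of requests; returns (request, allowed) pairs."""
    requests = [
        (HOST_A, "vol1", "WRITE"),            # data access authorized
        (HOST_A, "vol2", "INQUIRY"),          # visibility only: non-media allowed
        (HOST_A, "vol2", "READ"),             # visibility only: media denied
        (HOST_B, "vol1", "INQUIRY"),          # neither configured: denied
        (HOST_C, "vol1", "TEST_UNIT_READY"),  # unknown identity: denied
    ]
    return [(req, authorize(SAMPLE_TABLE, *req).allowed) for req in requests]


if __name__ == "__main__":
    for (initiator, volume, command), allowed in run_sample():
        print(f"{initiator} {command:16} {volume}: {'ALLOW' if allowed else 'DENY'}")
```

The order of checks is the point: data access is tested first, and the visibility data can only admit a request already classified as non-media, so a stray visibility entry cannot widen into read or write access. The filter is also only as strong as the identity it keys on; the claims say "based, at least in part, on an identity of the first device", and where that identity is an unauthenticated network address, any device that presents it reaches the same record.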
52 Claims
12. A method for managing access to a storage system by a plurality of devices that are coupled to the storage system via a network, the storage system including a plurality of logical volumes of data, the method including acts of:
(a) maintaining, in a data structure that is accessible to a filter that controls access to each of the plurality of logical volumes, configuration information identifying each logical volume of the plurality of logical volumes to which data access by a first device of the plurality of devices is authorized;
(b) in response to a non-media access request by the first device to a first logical volume for which the first device has no data access privileges, determining, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the first logical volume; and
(c) authorizing the non-media access request when it is determined in the act (b) that the first device is authorized to have non-media access to the first logical volume;
wherein the filter is outside of the storage system, and wherein the acts (a), (b), and (c) are performed outside of the storage system.
23. An apparatus for use in a computer system including a plurality of devices, a storage system, and a network that couples the plurality of devices to the storage system, the apparatus comprising:
an input to be coupled to the network; and
at least one filter, coupled to the input, that is responsive to a non-media access request by a first of the plurality of devices to a logical device at the storage system for which the first device has no data access privileges, to determine, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the logical device, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the logical device;
wherein the logical device is a logical volume of data stored at the storage system; and
wherein in response to the non-media access request by the first device to the logical volume of data at the storage system for which the first device has no data access privileges, the at least one filter determines whether the first device is authorized to have non-media access to the logical volume, and authorizes the non-media access request when it is determined that the first device is authorized to have non-media access to the logical volume; and
wherein the at least one filter and the input each is disposed outside of the storage system.
35. An apparatus for use in a computer system including a plurality of devices, a storage system, and a network that couples the plurality of devices to the storage system, the apparatus comprising:
an input to be coupled to the network;
a data structure that stores configuration information identifying each logical volume of data of a plurality of logical volumes of data stored on the storage system to which data access by a first device of the plurality of devices is authorized; and
at least one filter, coupled to the input, that is responsive to a non-media access request by the first device to a first logical volume of data of the plurality of logical volumes of data for which the first device has no data access privileges, to determine, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the first logical volume of data, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the first logical volume of data;
wherein the at least one filter, the data structure, and the input each is disposed outside of the storage system.
44. An apparatus for use in a computer system including a plurality of devices, a storage system, and a network that couples the plurality of devices to the storage system, the apparatus comprising:
an input to be coupled to the network;
a data structure that stores configuration information identifying each logical volume of data of a plurality of logical volumes of data stored on the storage system to which data access by a first device of the plurality of devices is authorized; and
at least one filter, coupled to the input, that is responsive to a non-media access request by the first device to a first logical volume of data of the plurality of logical volumes of data for which the first device has no data access privileges, to determine, based, at least in part, on an identity of the first device, whether the first device is authorized to have non-media access to the first logical volume of data, and to authorize the non-media access request when it is determined that the first device is authorized to have non-media access to the first logical volume of data;
wherein the at least one filter and the input each is disposed within the storage system, and wherein the data structure is disposed outside of the storage system.