Distributed data structures for authorization and access control for computing resources
First Claim
1. An information storage management system in a first administrative domain administered by a first organization, comprising:
- a collection of stored objects in the first administrative domain administered by the first organization;
- an access control unit in the first administrative domain administered by the first organization for determining if a requester is authorized to access a protected object stored in the collection in the first administrative domain administered by the first organization;
- a resource manager connected to the access control unit and to a communications channel;
- wherein the resource manager receives a user's request for access to the protected object in the first administrative domain administered by the first organization, the request including a globally unique identifier for the user requesting the access, and in response to the user's request, the resource manager sends over the communications channel to an external storage management system in a second administrative domain administered by a second organization that is different from the first organization, a resource manager request for information about the user, the resource manager request including the globally unique identifier; and
- wherein the resource manager upon receiving a response to the resource manager request from the external storage management system passes the user information to the access control unit in the first administrative domain administered by the first organization; and
- wherein responsive to the user information the access control unit determines whether to authorize the user for access to the protected object.
Abstract
The invention relates to using a universally unique identifier in a database to uniquely identify a user, both within and outside of the database system. A storage system, according to the invention, includes a first storage area having an object stored therein; and a second storage area having stored therein an object identifier that identifies the object. The object identifier is unique within and outside of the storage system, and can be a Universal Unique Identifier (UUID). The invention also relates to methods for storing and retrieving objects identified based on the unique identifier.
7 Claims
1. An information storage management system in a first administrative domain administered by a first organization, comprising the elements set out in full under First Claim above. Dependent claims: 2, 3.
4. An information storage management system in a first administrative domain administered by a first organization, comprising:
- a collection of stored objects in the first administrative domain administered by the first organization;
- an access control unit in the first administrative domain administered by the first organization for determining if a requestor is authorized to access a protected object stored in the collection in the first administrative domain administered by the first organization;
- a resource manager connected to the access control unit and to a communications channel;
- wherein the resource manager receives a user's request for access to the protected object in the first administrative domain administered by the first organization, the request including a globally unique identifier for the user requesting the access, and in response to the user's request the resource manager resolves the globally unique identifier to a user identifier recognized by an external storage management system in a second administrative domain administered by a second organization that is different from the first organization, the resource manager sending to the external storage management system a resource manager request for information about the user, the resource manager request including the resolved user identifier; and
- wherein the resource manager upon receiving a response to the resource manager request from the external storage management system passes the user information to the access control unit in the first administrative domain administered by the first organization; and
- wherein responsive to the user information the access control unit determines whether to authorize the user for access to the protected object.
Dependent claims: 5, 6, 7.
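The flow described in claims 1 and 4, as an added Python model that is not the patent's own code: the resource manager in the first domain resolves the globally unique identifier to the identifier the external system recognizes (claim 4), fetches user information from the second domain, and hands it to the first domain's access control unit, which alone makes the decision. Organisation names, group attributes, object names and GUID values are constructed for the example.

```python
from typing import Dict, Optional, Set, Tuple
import uuid
# Constructed sample identifiers: one GUID per user, plus one registered nowhere.
ALICE = uuid.UUID("12345678-1234-5678-1234-567812345678")
BOB = uuid.UUID("87654321-4321-8765-4321-876543218765")
UNKNOWN = uuid.UUID("00000000-0000-0000-0000-000000000000")

class ExternalStorageManagementSystem:
    """Second administrative domain (org B): answers 'who is this user' only."""

    def __init__(self, name: str, users: Dict[str, Dict]):
        self.name = name
        self.users = users  # local user id -> user information (attributes)

    def user_info(self, local_user_id: str) -> Optional[Dict]:
        return self.users.get(local_user_id)

class AccessControlUnit:
    """First administrative domain (org A): the only place a decision is made."""

    def __init__(self, acl: Dict[str, Set[str]]):
        self.acl = acl  # protected object -> groups allowed to access it

    def authorize(self, user_info: Optional[Dict], obj: str) -> bool:
        # Fail closed: missing user information or an object absent from the ACL is a denial.
        if user_info is None or obj not in self.acl:
            return False
        return bool(self.acl[obj] & set(user_info.get("groups", ())))

class ResourceManager:
    """Front door of org A; talks to org B over the communications channel."""

    def __init__(self, acu: AccessControlUnit, external: ExternalStorageManagementSystem,
                 guid_map: Dict[uuid.UUID, Tuple[str, str]]):
        self.acu, self.external = acu, external
        self.guid_map = guid_map  # GUID -> (domain, identifier recognized there): claim 4

    def request(self, guid: uuid.UUID, obj: str) -> bool:
        target = self.guid_map.get(guid)
        if target is None or target[0] != self.external.name:
            return False  # GUID cannot be resolved to the external domain: deny
        info = self.external.user_info(target[1])  # resource manager request and response
        return self.acu.authorize(info, obj)  # the verdict stays with org A's ACU

def build_demo() -> ResourceManager:
    external = ExternalStorageManagementSystem(
        "org-b", {"alice": {"groups": ["auditors"]}, "bob": {"groups": ["staff"]}})
    acu = AccessControlUnit({"ledger.db": {"auditors"}})
    return ResourceManager(acu, external, {ALICE: ("org-b", "alice"), BOB: ("org-b", "bob")})
```

The external system is treated as authoritative for user attributes only; it never returns an allow/deny verdict, so a compromised or misconfigured second domain cannot grant access beyond what the first domain's ACL already permits.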