Hierarchy-aware role-based access control
Abstract
A method, apparatus, and system are described herein, in which system resources and operations are assigned to roles in a role-based access control (RBAC) system, and the roles are assigned to a plurality of users. The RBAC system is used to resolve a client request to perform an operation on a resource, using a hierarchy of the plurality of resources to determine whether the user is permitted to perform the operation on a parent of the resource in that hierarchy. The RBAC system also determines that the user is permitted to perform the operation on the resource if a user group to which the user belongs has the required access.
16 Claims
1. A method comprising:
authenticating a user of a client when the user logs on to a storage management system;
upon successfully authenticating the user, determining a set of roles of the user and capabilities of the user in each of the determined roles, and caching the determined roles and capabilities of the user in a cache coupled to an access permission database;
receiving a request from the user to perform a first operation from a plurality of operations on a first resource from a plurality of storage system resources, wherein the storage system resources are organized as a hierarchy of containers and include at least a volume and an aggregate; and
performing an RBAC (Role-Based Access Control) access check to resolve the request using entries stored in the cache, wherein performing the RBAC access check further comprises:
identifying the entries in the cache having a role parameter matching one of the determined roles of the user and an operation parameter matching the first operation;
determining whether at least one of the identified entries has a resource parameter that matches the first resource or matches a parent resource of the first resource, wherein the parent resource is a container within which the first resource is located; and
upon determination that a match of the first resource or a match of the parent resource exists, granting access permission to the user of the client to perform the first operation on the first resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
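The check described in the abstract and in claim 1, as an added worked example in Python; this is not the patent's own code and nothing in it is the claimed implementation. The resource hierarchy, resource and role names, permission triples, group memberships and credentials are all constructed for the example (the claims name only a volume and an aggregate; the root "storage_system" node is an assumption). "Parent resource" is read here as any enclosing container, so the check walks every level up to the root rather than only one level, and roles granted through a user group are merged with the user's direct roles as the abstract describes. The check is deny-by-default: a request on an unknown resource, or one that no cached entry covers, is refused.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, Optional, Set, Tuple

# --- Constructed sample data (assumptions for this example, not from the patent) ---
# Resource hierarchy as child -> parent container. None marks the root.
PARENT: Dict[str, Optional[str]] = {
    "storage_system": None,
    "aggr0": "storage_system",
    "aggr1": "storage_system",
    "vol_finance": "aggr0",
    "vol_eng": "aggr0",
    "vol_backup": "aggr1",
}

# Access-permission database: (role, operation, resource) entries.
PERMISSION_DB: Set[Tuple[str, str, str]] = {
    ("vol_admin", "snapshot", "aggr0"),      # granted on the container
    ("vol_admin", "resize", "vol_eng"),      # granted on a single volume
    ("backup_op", "snapshot", "vol_backup"),
}

USER_ROLES: Dict[str, Set[str]] = {"alice": {"vol_admin"}, "bob": set(), "carol": set()}
USER_GROUPS: Dict[str, Set[str]] = {"alice": set(), "bob": {"backup_team"}, "carol": set()}
GROUP_ROLES: Dict[str, Set[str]] = {"backup_team": {"backup_op"}}
# Placeholder secrets so login() is runnable offline; a real system verifies a
# salted password hash or delegates to an identity provider.
CREDENTIALS: Dict[str, str] = {"alice": "a-pw", "bob": "b-pw", "carol": "c-pw"}


@dataclass(frozen=True)
class Entry:
    role: str
    operation: str
    resource: str


@dataclass(frozen=True)
class Session:
    """Per-login cache of the user's effective roles and their capabilities."""
    user: str
    roles: FrozenSet[str]
    entries: FrozenSet[Entry]


def login(user: str, secret: str) -> Optional[Session]:
    """Authenticate, then resolve roles (direct and via groups) and cache them."""
    stored = CREDENTIALS.get(user)
    if stored is None or not hmac.compare_digest(stored, secret):
        return None
    roles = set(USER_ROLES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    entries = {Entry(r, o, res) for (r, o, res) in PERMISSION_DB if r in roles}
    return Session(user, frozenset(roles), frozenset(entries))


def containers_of(resource: str) -> Iterator[str]:
    """Yield the resource itself, then each enclosing container up to the root."""
    node: Optional[str] = resource
    while node is not None:
        yield node
        node = PARENT[node]


def rbac_check(session: Session, operation: str, resource: str) -> bool:
    """Hierarchy-aware RBAC check that consults only the cached entries."""
    if resource not in PARENT:          # unknown resource: deny
        return False
    # Entries whose role is one of the user's roles and whose operation matches.
    candidates = {e.resource for e in session.entries
                  if e.role in session.roles and e.operation == operation}
    # Grant if an entry names the resource or any container that encloses it.
    return any(node in candidates for node in containers_of(resource))


if __name__ == "__main__":
    alice = login("alice", "a-pw")
    assert alice is not None
    print(rbac_check(alice, "snapshot", "vol_finance"))   # True, via aggr0
    print(rbac_check(alice, "snapshot", "vol_backup"))    # False, other aggregate
    bob = login("bob", "b-pw")
    assert bob is not None
    print(rbac_check(bob, "snapshot", "vol_backup"))      # True, role via group
```

Because roles and capabilities are snapshotted into the Session at login, removing an entry from PERMISSION_DB or a role from USER_ROLES does not affect an existing session: the stale cache keeps granting until the session is dropped and the user logs on again. A deployment of this design needs an explicit invalidation path from the permission database to the cache, or revocation is only as fast as session expiry.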
9. A processing system comprising:
a processor;
a network interface through which to communicate with a plurality of storage device resources over a network; and
a storage facility storing:
the plurality of storage device resources, which are organized as a hierarchy of containers and include at least a volume and an aggregate,
an access permission database,
a cache coupled to the access permission database, the cache being adapted to cache a set of roles of a user of a client and capabilities of the user in each of the roles when the user logs on to the processing system and is successfully authenticated; and
an RBAC (Role-Based Access Control) module, for execution by the processor, to:
identify entries from the cache in response to a request from the user, each of the identified entries having a role parameter matching one of the roles of the user, and each of the identified entries having an operation parameter matching a requested operation specified in the request,
determine whether a resource parameter of any of the identified entries matches a requested resource of the storage device resources or matches a parent resource of the requested resource, wherein the parent resource is a container within which the requested resource is located, and
upon determination that a match of the requested resource or a match of the parent resource exists, grant permission to the user to perform the requested operation on the requested resource.
Dependent claims: 10, 11, 12.
13. A method comprising:
authenticating a user of a client when the user logs on to a network server;
upon successfully authenticating the user, determining a set of roles of the user and capabilities of the user in each of the determined roles, and caching the determined roles and capabilities of the user in a cache coupled to an access permission database, wherein the network server provides a role-based access control (RBAC) system adapted to assign storage system resources and operations to a plurality of roles, assign the plurality of roles to a plurality of users, and perform an RBAC access check to resolve a request from the user using entries stored in the cache, wherein the storage system resources are organized as a hierarchy of containers and include at least a volume and an aggregate, and wherein performing the RBAC access check comprises:
identifying, from the cache, entries having a role parameter matching one of the determined roles of the user, and having an operation parameter matching a requested operation specified in the request;
determining whether a resource parameter of any of the identified entries matches a requested resource of the storage system resources or a parent resource of the requested resource, wherein the parent resource is a container within which the requested resource is located; and
upon determination that a match of the requested resource or a match of the parent resource exists, granting access permission to the user to perform the requested operation on the requested resource.
Dependent claims: 14, 15, 16.