Hierarchy-aware role-based access control

US 8,402,514 B1
Filed: 11/17/2006
Issued: 03/19/2013
Est. Priority Date: 11/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

authenticating a user of a client when the user logs on to a storage management system;

upon successfully authenticating the user, determining a set of roles of the user and capabilities of the user in each of the determined roles, and caching the determined roles and capabilities of the user in a cache coupled to an access permission database;

receiving a request from the user to perform a first operation from a plurality of operations on a first resource from a plurality of storage system resources, wherein the storage system resources are organized as a hierarchy of containers and include at least a volume and an aggregate; and

performing an RBAC (Role-Based Access Control) access check to resolve the request using entries stored in the cache, wherein performing the RBAC access check further comprises;

identifying the entries in the cache having a role parameter matching one of the determined roles of the user and an operation parameter matching the first operation;

determining whether at least one of the identified entries has a resource parameter that matches the first resource or matches a parent resource of the first resource, wherein the parent resource is a container within which the first resource is located; and

upon determination that a match of the first resource or a match of the parent resource exists, granting access permission to the user of the client to perform the first operation on the first resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and system are described herein, in which system resources and operations are assigned to roles in a role-based access control system, and the roles are assigned to a plurality of users. An RBAC system is used to resolve the client request to perform an operation on a resource, the RBAC system using a hierarchy of the plurality of resources to determine if a user is permitted to perform the operation on a parent of the resource in the hierarchy of resources. The RBAC system also determines if a user is permitted to perform the operation on the resource if a user group to which the user belongs to has the required access.

Citations

16 Claims

1. A method comprising:
- authenticating a user of a client when the user logs on to a storage management system;
  
  upon successfully authenticating the user, determining a set of roles of the user and capabilities of the user in each of the determined roles, and caching the determined roles and capabilities of the user in a cache coupled to an access permission database;
  
  receiving a request from the user to perform a first operation from a plurality of operations on a first resource from a plurality of storage system resources, wherein the storage system resources are organized as a hierarchy of containers and include at least a volume and an aggregate; and
  
  performing an RBAC (Role-Based Access Control) access check to resolve the request using entries stored in the cache, wherein performing the RBAC access check further comprises;
  
  identifying the entries in the cache having a role parameter matching one of the determined roles of the user and an operation parameter matching the first operation;
  
  determining whether at least one of the identified entries has a resource parameter that matches the first resource or matches a parent resource of the first resource, wherein the parent resource is a container within which the first resource is located; and
  
  upon determination that a match of the first resource or a match of the parent resource exists, granting access permission to the user of the client to perform the first operation on the first resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, further comprising:
    - storing a knowledge of the hierarchy of containers in a network server.
  - 3. The method as recited in claim 2, wherein the knowledge of the hierarchy of containers is determined by a storage management system.
  - 4. The method as recited in claim 1, further comprising:
    - determining whether a user group to which the user of the client belongs has permission to perform the first operation on the first resource.
  - 5. The method as recited in claim 1, further comprising:
    - determining whether a user group to which the user of the client belongs has permission to perform the first operation on the parent of the first resource as defined by the hierarchy of containers.
  - 6. The method as recited in claim 1, wherein the hierarchy of containers indicates that one or more containers are contained within another resource container.
  - 7. The method as recited in claim 5, further comprising:
    - caching information about results of the determination of whether the user group to which the client belongs has permission to perform the first operation on at least one of the first resource or the parent of the first resource; and
      
      using the cached information to resolve a third request from the client to perform the first operation on the first resource, wherein the third request is received subsequent to the first request.
  - 8. The method recited in claim 4, wherein the determined capabilities of the user comprise a capability to perform an action required by a workflow.

9. A processing system comprising:
- a processor;
  
  a network interface through which to communicate with a plurality of storage devices resources over a network; and
  
  a storage facility storing;
  
  the plurality of storage device resources, which are organized as a hierarchy of containers and include at least a volume and an aggregate,an access permission database,a cache coupled to the access permission database, the cache being adapted to cache a set of roles of a user of a client and capabilities of the user in each of the roles when the user logs on to the processing system and is successfully authenticated; and
  
  an RBAC (Role-Based Access Control) module, for execution by the processor, to;
  
  identify entries from the cache in response to a request from the user, each of the identified entries having a role parameter matching one of the roles of the user, and each of the identified entries having an operation parameter matching a requested operation specified in the request,determine whether a resource parameter of any of the identified entries matches a requested resource of the storage device resources or matches a parent resource of the requested resource, wherein the parent resource is a container within which the requested resource is located, andupon determination that a match of the requested resource or a match of the parent resource exists, grant permission to the user to perform the requested operation on the requested resource.
- View Dependent Claims (10, 11, 12)
- - 10. The system of claim 9, wherein the access permission database is adapted to store hierarchy information for the storage device resources.
  - 11. The system of claim 10, wherein the RBAC module is to query the cache to determine if one or more roles associated with the user of the client is permitted to perform the requested operation on the requested resource or the parent of the requested resource.
  - 12. The system of claim 9, wherein the determined capabilities of the user comprise a capability to perform an action required by a workflow.

13. A method comprising:
- authenticating a user of a client when the user logs on to a network server;
  
  upon successfully authenticating the user, determining a set of roles of the user and capabilities of the user in each of the determined roles, and caching the determined roles and capabilities of the user in a cache coupled to an access permission database,wherein the network server provides a role-based access control (RBAC) system adapted to assign storage system resources and operations to a plurality of roles, assign the plurality of roles to a plurality of users, and perform an RBAC access check to resolve a request from the user using entries stored in the cache,wherein the storage system resources are organized as a hierarchy of containers and include at least a volume and an aggregate,andwherein performing the RBAC access check comprises;
  
  identifying, from the cache, entries having a role parameter matching one of the determined roles of the user, and having a operation parameter matching a requested operation specified in the request;
  
  determining whether a resource parameter of any of the identified entries matches a requested resource of the storage system resources or a parent resource of the requested resource, wherein the parent resource is a container within which the requested resource is located; and
  
  upon determination that a match of the requested resource or a match of the parent resource exists, granting access permission to the user to perform the requested operation on the requested resource.
- View Dependent Claims (14, 15, 16)
- - 14. The method recited in claim 13, further comprising:
    - upon receiving the request from the user to perform the requested operation on the requested resource, determining a user group to which user belongs;
      
      performing the RBAC access check by determining whether the user group can perform the requested operation on the requested resource; and
      
      caching results of the RBAC access check on the network server.
  - 15. The method as recited in claim 13, wherein the hierarchy of containers is determined by a storage management system and stored on the access permission database on the network server.
  - 16. The method recited in claim 13, wherein the determined capabilities of the user comprises a capability to perform an action required by a workflow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
Network Appliance Incorporated (NetApp, Inc.)
Inventors
Thompson, Timothy J., Holl, James Hartwell II, Durant, William Raoul
Primary Examiner(s)
Dinh, Minh

Application Number

US11/601,100
Time in Patent Office

2,314 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

Hierarchy-aware role-based access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchy-aware role-based access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links