System and method for storage operation access security

US 8,447,728 B2
Filed: 09/30/2011
Issued: 05/21/2013
Est. Priority Date: 10/17/2006
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A non-transitory computer-readable storage medium storing instructions, which when executed by at least one computer, performs a method of managing users in a data management system that is configured to manage secondary copies of data files, the method comprising:

receiving a request from an identified preexisting user to perform a storage operation that would create a secondary copy of a particular production data file;

querying a security system to determine certain access rights of the identified preexisting user,wherein the certain access rights relate to the preexisting user'"'"'s rights to access the particular production data file,wherein querying the security system to determine the certain access rights includes determining one or more computers to which the identified preexisting user has access permission, andwherein the certain access rights permit the identified preexisting user to perform the requested storage operation if the particular production data file is associated with one of the determined one or more computers; and

,performing the requested storage operation to create a secondary copy of the particular production data file when the certain access rights permit the identified preexisting user to perform the requested storage operation,wherein the secondary copies are useable to restore production data from which the secondary copies are created and wherein the secondary copies are not actively used by a live data server or other computer system; and

,wherein the certain access rights determine which copies of source data stored in multiple copies a user within a group can access.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.

244 Citations

22 Claims

1. A non-transitory computer-readable storage medium storing instructions, which when executed by at least one computer, performs a method of managing users in a data management system that is configured to manage secondary copies of data files, the method comprising:
- receiving a request from an identified preexisting user to perform a storage operation that would create a secondary copy of a particular production data file;
  
  querying a security system to determine certain access rights of the identified preexisting user,wherein the certain access rights relate to the preexisting user'"'"'s rights to access the particular production data file,wherein querying the security system to determine the certain access rights includes determining one or more computers to which the identified preexisting user has access permission, andwherein the certain access rights permit the identified preexisting user to perform the requested storage operation if the particular production data file is associated with one of the determined one or more computers; and
  
  ,performing the requested storage operation to create a secondary copy of the particular production data file when the certain access rights permit the identified preexisting user to perform the requested storage operation,wherein the secondary copies are useable to restore production data from which the secondary copies are created and wherein the secondary copies are not actively used by a live data server or other computer system; and
  
  ,wherein the certain access rights determine which copies of source data stored in multiple copies a user within a group can access.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising permitting a user of the data management system, who does not have privileges to create new users within the data management system, to add the identified preexisting user to the group within the data management system.
  - 3. The method of claim 1, wherein the particular production data file includes textual content, and the certain access rights are determined in part by evaluating the textual content.
  - 4. The method of claim 1, further comprising:
    - querying the security system to determine an electronic address associated with the identified preexisting user; and
      
      ,notifying the identified preexisting user at the determined electronic address that the requested storage operation failed.
  - 5. The method of claim 1, wherein performing the requested storage operation comprises creating a secondary copy of the particular production data file and applying access rights that the security system associates with the particular production data file to the created secondary copy.
  - 6. The method of claim 1, further comprising querying the security system to determine an email address associated with the identified preexisting user.
  - 7. The method of claim 1, further comprising:
    - identifying the preexisting user created in the security system, wherein the security system is external to the data management system, and wherein the identified preexisting user has the certain access rights defined by the security system;
      
      creating the group within the data management system that associates one or more users with the at least one access right for performing storage operations that create secondary copies of data files from source production data files;
      
      adding the identified preexisting user to the group within the data management system before receiving the request from the identified preexisting user to perform a storage operation.

8. A method for controlling a computer system to migrate users from a preexisting security system to a data management system that is configured to manage secondary copies of data files, wherein the secondary copies are useable to restore production data from which the secondary copies are created and are not actively used by a live data server or other computer system, by a method comprising:
- migrating a selected preexisting security entity defined by an external security infrastructure to a new security entity in the data management system; and
  
  ,wherein migrating the selected preexisting security entity defined by the external security infrastructure to the new security entity in the data management system includes associating the new security entity with a reference to the selected preexisting security entity in the security infrastructure; and
  
  performing a storage operation requested by a selected preexisting security entity,wherein the storage operation creates a secondary copy of a particular production data file,wherein the storage operation is performed after a querying of the security infrastructure has been performed to determine that the selected preexisting security entity has sufficient access rights with respect to the particular production data file to perform the requested data management operation,wherein querying the security infrastructure to determine that the selected preexisting security entity has sufficient access comprises determining one or more computers to which the selected preexisting security entity has access,wherein the selected preexisting security entity has sufficient access rights when the particular production data file is associated with one of the determined one or more computers, and,wherein the at least one privilege for performing storage management operations determines which copies of source data stored in multiple copies can be accessed by the new security entity.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8 wherein migrating the selected preexisting security entity further includes determining information about the preexisting security entity and associating at least a portion of the information with the new security entity.
  - 10. The method of claim 8 wherein the external security infrastructure includes a directory provided by an operating system.
  - 11. The method of claim 8 wherein providing a list of one or more preexisting security entities defined by a security infrastructure external to the data management system includes retrieving information from a first external security infrastructure provided by a first operating system.
  - 12. The method of claim 8 wherein providing a list of one or more preexisting security entities defined by a security infrastructure external to the data management system further includes retrieving information from a second external security infrastructure provided by a second operating system.
  - 13. The method of claim 8 wherein the selected preexisting security entity is an individual user.
  - 14. The method of claim 8 wherein the external security infrastructure provides one or more access control lists that define one or more access rights assigned to each preexisting security entity.
  - 15. The method of claim 8, further comprising:
    - receiving a request to create the new security entity in the data management system, wherein the new security entity is associated with at least one privilege for performing storage management operations to create secondary copies of data files from source production data files;
      
      providing a list of one or more preexisting security entities defined by the security infrastructure external to the data management system; and
      
      ,receiving a selection of a preexisting security entity defined by the external security infrastructure.

16. A system for securing storage operations in a storage management system, wherein the storage management system interfaces with an external security component configured to store data regarding one or more external users and one or more access rights that indicate how the one or more external users are permitted to access production data files, the system comprising:
- a memory;
  
  means for managing data storage, wherein the means for managing data storage is configured to perform storage operations on behalf of one or more storage management users,wherein some of the storage operations performed create secondary copies of data files from source production data files, andwherein the secondary copies are useable to restore production data from which the secondary copies are created and are not actively used by a live data server or other computer system;
  
  means for creating storage management users based on selected external users, and for determining whether a storage management user has sufficient access rights to perform a storage operation to create a secondary copy of a data file from a particular production data file,wherein this determination is made by querying the external security component to determine one or more access rights that indicate how the particular selected external user is permitted to access the particular production data file;
  
  wherein determining whether a storage management user that was created based on a particular selected external user has sufficient access rights to perform a storage operation includes determining one or more computers to which the particular selected external user has access,wherein the particular selected external user has sufficient access rights when the particular production data file is associated with one of the determined one or more computers;
  
  wherein creating storage management users based on selected external users includes associating one or more storage management users with a reference to one or more of the selected external users; and
  
  wherein the access rights to perform a storage operation determine which copies of source data stored in multiple copies a storage management user can access.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16 wherein the privileges migration component is further configured to determine at least a name and an email address associated with each of the selected external users.
  - 18. The system of claim 16 wherein the storage management application is further configured to store, with each storage management user, privileges information describing storage management operations that each storage management user is allowed to perform.
  - 19. The system of claim 16 wherein the external security component includes a Lightweight Directory Access Protocol (LDAP) directory.

20. One or more computer memories storing a data structure for associating access control information in a data management system with backup data, comprising:
- a security descriptor having one or more access control lists,wherein each access control list contains one or more access control entries,wherein the access control entries contain users and groups defined by a security system that is external to the data management system,wherein the access control list and the access control entities enable the users and the groups to have access rights to perform management storage operations with the backup data,wherein the backup data is used, via the management storage operations, to restore production data from which the backup data is created and the backup data is not actively used by a live data server or other computer system,wherein the one or more access control list include varying types of access control lists that provide the users and the groups with varying levels of security permissions; and
  
  a backup data reference that specifies the backup data for which the security descriptor specifies access control information.
- View Dependent Claims (21, 22)
- - 21. The computer memories of claim 20, wherein the access control lists identify one or more computers to which the users and the groups have access, andwherein the access control list permits the users and the groups to perform management storage operations on the one or more computers using the backup data if the backup data is associated with the one or more computers to which the users and the groups have access.
  - 22. The computer memories of claim 20, wherein the access rights to perform management storage operations with the backup data is based on content of or metadata associated with a data object in the backup data.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Prahlad, Anand, Kavuri, Srinivas
Primary Examiner(s)
Ng, Amy

Application Number

US13/250,997
Publication Number

US 20120023140A1
Time in Patent Office

599 Days
Field of Search

707/627, 707/785, 726/27
US Class Current

707/627
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

System and method for storage operation access security

First Claim

4 Assignments

Litigations

1 Petition

Accused Products

Abstract

244 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

System and method for storage operation access security

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

244 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others