System and method for storage operation access security
Abstract
A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.
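The following sketch illustrates the idea in the abstract and is an added example, not code from the patent or from any product. The in-memory `EXTERNAL_DIRECTORY` stands in for the preexisting security system, and every name in it (`ProductionFile`, `SecondaryCopy`, `may_back_up`, `create_secondary_copy`, `can_restore`) is hypothetical. Denying unknown users is an assumption of the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the preexisting (external) security system.
# A real deployment would query a directory service instead of this dict.
EXTERNAL_DIRECTORY = {
    "alice": {"computers": {"fs01", "db02"}},
    "bob": {"computers": {"fs01"}},
}

@dataclass(frozen=True)
class ProductionFile:
    computer: str   # host the production file lives on
    path: str
    acl: tuple      # (principal, right) pairs on the original file

@dataclass(frozen=True)
class SecondaryCopy:
    source: ProductionFile
    acl: tuple      # access control carried over from the original
    requested_by: str

def permitted_computers(user):
    """Ask the external security system which computers the user may access."""
    entry = EXTERNAL_DIRECTORY.get(user)
    # Assumption of this example: unknown users get an empty set (fail closed).
    return frozenset(entry["computers"]) if entry else frozenset()

def may_back_up(user, src):
    """Permit the operation only if the file's computer is one the user can access."""
    return src.computer in permitted_computers(user)

def create_secondary_copy(user, src):
    """Check rights at request time, then create the copy with the original's ACL."""
    if not may_back_up(user, src):
        raise PermissionError(f"{user} has no access to {src.computer}")
    return SecondaryCopy(source=src, acl=src.acl, requested_by=user)

def can_restore(user, copy):
    """The secondary copy is readable only by principals who could read the original."""
    return (user, "read") in copy.acl

# Constructed sample file for the example.
PAYROLL = ProductionFile("db02", "/data/payroll.db",
                         (("alice", "read"), ("alice", "write")))
```

Because the rights are looked up in the external directory on every request, revoking a user's access to a computer there also removes the ability to back up files from it, with no second user database to update.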
22 Claims
1. A non-transitory computer-readable storage medium storing instructions, which when executed by at least one computer, performs a method of managing users in a data management system that is configured to manage secondary copies of data files, the method comprising:
- receiving a request from an identified preexisting user to perform a storage operation that would create a secondary copy of a particular production data file;
- querying a security system to determine certain access rights of the identified preexisting user, wherein the certain access rights relate to the preexisting user's rights to access the particular production data file, wherein querying the security system to determine the certain access rights includes determining one or more computers to which the identified preexisting user has access permission, and wherein the certain access rights permit the identified preexisting user to perform the requested storage operation if the particular production data file is associated with one of the determined one or more computers; and
- performing the requested storage operation to create a secondary copy of the particular production data file when the certain access rights permit the identified preexisting user to perform the requested storage operation, wherein the secondary copies are useable to restore production data from which the secondary copies are created and wherein the secondary copies are not actively used by a live data server or other computer system; and
- wherein the certain access rights determine which copies of source data stored in multiple copies a user within a group can access.
8. A method for controlling a computer system to migrate users from a preexisting security system to a data management system that is configured to manage secondary copies of data files, wherein the secondary copies are useable to restore production data from which the secondary copies are created and are not actively used by a live data server or other computer system, by a method comprising:
- migrating a selected preexisting security entity defined by an external security infrastructure to a new security entity in the data management system; and
- wherein migrating the selected preexisting security entity defined by the external security infrastructure to the new security entity in the data management system includes associating the new security entity with a reference to the selected preexisting security entity in the security infrastructure; and
- performing a storage operation requested by a selected preexisting security entity, wherein the storage operation creates a secondary copy of a particular production data file, wherein the storage operation is performed after a querying of the security infrastructure has been performed to determine that the selected preexisting security entity has sufficient access rights with respect to the particular production data file to perform the requested data management operation, wherein querying the security infrastructure to determine that the selected preexisting security entity has sufficient access comprises determining one or more computers to which the selected preexisting security entity has access, wherein the selected preexisting security entity has sufficient access rights when the particular production data file is associated with one of the determined one or more computers, and, wherein the at least one privilege for performing storage management operations determines which copies of source data stored in multiple copies can be accessed by the new security entity.
16. A system for securing storage operations in a storage management system, wherein the storage management system interfaces with an external security component configured to store data regarding one or more external users and one or more access rights that indicate how the one or more external users are permitted to access production data files, the system comprising:
- a memory;
- means for managing data storage, wherein the means for managing data storage is configured to perform storage operations on behalf of one or more storage management users, wherein some of the storage operations performed create secondary copies of data files from source production data files, and wherein the secondary copies are useable to restore production data from which the secondary copies are created and are not actively used by a live data server or other computer system;
- means for creating storage management users based on selected external users, and for determining whether a storage management user has sufficient access rights to perform a storage operation to create a secondary copy of a data file from a particular production data file, wherein this determination is made by querying the external security component to determine one or more access rights that indicate how the particular selected external user is permitted to access the particular production data file;
- wherein determining whether a storage management user that was created based on a particular selected external user has sufficient access rights to perform a storage operation includes determining one or more computers to which the particular selected external user has access, wherein the particular selected external user has sufficient access rights when the particular production data file is associated with one of the determined one or more computers;
- wherein creating storage management users based on selected external users includes associating one or more storage management users with a reference to one or more of the selected external users; and
- wherein the access rights to perform a storage operation determine which copies of source data stored in multiple copies a storage management user can access.
20. One or more computer memories storing a data structure for associating access control information in a data management system with backup data, comprising:
- a security descriptor having one or more access control lists, wherein each access control list contains one or more access control entries, wherein the access control entries contain users and groups defined by a security system that is external to the data management system, wherein the access control list and the access control entities enable the users and the groups to have access rights to perform management storage operations with the backup data, wherein the backup data is used, via the management storage operations, to restore production data from which the backup data is created and the backup data is not actively used by a live data server or other computer system, wherein the one or more access control list include varying types of access control lists that provide the users and the groups with varying levels of security permissions; and
- a backup data reference that specifies the backup data for which the security descriptor specifies access control information.
Specification