Fine granularity access control for a storage area network

US 8,762,552 B2
Filed: 04/13/2005
Issued: 06/24/2014
Est. Priority Date: 04/13/2005
Status: Active Grant

First Claim

Patent Images

1. A method of managing configuration access by a user to resources of a storage area network, the method comprising:

defining multiple administration domains, each administration domain specifying a subset of the resources designated to provide one application with storage access;

associating the user with one or more of the administration domains;

associating the user with a user profile, wherein the user profile includes a list of resources the user has access to and a level of access for each resource in the list and wherein altering an administration domain associated with the user to change the specified subset of resources results in automatic changes to the list of resources in the user profile; and

allowing the user to access a selected resource, if the selected resource is specified in an administration domain associated with the user;

wherein the user'"'"'s level of access to the selected resource is determined by the level of access listed for the selected resource in the user'"'"'s profile.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A SAN management software program controls access to resources in the SAN by associating individual users with one or more administration domains. A user that is associated with an administration domain that includes a port of a SAN switch can configure or otherwise access the port but is restricted from accessing ports outside of that administration domain. Likewise, access to other sub-fabric resources can be restricted and allowed to individual users and users in specific roles or groups. In this manner, the SAN administrative user has very specific control over which users can access which SAN resources and what level of access these users are granted.

17 Citations

View as Search Results

20 Claims

1. A method of managing configuration access by a user to resources of a storage area network, the method comprising:
- defining multiple administration domains, each administration domain specifying a subset of the resources designated to provide one application with storage access;
  
  associating the user with one or more of the administration domains;
  
  associating the user with a user profile, wherein the user profile includes a list of resources the user has access to and a level of access for each resource in the list and wherein altering an administration domain associated with the user to change the specified subset of resources results in automatic changes to the list of resources in the user profile; and
  
  allowing the user to access a selected resource, if the selected resource is specified in an administration domain associated with the user;
  
  wherein the user'"'"'s level of access to the selected resource is determined by the level of access listed for the selected resource in the user'"'"'s profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - discovering the resources of the storage area network to generate a discovery results.
  - 3. The method of claim 1, wherein the subset of the resources includes an individually identified switch in the storage area network.
  - 4. The method of claim 1, wherein the subset of the resources includes an individually identified port of a switch in the storage area network.
  - 5. The method of claim 1, wherein the subset of the resources includes an individually identified logical unit number of a device in the storage area network.
  - 6. The method of claim 1, wherein the operation of associating the user with one or more of the administration domains comprises:
    - referencing one or more of the administration domains using the user profile.
  - 7. The method of claim 1, wherein the operation of associating the user with one or more of the administration domains comprises:
    - associating the user with a role, wherein multiple users may be grouped within the role; and
      
      associating the role with an administration domain.
  - 8. The method of claim 1, wherein the operation of allowing the user to access a selected resource comprises:
    - executing a configuration command initiated by the user and targeting the resource.
  - 9. The method of claim 1, further comprising preventing the user from accessing the selected resource, if the resource is not specified in an administration domain associated with the user.
  - 10. The method of claim 1, wherein the subset of the resources are designated to provide the application with storage access.
  - 11. The method of claim 10, wherein the application is an e-mail application.

12. A computer program product encoding a computer program, on a non-transitory storage medium, for a computer process that executes on a computer system that manages configuration access by a user to resources of a storage area network, the computer process comprising:
- defining a plurality of groups of devices, each group of devices servicing one application;
  
  defining multiple administration domains, each administration domain specifying a subset of the resources corresponding to one of the plurality of groups of devices and corresponding to one application;
  
  associating the user with one or more of the administration domains;
  
  associating the user with a user profile, wherein the user profile includes a list of the resources the user has access to and a level of access for each resource in the list and wherein altering an administration domain associated with the user to change the specified subset of resources results in automatic changes to the list of resources in the user profile; and
  
  allowing the user to access a selected resource, if the selected resource is specified in an administration domain associated with the user;
  
  wherein the user'"'"'s level of access to the selected resource is determined by the level of access listed for the selected resource in the user'"'"'s profile.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computer program product of claim 12, wherein the computer process further comprises:
    - discovering the resources of the storage area network to generate a discovery results.
  - 14. The computer program product of claim 12, wherein the subset of the resources includes an individually identified switch in the storage area network.
  - 15. The computer program product of claim 12, wherein the subset of the resources includes an individually identified port of a switch in the storage area network.
  - 16. The computer program product of claim 12, wherein the subset of the resources includes an individually identified logical unit number of a device in the storage area network.
  - 17. The computer program product of claim 12, wherein the operation of associating the user with one or more of the administration domains comprises:
    - referencing one or more of the administration domains using the user profile.
  - 18. The computer program product of claim 12, wherein the operation of associating the user with one or more of the administration domains comprises:
    - associating the user with a role, wherein multiple users may be grouped within the role; and
      
      associating the role with an administration domain.
  - 19. The computer program product of claim 12, wherein the operation of allowing the user to access a selected resource comprises:
    - executing a configuration command initiated by the user and targeting the resource.
  - 20. The computer program of claim 12, wherein the computer process further comprises preventing the user from accessing the selected resource, if the resource is not specified in an administration domain associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Inventors
Henriquez, Hans Logan, Hamilton, David Brooks, Zhang, Xinyu, Kejriwal, Parry, Ramkumar, Gurumurthy D
Primary Examiner(s)
Gillis, Brian J

Application Number

US11/105,937
Publication Number

US 20060235985A1
Time in Patent Office

3,359 Days
Field of Search

709/223, 709/224, 709/229, 709/225, 711/100, 711/163
US Class Current

709/229
CPC Class Codes

G06F 16/437   Administration of user prof...

G06F 21/45   Structures or tools for the...

G06F 3/067   Distributed or networked st...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/1097   for distributed storage of ...

H04L 67/12   specially adapted for propr...

Fine granularity access control for a storage area network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Fine granularity access control for a storage area network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links