U.S. patent application number 12/058518 was filed with the patent office on 2008-10-02 for system and method for storage operation access security.
Invention is credited to Anand Prahlad, Prakash Varadharajan.
Application Number: 20080243795 (12/058518)
Family ID: 39304285
Filed Date: 2008-10-02
United States Patent Application 20080243795, Kind Code A1
Prahlad; Anand; et al.
October 2, 2008
SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY
Abstract
A method and system for controlling access to stored data is
provided. The storage access control system leverages a preexisting
security infrastructure of a system to inform the proper access
control that should be applied to data stored outside of its
original location, such as a data backup. The storage access
control system may place similar access control restrictions on the
backup files that existed on the original files. In this way, the
backed up data is given similar protection as that of the original
data.
Inventors: Prahlad; Anand (East Brunswick, NJ); Varadharajan; Prakash (Old Bridge, NJ)
Correspondence Address: PERKINS COIE LLP; PATENT-SEA, P.O. BOX 1247, SEATTLE, WA 98111-1247, US
Family ID: 39304285
Appl. No.: 12/058518
Filed: March 28, 2008
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
11694784 | Mar 30, 2007 |
12058518 | |
60852584 | Oct 17, 2006 |
Current U.S. Class: 1/1; 707/999.003; 707/999.009; 707/E17.005; 707/E17.014
Current CPC Class: G06F 21/604 20130101; G06F 2221/2141 20130101; G06F 21/6218 20130101
Class at Publication: 707/3; 707/9; 707/E17.014; 707/E17.005
International Class: G06F 17/30 20060101 G06F017/30; G06F 7/00 20060101 G06F007/00
Claims
1. A method of searching for data objects in a data management
system, the method comprising: receiving one or more criteria
describing at least one data object to be located within the data
management system; identifying one or more data objects stored
within the data management system that satisfy the received one or
more criteria; determining one or more access rights associated
with the identified one or more data objects stored within the data
management system; and providing a filtered list of results that
contains the identified one or more data objects, wherein the list
is filtered based on the determined one or more access rights.
2. The method of claim 1 wherein determining one or more access
rights comprises determining access rights based on an identity of
a user from which the one or more criteria are received.
3. The method of claim 1 wherein determining one or more access
rights comprises determining access rights based on an identity of
a process from which the one or more criteria are received.
4. The method of claim 1 wherein determining one or more access
rights comprises determining access rights based on an identity of
the identified one or more data objects.
5. The method of claim 1 wherein the identified one or more data
objects include textual content, and wherein determining one or
more access rights comprises determining access rights based on the
included textual content.
6. The method of claim 1 wherein providing a filtered list of
results comprises removing identified data objects from the results
to which the one or more access rights do not grant access.
7. The method of claim 1 wherein providing a filtered list of
results comprises providing an indication that access to the
results is restricted to results to which the one or more access
rights grant access.
8. The method of claim 1 wherein identifying one or more data
objects stored within the data management system comprises querying
a database that maintains an index of data objects stored within
the data management system and access control information
associated with the data objects to determine data objects that
satisfy the one or more received criteria.
9. The method of claim 1 wherein the access rights associated with
the identified one or more data objects are based on access control
information associated with source data used to create the one or
more data objects.
10. The method of claim 1 wherein the data management system
contains multiple copies of certain data objects, and wherein
similar access rights are associated with each of the copies of the
certain data objects.
11. The method of claim 1 wherein the access rights of a user from
which the one or more criteria are received are determined by the
membership of the user in one or more Microsoft.RTM. Windows Active
Directory groups.
12. A computer-readable medium containing instructions for
controlling a computer system to restrict access to data objects
stored within a storage management system, by a method comprising:
receiving a request identifying a particular copy of a data object
for which access rights are to be determined, wherein the data
object has multiple copies; identifying the entity requesting
access to the particular copy of the data object; querying access
control information for the particular copy of the data object from
the storage management system, wherein the storage management
system determines access control information with each data object
when a first instance of the data object is encountered and
associates the access control information with each subsequent copy
of the data object that is created; and, indicating whether the
identified entity requesting access to the data object is granted
access to the data object based on the access control information
associated with the data object by the storage management system,
wherein the indication is the same regardless of which of the
multiple copies of the data object the request identifies.
13. The computer-readable medium of claim 12 wherein identifying
the entity requesting access comprises determining the access
rights assigned to the entity by a security system.
14. The computer-readable medium of claim 12 wherein different
storage operations have been performed on each of the copies of the
data object having multiple copies.
15. The computer-readable medium of claim 12 wherein storing access
control information for each data object when a first instance of
the data object is encountered comprises retrieving access control
information associated with a file system in which the data object
is stored.
16. The computer-readable medium of claim 12 wherein querying
access control information for the particular copy of the data
object from the storage management system comprises accessing an
index that stores information about each copy of the data object
and access control information associated with the data object.
17. The computer-readable medium of claim 12 wherein the entity
requesting access is a member of an external security group and
identifying the entity requesting access to the particular copy of
the data object comprises determining the access rights assigned to
members of the external security group.
18. A system for filtering data objects provided in response to a
search in a data management system based on access rights
associated with the data objects, the system comprising: a network
security component that provides access control information for
data objects stored by one or more computers within the data
management system, wherein the access control information is based
on access control information associated with source data used to
create each data object; an entity identification component that
identifies an entity requesting access to a data object stored
within the data management system; a storage search component that
receives criteria and performs searches for data objects within the
data management system that satisfy at least one of the criteria;
and a data object access component that determines whether the
entity identified by the entity identification component has access
to the data objects discovered by the storage search component
based on the access control information.
19. The system of claim 18 wherein the network security component
manages storage operations associated with data objects and when a
storage operation creates a copy of a data object, migrates access
control information associated with the source of the data object
to the copy of the data object.
20. The system of claim 18, further comprising a web server
component that provides access to data objects and the storage
search component through a web browser interface.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The present application is a continuation of U.S.
application Ser. No. 11/694,784 (Attorney Docket No.
60692-8042.US00) entitled "SYSTEM AND METHOD FOR STORAGE OPERATION
ACCESS SECURITY" and filed on Mar. 30, 2007, which claims priority
to U.S. Provisional Application No. 60/852,584 (Attorney Docket No.
60692-8047.US00) entitled "METHOD AND SYSTEM FOR COLLABORATIVE
SEARCHING," and filed on Oct. 17, 2006, each of which is hereby
incorporated by reference.
BACKGROUND
[0002] Traditional security systems operate on the principle of
limiting access to data. Each user of the system is generally
identified with a user name, and access rights are assigned to each
user. For example, users may be permitted or prevented from
accessing certain files or adding new hardware to a computer
system. Users may also be assigned to groups where each member of
the group is given common access rights. Often a great amount of
administrative effort has been put into creating users and groups
and assigning them appropriate access rights in a traditional
computer security system. For example, Microsoft Windows provides
Active Directory for creating users and groups and assigning access
to resources throughout a computer network. File systems also often
provide access control. For example, the NT File System (NTFS)
provides folder and file access based on user and group identifiers
and the type of access requested such as read, write, execute, and
other operations. An organization may have an extensive scheme of
groups and access rights. For example, there may be a group of
accounting department users that have different rights than
engineering department users. The organization may also have
identified certain users as administrators that have additional
rights to administer the system.
[0003] Computer systems contain large amounts of personal data,
such as financial data, names, addresses, telephone numbers, bank
account information, photographs and much more. Corporate computer
systems often contain confidential information, such as trade
secrets, manufacturing processes, business strategy, and so on.
With the increased reliance on computer systems to store critical
information, the importance of protecting this data against loss
has grown. For example, traditional storage management systems
receive an identification of a file location of an original file
and then create one or more secondary copies, such as backup files,
containing the contents of the original file. These secondary
copies can then later be used to restore the original data should
anything happen to the original data. Secondary copies of data are
often stored in a publicly accessible location for quick
restoration of data in the event of a disaster or other data loss
event. For example, backup files may be stored on a widely
accessible server, and tapes and other media used for storing
backup files may be physically accessible to many users.
[0004] Backed up data may contain sensitive information that is
more widely accessible than the original data. Backing up data
often removes the data from the well-planned security environment
in which it was originally stored. Even though a system
administrator may have gone to great lengths to properly limit
access to data throughout a network, once the data is stored as one
or more secondary copies it is often more accessible than
originally intended. For example, the CEO of a company may have
many sensitive files on a computer system that only he can access,
but if that computer system is backed up, then the backup files may
allow unauthorized users to have access to data that they would not
normally be able to access. In addition, some systems provide
searches based on backup data in which the backup data is indexed.
Indexed content does not have the protections imposed on the
original files.
[0005] There is a need for a system that overcomes the above
problems, as well as providing additional benefits.
BRIEF DESCRIPTION OF THE DRAWINGS
[0006] FIG. 1 is a block diagram that illustrates components of a
storage access control system in one embodiment.
[0007] FIG. 2 is a flow diagram that illustrates processing of the
system to apply preexisting security to data objects in one
embodiment.
[0008] FIG. 3 is a flow diagram that illustrates processing of the
system to perform a secure search in one embodiment.
[0009] FIG. 4 is a flow diagram that illustrates processing of the
system to migrate users from a preexisting security infrastructure
to a storage component security infrastructure in one
embodiment.
[0010] FIG. 5 is a data structure diagram that illustrates storing
of access control information with storage data in one
embodiment.
[0011] In the drawings, the same reference numbers and acronyms
identify elements or acts with the same or similar functionality
for ease of understanding and convenience. To easily identify the
discussion of any particular element or act, the most significant
digit or digits in a reference number refer to the Figure number in
which that element is first introduced (e.g., element 1104 is first
introduced and discussed with respect to FIG. 11).
[0012] The headings provided herein are for convenience only and do
not necessarily affect the scope or meaning of the claimed
invention.
DETAILED DESCRIPTION
Overview
[0013] A method and system for controlling access to stored data
described below leverages a preexisting security infrastructure to
inform proper access control that should be applied to data stored
outside of its original location, such as a data backup. In one
embodiment, the storage access control system receives a request to
perform a storage operation that makes data at a source location
available at a destination location. For example, the request may
indicate that data stored on one computer should be copied and
stored on a second computer. A storage operation may include many
types of operations such as backup, migration, replication,
snapshot, hierarchical storage management (HSM), and so on. For
example, the storage operation may be a request to make a snapshot
copy of data at the source location. The source location may
contain electronic information such as file system data objects,
application data objects, or other types of storage data objects.
Upon receiving the request, the storage access control system
queries the source or other location for access control
information. For example, if the data includes one or more files,
then the storage access control system may examine the file system
to determine what access control scheme is currently in place for
the data. The file system may contain access information that
identifies the users and groups that have access to the data. One
manner in which the access information may be associated with the
data is by storing the access information along with the file.
Then, the storage access control system applies the access control
information to the data stored at the destination location. For
example, the storage access control system may associate the access
control information with the data stored at the destination
location in a different manner, such as by storing metadata
describing the access control information in a content indexing
system. In the example of backing up files, the storage access
control system may place similar access control restrictions on the
backup files that existed on the original files. In this way, the
backed up data is given similar protection as that of the original
data.
[0014] The invention will now be described with respect to various
embodiments. The following description provides specific details
for a thorough understanding of, and enabling description for,
these embodiments of the invention. However, one skilled in the art
will understand that the invention may be practiced without these
details. In other instances, well-known structures and functions
have not been shown or described in detail to avoid unnecessarily
obscuring the description of the embodiments of the invention.
[0015] The terminology used in the description presented below is
intended to be interpreted in its broadest reasonable manner, even
though it is being used in conjunction with a detailed description
of certain specific embodiments of the invention. Certain terms may
even be emphasized below; however, any terminology intended to be
interpreted in any restricted manner will be overtly and
specifically defined as such in this Detailed Description
section.
Improving Security with ACLs and Active Directory
[0016] In some embodiments, the storage access control system
determines the access control information stored by the preexisting
security infrastructure based on an offline or secondary copy of
the data. An offline copy can be a backup, snapshot, or other copy
of the data that is not actively being used by a live data server
or other computer system. By using a secondary copy, the storage
access control system can avoid interrupting user access to the
live data by not consuming additional resources on the server or
other computer system storing the live copy of the data.
[0017] When a live or production copy of the source data is used to
create a secondary copy, the preexisting security information
associated with the data may also be associated with the secondary
copy. For example, if the source data is a file, then the security
information associated with the file may be captured when the
secondary copy is created and stored with the file or in another
location that is associated with the secondary copy. For example,
many file systems contain hierarchical security schemes such that
access control information applied to a parent file system object
(e.g., a folder) is applied to each of the child file system
objects (e.g., files in the folder). The storage access control
system captures this information so that the access control
information applied to source data can also be applied to secondary
copies of the source data. For example, if the user later performs
a search and the storage access control system searches offline
copies of data, then the storage access control system can ensure
that the user has similar access (both permitting allowed
operations and denying excluded operations) to the offline data
that the user had to the original live data from which the offline
data was created. For example, if the user could not browse
particular source data, then the storage access control system may
exclude references to secondary copies of the source data from
search results. Similarly, if the user could browse and read a file
but not write to it, then the storage access control system may
permit the user to receive the file in search results, read from
the file, but not make modifications to the file.
[0018] In some embodiments, the storage access control system
stores access control information as metadata that identifies users
or groups authorized to perform storage operations. For example,
backup files may contain metadata that lists the users that can
access the data contained in the backup file. Alternatively or
additionally, backup data that is indexed for searching may be
associated with metadata stored with the index to apply access
control information in response to search queries. For example, a
user that does not have permission to access a particular backup
data object may be prevented from receiving that data object in a
list of results from a search query, even though the backup data
object may satisfy the search criteria. Alternatively or
additionally, the user may be able to receive the data object in a
list of search results, but not be able to open or view the data
object. A data object could be a file system object (e.g., a file
or folder), an application data object (e.g., an email mailbox,
word processing document, etc.), or other object containing
data.
[0019] In some embodiments, the storage access control system
stores access control information as an Access Control List (ACL)
containing Access Control Entries (ACE). The ACL contains a list of
users and/or groups that are allowed to access a data object, type
of data object, or resource containing a data object. Each ACE may
specify a user, group, or other entity that has access to the data
object associated with the ACL. In some embodiments, an ACL may
contain a list of users or groups that are specifically denied
access to a data object. In this way, administrators can apply
access control rights in the manner that is most logical for their
organization. For example, if everyone in the accounting department
except User A should have access to a particular data object, then
an administrator may create an ACL associated with the data object
containing an ACE that allows access to the accounting department
group, and another ACE that denies access to User A. The ACL may
also contain Boolean operators that describe combinations of
permissions and users that should be applied to a data object.
[0020] When a user, system, or process attempts to access a data
object, such as to perform a storage operation on the data object,
the storage access control system accesses the ACL and associated
ACEs related to the data object to determine whether the user has
the appropriate access to perform the operation on the data object.
If the user has the appropriate access, then permission to perform
the operation is granted, and the operation proceeds. If the user
does not have the appropriate access, then the storage access
control system denies permission to perform the operation, and an
error or other information may be conveyed to the user indicating
that the operation was not performed.
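The allow/deny evaluation described in paragraphs [0019] and [0020], with the requesting user's group memberships resolved from a directory in the way the Active Directory integration section below describes, as an added example in Python. This is not code from the patent application: the class names, the permission names, the sample directory and the sample ACL are constructed here, and the rule that a matching deny entry overrides any allow entry is taken from the text's accounting-department example rather than stated by the application as a general rule.

```python
"""Added example: evaluating an ACL of allow/deny ACEs for a requesting user
whose group memberships come from a directory service. Not code from the
patent application; names, sample directory and ACL are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: the principal it names, the operations it
    covers, and whether it grants or denies them."""
    principal: str                 # a user or group name
    permissions: FrozenSet[str]    # e.g. {"read", "write"}
    allow: bool = True             # False makes this a deny entry


@dataclass
class ACL:
    entries: List[ACE] = field(default_factory=list)


# Constructed stand-in for a directory service (Active Directory in the
# text): group -> direct members, which may themselves be groups.
DIRECTORY: Dict[str, Set[str]] = {
    "Accounting": {"alice", "bob", "Accounting-Managers"},
    "Accounting-Managers": {"carol"},
    "Executives": {"dave"},
}


def principals_for(user: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """Return the user plus every group the user belongs to, transitively:
    a member of a nested group is also a member of the enclosing group."""
    found = {user}
    changed = True
    while changed:
        changed = False
        for group, members in directory.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found


def is_permitted(acl: ACL, user: str, permission: str,
                 directory: Dict[str, Set[str]] = DIRECTORY) -> bool:
    """Deny entries win over allow entries (the text's 'everyone in
    accounting except User A' case); anything not explicitly allowed is
    denied, so an empty or non-matching ACL grants nothing."""
    who = principals_for(user, directory)
    matching = [e for e in acl.entries
                if e.principal in who and permission in e.permissions]
    if any(not e.allow for e in matching):
        return False
    return any(e.allow for e in matching)


# Constructed ACL: the accounting group may read and write, bob (a member
# of that group) is explicitly denied, executives may only read.
BUDGET_ACL = ACL([
    ACE("Accounting", frozenset({"read", "write"})),
    ACE("bob", frozenset({"read", "write"}), allow=False),
    ACE("Executives", frozenset({"read"})),
])

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(user, "read:", is_permitted(BUDGET_ACL, user, "read"),
              "write:", is_permitted(BUDGET_ACL, user, "write"))
```

Because `principals_for` expands nested groups, carol (a member of Accounting-Managers, which is itself a member of Accounting) receives the accounting group's rights without appearing in the ACL by name, which is the effect the text aims for when an Active Directory group, rather than each of its users, is added to a storage-system group. The evaluation is deliberately default-deny: a storage operation on an object whose ACL names no matching principal is refused and reported as such.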
[0021] In some embodiments, the storage access control system
further protects secondary copies of data, such as by encrypting
the data. This may be useful when the backup data is expected to be
stored offsite, such as by a public remote backup provider. The
data may be encrypted such that it can only be decrypted by those
users or groups with access to the original data. For example, the
data may be encrypted using a key that is associated with a
particular group of users that has access to the data. Users that
are not part of the group will not know or be associated with the
key and therefore will not be able to decrypt the data, while users
within the group will know the key and can decrypt and access the
data.
[0022] In some embodiments, the storage access control system
assigns access rights based on the content of or metadata
associated with a data object, such as by querying a content or
metadata indexing system. For example, some users may be denied
access to files that contain the word "confidential." An access
group of company executives can be granted exclusive access to
files that contain the term "board of directors." The system may
apply such content filtering to the data directly, or the system
can filter searches for data objects such that the search results
do not contain content to which the searching user has not been
granted the right to access.
Active Directory Integration for User Creation
[0023] In some embodiments, the storage access control system
provides a separate security infrastructure, but recognizes users
and groups created in the preexisting security infrastructure. For
example, server systems running Microsoft Windows often use Active
Directory or other systems to create users and groups and assign
access rights to those users and groups. The storage access control
system may allow creating a separate set of users and groups that
are assigned various storage operation rights. However, rather than
recreating each user from the Active Directory in the storage
access control system, the storage access control system may allow
adding an Active Directory user or group to a storage access
control system group. For example, when an Active Directory user is
added to a storage access control system group, the storage access
control system may query the Active Directory to determine
information about the user and the access rights associated with
the user. Thus, it is not necessary to give storage system
operators permissions to create new storage access control system
users, and it is not necessary to duplicate the users in both
security systems. Similarly, other preexisting security
infrastructures could be used with the storage access control
system.
[0024] The storage access control system may also retrieve other
information from the preexisting security system. For example, the
preexisting security system may maintain a list of computers
associated with a particular user, and the storage access control
system can grant the user access, for example, to backup computers
in that list. The preexisting security system may contain other
supplemental information, such as the user's email address that the
storage access control system may use, for example, to email the
user if a storage operation fails. The integration and connection
of the storage access control system with the preexisting security
system allows the storage access control system to provide a system
administrator with additional value in the administrator's
investment of time and resources in the preexisting security system
and reduces the need for a redundant investment of time and
resources in another security system.
Security-Based Queries and Access Filtering
[0025] In some embodiments, the storage access control system
provides an indexing and search facility that allows searching
based on keywords within backed up documents. The storage access
control system stores access control information for indexed files
and applies access control to search queries initiated by a user,
system, or process. For example, an administrator may be able to
search backup data for all users, whereas another user may only be
able to search her own backup data. Likewise, an executive of a
company may be able to search for and view content containing
sensitive business plans or trade secrets, but other employees may
not.
[0026] Such access control may be applied using ACLs and Active
Directory groups as described above. For example, a user with an
ACL on an original file that allows the user to view the file can
also view search results containing the file, whereas a user
without access to the original file cannot view the file by opening
it from a list of search results. Similarly, a user that is a
member of an Active Directory group that has access to a file will
have access to view search results containing the file. In this
way, an organization can leverage the investment in an existing
security infrastructure to provide similar security for content
accessible via a search facility.
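The flow that paragraphs [0017], [0018], [0022], [0025] and [0026] describe, and that claims 1 and 12 recite, as an added Python example that is not the patent application's own code: a storage operation captures a source file's access information (inherited from its folder where the file has none of its own), records it in the content index with every secondary copy of that object, and a keyword search returns only the objects the searcher may access, with a content-based rule applied on top. The file tree, the group map, the copy locations and the "board of directors" content rule are constructed assumptions.

```python
"""Added example (not the patent application's own code): carrying a source
object's access information into the index of its secondary copies and
filtering search results with it. All sample data is constructed."""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

Access = Dict[str, Set[str]]   # {"allow": principals, "deny": principals}


@dataclass
class SourceObject:
    """A file or folder at the source. acl=None means the object inherits
    the access information of the nearest parent folder that has one."""
    content: str = ""
    acl: Optional[Access] = None


@dataclass
class IndexEntry:
    """One data object in the content index; `copies` lists every secondary
    copy, all of which share the access information captured at copy time."""
    object_id: str
    content: str
    allow: Set[str]
    deny: Set[str]
    copies: List[str] = field(default_factory=list)


def effective_access(tree: Dict[str, SourceObject], path: str) -> Access:
    """Walk up the folder hierarchy until an explicit ACL is found."""
    while True:
        obj = tree.get(path)
        if obj is not None and obj.acl is not None:
            return obj.acl
        if path in ("", "/"):
            return {"allow": set(), "deny": set()}   # nothing granted
        path = posixpath.dirname(path)


def record_copy(index: Dict[str, IndexEntry], tree: Dict[str, SourceObject],
                path: str, copy_location: str) -> IndexEntry:
    """Called by a storage operation (backup, snapshot, ...) per object: the
    first copy captures the source ACL, later copies reuse the same entry."""
    entry = index.get(path)
    if entry is None:
        acc = effective_access(tree, path)
        entry = IndexEntry(path, tree[path].content,
                           set(acc["allow"]), set(acc["deny"]))
        index[path] = entry
    entry.copies.append(copy_location)
    return entry


# Constructed content rule: objects containing the phrase are visible only
# to the listed groups, whatever the file system ACL grants.
CONTENT_RULES: Dict[str, Set[str]] = {"board of directors": {"Executives"}}


def can_access(entry: IndexEntry, principals: Set[str]) -> bool:
    """Deny wins; otherwise require an allow match and pass content rules."""
    if entry.deny & principals:
        return False
    if not (entry.allow & principals):
        return False
    text = entry.content.lower()
    return all(permitted & principals
               for phrase, permitted in CONTENT_RULES.items() if phrase in text)


def search(index, groups, user, keyword) -> List[str]:
    """Keyword search whose result list is filtered by the searcher's rights."""
    principals = {user} | groups.get(user, set())
    return sorted(e.object_id for e in index.values()
                  if keyword.lower() in e.content.lower()
                  and can_access(e, principals))


def access_for_copy(index, groups, user, copy_location) -> bool:
    """Decision for one particular copy; identical for every copy of an object."""
    principals = {user} | groups.get(user, set())
    for entry in index.values():
        if copy_location in entry.copies:
            return can_access(entry, principals)
    raise KeyError(copy_location)


# Constructed sample: a flat group map (a directory service would supply it)
# and a small source tree whose folders carry the ACLs.
GROUPS = {"alice": {"Accounting"}, "bob": {"Accounting"},
          "dave": {"Accounting", "Executives"}, "frank": {"Engineering"}}
TREE = {
    "/finance": SourceObject(acl={"allow": {"Accounting"}, "deny": {"bob"}}),
    "/finance/budget.txt": SourceObject("Q3 budget figures"),
    "/finance/board-memo.txt": SourceObject("Confidential board of directors minutes"),
    "/eng": SourceObject(acl={"allow": {"Engineering"}, "deny": set()}),
    "/eng/design.txt": SourceObject("Budget for the new design"),
}


def build_index() -> Dict[str, IndexEntry]:
    """Simulate a full backup followed by a snapshot of one file."""
    index: Dict[str, IndexEntry] = {}
    for path, obj in TREE.items():
        if obj.content:                      # files only; folders hold ACLs
            record_copy(index, TREE, path, "backup-1" + path)
    record_copy(index, TREE, "/finance/budget.txt", "snapshot-1/finance/budget.txt")
    return index


if __name__ == "__main__":
    idx = build_index()
    for user in GROUPS:
        print(user, search(idx, GROUPS, user, "budget"))
```

Two properties of the index are worth noticing. First, bob's search for "budget" returns nothing even though a matching file exists, because the deny entry captured from the /finance folder travels with the copy; a user who could not browse the source data does not learn of it through the secondary copy. Second, `access_for_copy` answers the same way for the backup copy and the snapshot copy of budget.txt, since both point at one index entry, which is the consistency across copies that claim 12 describes.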
Figures
[0027] Unless described otherwise below, aspects of the invention
may be practiced with conventional systems. Thus, the construction
and operation of the various blocks shown in FIG. 1 may be of
conventional design, and need not be described in further detail
herein to make and use the invention, because such blocks will be
understood by those skilled in the relevant art. One skilled in the
relevant art can readily make any modifications necessary to the
blocks in FIG. 1 (or other embodiments or Figures) based on the
detailed description provided herein.
[0028] FIG. 1 is a block diagram that illustrates components of the
storage access control system in one embodiment. The storage access
control system 100 contains a receive storage request component
110, a query preexisting security component 120, a set destination
security component 130, an index storage data component 140, a
search storage data component 150, a provide search results
component 160, and an apply content security component 170. The
receive storage request component 110 handles incoming storage
requests. For example, a storage request may include a request to
copy data from a source location to a destination location. The
query preexisting security component 120 queries access control
information from an existing security provider external to the
storage access control system. For example, files stored in an NTFS
file system contain or are otherwise associated with access control
information that specifies the users that are allowed to access the
file.
[0029] The set destination security component 130 applies access
control information identified from an external security provider
to data managed by the storage access control system. For example,
during a backup operation, access control information from a source
file is associated with secondary copies that store information
from the source file, such that a user has similar access rights to
the source file and the backup data. The index storage data
component 140 creates an index of storage data managed by the
storage access control system. For example, the system 100 can
maintain an index of data present in a set of files that have been
backed up.
[0030] The search storage data component 150 performs searches of
indexed storage data to identify matching data objects. The provide
search results component 160 prepares identified matching data
objects for display to a user. For example, data objects for which
the searching user does not have access rights may be removed from
the search results before the results are returned to the user. The
apply content security component 170 applies security to a data
object based on the content of the data object. For example, if a
user has not been granted access to documents containing the word
"confidential," then the apply content security component 170
prevents the user from accessing a document containing
"confidential."
[0031] FIG. 1 and the following discussion provide a brief, general
description of a suitable computing environment in which the
invention can be implemented. Although not required, aspects of the
invention are described in the general context of
computer-executable instructions, such as routines executed by a
general-purpose computer, e.g., a server computer, wireless device
or personal computer. Those skilled in the relevant art will
appreciate that the invention can be practiced with other
communications, data processing, or computer system configurations,
including: Internet appliances, hand-held devices (including
personal digital assistants (PDAs)), wearable computers, all manner
of cellular or mobile phones, multi-processor systems,
microprocessor-based or programmable consumer electronics, set-top
boxes, network PCs, mini-computers, mainframe computers, and the
like. Indeed, the terms "computer," "host," and "host computer" are
generally used interchangeably herein, and refer to any of the
above devices and systems, as well as any data processor.
[0032] Aspects of the invention can be embodied in a special
purpose computer or data processor that is specifically programmed,
configured, or constructed to perform one or more of the
computer-executable instructions explained in detail herein.
Aspects of the invention can also be practiced in distributed
computing environments where tasks or modules are performed by
remote processing devices, which are linked through a
communications network, such as a Local Area Network (LAN), Wide
Area Network (WAN), or the Internet. In a distributed computing
environment, program modules may be located in both local and
remote memory storage devices.
[0033] Aspects of the invention may be stored or distributed on
computer-readable media, including magnetically or optically
readable computer discs, hard-wired or preprogrammed chips (e.g.,
EEPROM semiconductor chips), nanotechnology memory, biological
memory, or other data storage media. Indeed, computer implemented
instructions, data structures, screen displays, and other data
under aspects of the invention may be distributed over the Internet
or over other networks (including wireless networks), on a
propagated signal on a propagation medium (e.g., an electromagnetic
wave(s), a sound wave, etc.) over a period of time, or they may be
provided on any analog or digital network (packet switched, circuit
switched, or other scheme). Those skilled in the relevant art will
recognize that portions of the invention reside on a server
computer, while corresponding portions reside on a client computer
such as a mobile or portable device, and thus, while certain
hardware platforms are described herein, aspects of the invention
are equally applicable to nodes on a network.
[0034] FIGS. 2-4 are representative flow diagrams that depict
processes used in some embodiments. These flow diagrams do not show
all functions or exchanges of data, but instead they provide an
understanding of commands and data exchanged under the system.
Those skilled in the relevant art will recognize that some
functions or exchange of commands and data may be repeated, varied,
omitted, or supplemented, and other (less important) aspects not
shown may be readily implemented.
[0035] FIG. 2 is a flow diagram that illustrates the processing of
the system to apply preexisting security to data objects in one
embodiment. These steps are invoked when a storage operation is
performed that results in data being moved or copied from a source
location to a destination location. In step 210, the system
receives a storage operation, such as a request to copy data from a
source location to a destination location. In step 220, the system
queries the source location for access control information. For
example, if the source information is a file, then the storage
access control system queries access control information from the
file system. In step 230, if the access control information
indicates that the requestor of the storage operation has
permission to perform the operation, then the system performs the
requested storage operation. For example, if the operation is a
backup, then the system backs up data from the source location to
the destination location. In step 240, the system applies the
access control information to the destination data objects, such as
backup files or folders. Access control information captured from a
file system may be stored as metadata in a content indexing system
that controls access to secondary copies of the source data. For
example, ACLs and ACEs associated with files may be stored in the
content indexing system or otherwise associated with secondary
copies of the files. After step 240, these steps conclude.
[0036] FIG. 3 is a flow diagram that illustrates the processing of
the system to perform a secure search in one embodiment. These
steps are invoked when a user attempts to search for data objects
matching specified criteria. In step 310, the system receives a
search query specifying the criteria (e.g., of the data objects)
for which the user is searching. For example, the criteria may
contain a file name or the contents of a file that the user is
seeking. In step 320, the system searches one or more data stores
or an index of content of the data stores using the received query.
The system may only search certain data stores based on the access
permitted to the user. The data store may be a destination location
where the data objects were copied following a storage operation,
or the data store may contain metadata about the data objects,
which may be stored elsewhere. In step 330, the system identifies
matching data object entries in the data store that satisfy the
received search criteria. In step 340, the system applies access
control settings to the search results. For example, certain users
may not have access to documents from a certain location or
containing certain keywords. As another example, the access control
information may be used to decrypt an encrypted search result. The
system may perform the search in two passes. During the first pass,
the system performs a coarse search in which all data stores to
which the user has access are searched to create a list of search
results. During the second pass, a finer grained search of the
individual results is performed to determine which search results
the user has access to receive. Search results that the user does
not have access to receive may be removed or replaced with a no
access indicator (e.g., an icon) before the search results are
displayed to the user. In step 350, the system provides the search
results to the querying user. After step 350, these steps
conclude.
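The following Python code is an added illustration of the two-pass secure search of FIG. 3 (steps 310 through 350) and is not part of this application or its figures; the index entries, user records, store names and keyword restrictions are constructed sample values. The first pass limits the search to the data stores the user may access at all, and the second pass checks each candidate result against the access-control metadata captured from the source, substituting a no-access indicator for results the user may not receive.

```python
from dataclasses import dataclass

NO_ACCESS = "<no access>"  # stands in for the no-access indicator (e.g. an icon)


@dataclass(frozen=True)
class IndexEntry:
    """One content-index entry for a secondary copy (constructed sample shape):
    which data store holds the copy, its path and content, and the principals
    captured from the source that may read it."""
    doc_id: str
    store: str
    path: str
    content: str
    readers: frozenset


@dataclass(frozen=True)
class User:
    """Querying user: group memberships, the data stores the user may search at
    all, and keywords whose documents the user may never receive."""
    name: str
    groups: frozenset
    store_access: frozenset
    denied_keywords: frozenset = frozenset()


def coarse_pass(index, user, query):
    """First pass (step 320): search only the stores the user may access and
    match the query against path and content, producing candidate results."""
    q = query.lower()
    return [e for e in index
            if e.store in user.store_access
            and (q in e.path.lower() or q in e.content.lower())]


def fine_pass(candidates, user):
    """Second pass (step 340): check each candidate individually; results the
    user may not receive are replaced with the no-access indicator rather than
    silently dropped, so the user sees that something was withheld."""
    ids = {user.name} | set(user.groups)
    shown = []
    for e in candidates:
        permitted = bool(e.readers & ids)
        blocked = any(k.lower() in e.content.lower() for k in user.denied_keywords)
        shown.append(e.doc_id if permitted and not blocked else NO_ACCESS)
    return shown


def secure_search(index, user, query):
    """Steps 310 through 350 end to end: returns the list delivered to the user."""
    return fine_pass(coarse_pass(index, user, query), user)


# Constructed sample index and users (not taken from the application).
SAMPLE_INDEX = [
    IndexEntry("d1", "backup-finance", "/finance/q3.xlsx", "quarterly results", frozenset({"finance"})),
    IndexEntry("d2", "backup-finance", "/finance/merger.docx", "confidential merger plan", frozenset({"finance"})),
    IndexEntry("d3", "backup-eng", "/eng/design.md", "design notes for the plan", frozenset({"eng"})),
    IndexEntry("d4", "backup-hr", "/hr/plan.txt", "hiring plan", frozenset({"hr"})),
]
ALICE = User("alice", frozenset({"finance", "eng"}),
             frozenset({"backup-finance", "backup-eng"}), frozenset({"confidential"}))
BOB = User("bob", frozenset({"hr"}), frozenset({"backup-hr"}))

if __name__ == "__main__":
    print(secure_search(SAMPLE_INDEX, ALICE, "plan"))  # ['<no access>', 'd3']
    print(secure_search(SAMPLE_INDEX, BOB, "plan"))    # ['d4']
```

Note that the coarse pass never consults the "backup-hr" store on ALICE's behalf, so the existence of documents there is not revealed even as a withheld result; the fine pass, by contrast, reveals that a finance document matched but withholds it because of the keyword restriction.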
[0037] FIG. 4 is a flow diagram that illustrates the processing of
the system to migrate users or security information associated with
users from a preexisting security infrastructure to a storage
application (or component) in one embodiment. These steps are
invoked when, for example, an administrator manages storage access
control for a storage application. In step 410, the system creates
a group within the storage application. For example, the
administrator may create a group of users called "Backup Users"
that have the necessary access rights to perform a backup of
certain data within the system. Alternatively, the system may
import whole groups from the preexisting security infrastructure
and assign access rights to the groups and entities within the
groups. In step 420, the system identifies preexisting users that
are external to the storage application. For example, an
administrator may have previously defined the users in the Windows
Active Directory or in another external security component.
[0038] In step 430, the system adds the external users to the
storage application group, such that the storage application group
contains users that were not created using the storage application.
For example, a user "Bob Jones" created in the Active Directory may
be added to a group "System Administrators" within the storage
application. The external users may also be user groups, such that
a group previously created by the administrator using Windows Active
Directory is added to the storage application group. In step 440,
the system applies the access control rights of the storage
application group to the added external users. The system is more
secure than traditional systems because each administrator is not
given access to create new users within the storage application. By
allowing an administrator to add external users to the storage
application, the system does not need to allow most administrators
to have the access rights necessary to create new users within the
storage application. For example, an administrator may only be able
to add existing users or groups to the storage application. Thus,
an administrator of the preexisting security system can restrict
the entities to which an administrator of the storage application
can assign rights. Storage system administrators often have access
to some of a corporation's most important data, so the ability to
control which users can perform storage operations can
significantly enhance data security. After step 440, these steps
conclude.
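The following Python code is an added illustration of the user and group migration of FIG. 4 (steps 410 through 440) and is not part of this application; the external directory contents, group names and right names are constructed sample values. The storage application deliberately exposes no operation that creates a user: a group may only receive principals that already exist in the external directory, and a user's effective rights are resolved through both direct membership and membership in an imported external group.

```python
# Constructed stand-in for the preexisting security infrastructure (for
# example a directory service): the only place where user identities exist.
EXTERNAL_DIRECTORY = {
    "users": {"bob.jones", "alice.smith", "carol.wu"},
    "groups": {
        "Domain Admins": {"alice.smith"},
        "Backup Operators": {"carol.wu"},
    },
}


class StorageApplication:
    """Storage application whose groups may contain only principals that the
    external directory already knows; it has no method for creating users."""

    def __init__(self, directory):
        self._directory = directory
        self._groups = {}  # group name -> {"rights": set, "members": set}

    def create_group(self, name, rights):
        """Step 410: create a storage-application group with its access rights."""
        self._groups[name] = {"rights": set(rights), "members": set()}

    def add_external_member(self, group, principal):
        """Step 430: add an externally defined user or group to a storage group.
        Rejecting unknown principals is what keeps a storage administrator from
        minting identities the directory administrator never approved."""
        d = self._directory
        if principal not in d["users"] and principal not in d["groups"]:
            raise PermissionError(f"{principal!r} is not a known external principal")
        self._groups[group]["members"].add(principal)

    def effective_rights(self, user):
        """Step 440: the union of rights of every storage group that contains the
        user directly or through an imported external group."""
        rights = set()
        for g in self._groups.values():
            for member in g["members"]:
                if member == user or user in self._directory["groups"].get(member, ()):
                    rights |= g["rights"]
        return rights


def build_sample_app():
    """Constructed scenario: one group filled from an external group, one from
    an individual external user."""
    app = StorageApplication(EXTERNAL_DIRECTORY)
    app.create_group("Backup Users", {"backup"})
    app.create_group("System Administrators", {"backup", "restore", "manage"})
    app.add_external_member("Backup Users", "Backup Operators")     # whole external group
    app.add_external_member("System Administrators", "bob.jones")  # single external user
    return app


if __name__ == "__main__":
    app = build_sample_app()
    print(sorted(app.effective_rights("carol.wu")))   # ['backup']
    print(sorted(app.effective_rights("bob.jones")))  # ['backup', 'manage', 'restore']
```

Because rights are resolved against the directory at evaluation time, removing "carol.wu" from the external "Backup Operators" group revokes her backup right without any change inside the storage application, which is the property the passage attributes to the design.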
[0039] FIG. 5 is a data structure diagram that illustrates access
control information metadata that may be stored with storage data
in one embodiment. The data structure 500 contains a security
descriptor 510 and secondary data 550. The security descriptor 510
contains an access control list 520 that specifies the entities
that have access to the backup data. The security descriptor 510
may contain multiple access control lists that define different
types of access such as read, write, or execute permissions. The
access control list 510 contains access control entries ACE1 and
ACE2 (shown with respective reference numerals 530 and 540). Each
access control entry refers to a different entity, such as a user,
group, resource, or other entity, that has some type of access or
lack of access to the secondary data 550. Alternatively or
additionally, the access control entries 530 and 540 may specify
different entries that are denied access to the secondary data 550.
The security descriptor 510 may contain other information such as
keywords that members of the specified access control list have
access rights to. For example, the security descriptor 510 may
indicate that a particular entity does not have access to documents
containing the keyword "confidential."
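The following Python code is an added illustration that serves both the storage operation of FIG. 2 (paragraph [0035], steps 210 through 240) and the access control metadata of FIG. 5 (paragraph [0039]); it is not part of this application or its figures. The security descriptor, access control entries, keyword restrictions, principals and document contents are constructed sample values, and the rule that a matching deny entry overrides any allow entry, as well as the choice that a backup requires read permission on the source, are assumptions of this example rather than statements of the application.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Access types a descriptor may grant or deny."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class ACE:
    """Access control entry (FIG. 5, 530/540): one entity and the access it is
    allowed, or, when allow is False, denied."""
    principal: str
    mask: Access
    allow: bool = True


@dataclass
class SecurityDescriptor:
    """Security descriptor (510): an access control list plus, per entity,
    keywords whose documents that entity may not access."""
    acl: list
    denied_keywords: dict = field(default_factory=dict)


@dataclass
class DataObject:
    path: str
    content: str
    descriptor: SecurityDescriptor


def check_access(sd, principal_ids, wanted, content=""):
    """Evaluate the descriptor for a requestor identified by its user and group
    names. Assumed rule: any matching deny entry wins; otherwise every requested
    access bit must be granted by some allow entry; keyword restrictions are
    then applied to the content."""
    granted = Access(0)
    for ace in sd.acl:
        if ace.principal not in principal_ids:
            continue
        if not ace.allow and ace.mask & wanted:
            return False
        if ace.allow:
            granted |= ace.mask
    if (granted & wanted) != wanted:
        return False
    text = content.lower()
    for pid in principal_ids:
        if any(k.lower() in text for k in sd.denied_keywords.get(pid, ())):
            return False
    return True


def perform_storage_operation(source, requestor_ids, index, dest_store):
    """FIG. 2: query the source's access control information (220), verify the
    requestor may perform the operation (230, assumed to need READ for a
    backup), copy the object, then attach the same descriptor to the secondary
    copy in the content index (240)."""
    if not check_access(source.descriptor, requestor_ids, Access.READ):
        raise PermissionError(f"{sorted(requestor_ids)} may not back up {source.path}")
    copy = DataObject(f"{dest_store}:{source.path}", source.content, source.descriptor)
    index[copy.path] = copy
    return copy


# Constructed sample descriptor and document (not taken from the application).
SAMPLE_SD = SecurityDescriptor(
    acl=[
        ACE("finance", Access.READ | Access.WRITE),                  # ACE1: allow
        ACE("interns", Access.READ),                                 # allow, read only
        ACE("contractors", Access.READ | Access.WRITE, allow=False),  # ACE2: deny
    ],
    denied_keywords={"interns": {"confidential"}},
)
SAMPLE_DOC = DataObject("/finance/merger.docx", "Confidential merger plan", SAMPLE_SD)

if __name__ == "__main__":
    index = {}
    copy = perform_storage_operation(SAMPLE_DOC, {"backup-svc", "finance"}, index, "backup-finance")
    print(copy.path)  # backup-finance:/finance/merger.docx
    print(check_access(copy.descriptor, {"ivy", "interns"}, Access.READ, copy.content))  # False
```

The point of storing the descriptor with the copy is visible in the last line: an intern who could not open the original because of the "confidential" keyword is refused the backup copy by the same rule, so the secondary copy is no easier to reach than the source.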
CONCLUSION
[0040] From the foregoing, it will be appreciated that specific
embodiments of the storage access control system have been
described herein for purposes of illustration, but that various
modifications may be made without deviating from the spirit and
scope of the invention. For example, although certain preexisting
security systems have been described, the storage access control
system is compatible with any preexisting security system, such as
Linux Kerberos, Lightweight Directory Access Protocol (LDAP)-based
systems, and others. Although backups have been described, the
storage access control system can be applied to other storage
operations such as migrating data from one system to another.
Accordingly, the invention is not limited except as by the appended
claims.
[0041] Unless the context clearly requires otherwise, throughout
the description and the claims, the words "comprise," "comprising,"
and the like are to be construed in an inclusive sense, as opposed
to an exclusive or exhaustive sense; that is to say, in the sense
of "including, but not limited to." The word "coupled", as
generally used herein, refers to two or more elements that may be
either directly connected, or connected by way of one or more
intermediate elements. Additionally, the words "herein," "above,"
"below," and words of similar import, when used in this
application, shall refer to this application as a whole and not to
any particular portions of this application. Where the context
permits, words in the above Detailed Description using the singular
or plural number may also include the plural or singular number
respectively. The word "or," in reference to a list of two or more
items, covers all of the following interpretations of the word: any
of the items in the list, all of the items in the list, and any
combination of the items in the list.
[0042] The above detailed description of embodiments of the
invention is not intended to be exhaustive or to limit the
invention to the precise form disclosed above. While specific
embodiments of, and examples for, the invention are described above
for illustrative purposes, various equivalent modifications are
possible within the scope of the invention, as those skilled in the
relevant art will recognize. For example, while processes or blocks
are presented in a given order, alternative embodiments may perform
routines having steps, or employ systems having blocks, in a
different order, and some processes or blocks may be deleted,
moved, added, subdivided, combined, and/or modified. Each of these
processes or blocks may be implemented in a variety of different
ways. Also, while processes or blocks are at times shown as being
performed in series, these processes or blocks may instead be
performed in parallel, or may be performed at different times.
[0043] The teachings of the invention provided herein can be
applied to other systems, not necessarily the system described
above. The elements and acts of the various embodiments described
above can be combined to provide further embodiments.
[0044] These and other changes can be made to the invention in
light of the above Detailed Description. While the above
description details certain embodiments of the invention and
describes the best mode contemplated, no matter how detailed the
above appears in text, the invention can be practiced in many ways.
Details of the system may vary considerably in implementation
details, while still being encompassed by the invention disclosed
herein. As noted above, particular terminology used when describing
certain features or aspects of the invention should not be taken to
imply that the terminology is being redefined herein to be
restricted to any specific characteristics, features, or aspects of
the invention with which that terminology is associated. In
general, the terms used in the following claims should not be
construed to limit the invention to the specific embodiments
disclosed in the specification, unless the above Detailed
Description section explicitly defines such terms. Accordingly, the
actual scope of the invention encompasses not only the disclosed
embodiments, but also all equivalent ways of practicing or
implementing the invention under the claims.
[0045] While certain aspects of the invention are presented below
in certain claim forms, the inventors contemplate the various
aspects of the invention in any number of claim forms. For example,
while only one aspect of the invention is recited as embodied in a
computer-readable medium, other aspects may likewise be embodied in
a computer-readable medium. Accordingly, the inventors reserve the
right to add additional claims after filing the application to
pursue such additional claim forms for other aspects of the
invention.
* * * * *