JP2002259214A - Controlling access to storage device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method and a device for giving control system call access to a data storage device. SOLUTION: A plurality of groups are defined, and a plurality of action types and corresponding levels of authorization are defined for each of the groups. As for a subset of the action types, a plurality of devices on which corresponding actions may be performed are defined, wherein at least some of the devices correspond to portions of a data storage device 22 to determine authorization for a requested action for the at least one of the groups. If the action corresponds to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group and by examining the plurality of devices corresponding to the requested action. If the action does not correspond to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to the field of computer data storage, and more particularly to the field of configuring control system call access to data storage.

[0002]

2. Description of the Related Art A host system is capable of storing and retrieving data using a data storage device including a plurality of host interface units (ports), and the host interface unit has an internal memory provided in the data storage device. It can communicate with a storage mechanism to store and retrieve data. Such data storage devices are provided, for example, by EMC Corporation of Hopkinton, Mass. And are disclosed in U.S. Pat.
No. 6,939, Galtzur et al. U.S. Pat.No. 5,778,394, Vi
No. 5,845,147 to shlitzky et al. and US Pat. No. 5,857,208 to Ofek.

[0003] Host systems may be given limited access to certain parts of the internal storage,
The access can include “system calls” that cause the data storage to perform management-like operations (eg, auto-mirror, copy, backup), reading and writing data. System calls do not directly read or write data. But even so,
A system call can cause one of the user host systems to indirectly access data assigned to another host system. In addition, remote system calls can be issued to the storage element through a remote storage device (eg, in a disaster recovery situation) or through a fabric port.

[0004]

The use of system calls to provide unintended indirect access for one host system to memory resources allocated to another host system is a problem for all host systems. The problem is that if the entire storage device is controlled by a single entity that can coordinate access between different groups within that entity (ie, all are owned and operated by a single enterprise). Does not. However, if not all host systems are controlled by a single entity (e.g., multiple different small businesses share one data storage device), and different groups of the same company may be uncoordinated Using a system call to allow such indirect access of internal storage functions when accessing a host system at a particular time, particularly when the data storage device is one or more entities and / or one within a single entity It is not desirable to include the confidential data of the above groups. Further, in a configuration where the storage device is connected to the additional storage device and provides a backup service therefor, it is not desirable to allow unintended access to data by a system call.

[0005]

According to the present invention, the control of the storage device includes defining at least one group that accesses the storage device, at least one of the devices of the storage device.
Specifying one pool, specifying multiple access types, and for at least one group,
At least one for at least one of the access types
Determining access rights for one pool. The access type can include a system call. At least one group and at least one pool can include logical or physical units. At least one pool may include a communication port of the storage device. The access right can indicate whether a system call is allowed on the communication port.

Further, according to the present invention, access to the storage device is restricted by connecting each of a plurality of host systems to the storage device by one of a plurality of ports provided in the storage device, Selectively determining whether the system call is acceptable for
For a port for which a system call is not permitted, a system call by the host system connected to the port causes the storage device to indicate that the system call was not executed. Restricting access also includes providing a mechanism to control whether a port can tolerate system calls. Providing the mechanism includes providing an external controller connected to the storage device. The external control device can function as a dumb terminal that transmits a character to the storage device and receives a character from the storage device.

[0007] Access restrictions also include providing an override mechanism that allows system calls on ports that do not allow system calls. Also, the override mechanism can prevent system calls on ports that allow system calls. Access restrictions also include resetting the override mechanism after a predetermined amount of time has elapsed since the mechanism was set. The predetermined amount of time can be 30 minutes. Restricting access also includes providing an external controller that facilitates setting the override mechanism. Providing an external control device includes providing a dumb terminal that transmits characters to the storage device and receives characters from the storage device.

Further, according to the present invention, the port of the storage device includes means for receiving data provided to the storage device, means for transmitting data from the storage device, and means for inhibiting a system call provided to the port. And the system call includes a request for a management operation for a storage device that does not transmit and receive data.

Further in accordance with the present invention, computer software for controlling a port on the storage device is connected to the means for communicating with the storage device and the means for communicating so that the port does not receive the provided system command. Control means for providing a command to the storage device, wherein the system command includes a request for a management operation by the storage device.

Further according to the present invention, an apparatus for controlling a port on a storage device is connected to the port and processes data communication with the storage device, a port driver connected to the port driver, and a security configuration data element. A security module that controls data communicated by the port driver based on the override display data element. The device can also include a security configuration control module connected to the security configuration data element and controlling its state. The apparatus may also include a disk configuration data element connected to the security configuration control module, wherein the security configuration control module controls the state of the security configuration data element according to the state of the disk configuration data element. The apparatus also includes an external interface module connected to the disk configuration data element for controlling its state, the external interface module receiving command data provided to the storage device. An external module can be connected to the override display data element and control its state. The device may also include a counter module connected to the override display data element and controlling its state according to the amount of elapsed time.

Further, according to the present invention, determining whether to execute the system command received at the port of the storage device includes determining whether the open override is set, and determining whether the port control data is Determining whether or not it is present, and determining whether the port control data indicates that the system call is permitted, and determining whether the system call is permitted, and setting the port control data, indicating that the system call is permitted. Executing a system call in response to at least one of the nonexistent port control data. Also, determining whether to execute the system command includes determining whether a close override has been set and at least one of port control data indicating that the close override during the setting and the system call are not allowed. Rejecting system calls in response to
Can be included.

Further in accordance with the present invention, a method of controlling a data storage device includes providing at least one requestor for accessing the storage device, providing at least one pool of devices for the data storage device, Providing multiple access types and at least one of a pool of devices
Determining whether, for one device, a request by a requestor of at least one requesting group has been granted, the device is the subject of the request. The access type may include at least one of a mirror, copy, backup, split, and tracking system calls. The access type may further include reading and writing data. At least one
One group and at least one pool have a unique ID
It may include at least one logical unit including a number and a physical unit. The at least one pool can include at least one of a communication port of the data storage device and a portion of the memory of the data storage device. The pool may include a communication port, and the access right indicates whether a system call has been granted on the communication port. The pool may include a portion of memory, and the access rights indicate at least one of read and write access to the section.

Further in accordance with the present invention, a method for controlling access to a data storage device comprises providing, for each requester having access to the data storage device, a requester identification number that uniquely identifies each requester. Dividing the memory of the data storage device into a plurality of memory segments, defining an identification number for each segment, reading,
Providing a plurality of request types, including at least one of write, mirror, copy, backup, split, and tracking system calls, wherein a request of a selected type to a selected memory segment according to a requester identification number; Granting the requester the selected type of request access to the selected one of the plurality of memory segments only if the requester identification number database indicates that it has been granted. The access control method can include issuing an access request negative indication if the database indicates that the identification number is not allowed for a particular type of access to a particular memory segment. The override memory location can store at least one of a path override condition, a reject override condition, and a no override condition. Prior to reviewing the database, the override memory location is checked and the request can be granted if the path override condition is stored. The value stored in the override memory location can return without override after a specified time. The designated time can be 30 minutes. Prior to reviewing the database, the override memory location may be checked and the request rejected if a reject override condition is stored. A plurality of memory segments can be grouped into a pool of devices, and allowing a requester a selected type of requested access examines a particular one of a pool of devices corresponding to the selected memory segment. Can be included.

Further, according to the present invention, a method for controlling access to a data storage device includes reading data from a specific portion of the data storage device, writing data to a specific portion of the data storage device, Issuing at least one request for data backup, data mirroring, data copying from a particular portion of the data storage device, partitioning of the data storage device volume, and tracking changes to the data storage device volume. Providing at least one group of requesting devices from the plurality of requesting devices accessing the data storage device; providing a pool of a plurality of memory resources from the plurality of individually addressable memory resources of the data storage device; Before accessing the memory, the control logic of the data storage Providing click includes the from one request of the plurality of requesting device to access the at least one memory resource of the plurality of pools to determine whether acceptable, the. The override memory location can store one of a path override condition, a reject override condition, and a no override condition. Prior to reviewing the database, the override memory location can be checked and the request can be granted if path override conditions are stored. The value stored in the override memory location can return to the no override condition after a specific time. The specific time can be 30 minutes. The override memory location can be checked before reviewing the database, and the request can be denied if a reject override condition is stored. The access level for the group corresponding to the requester can be set to provide an access level lower than the access level set for any member of the requesting group. The access level of the group can be examined before the access level of the requester, and if the access to the group is permitted, the access level of the requester is not checked. The pool of memory resources can allow more access levels than the access levels set for every member of the pool. The access level of the pool can be examined before the access level of the memory segment. If access to the pool is not permitted, the access level of the memory segment is not checked.

Further, according to the present invention, a method for controlling access to a data storage device includes associating an ID number identifying at least one of a request source having access to a storage element and a group to which the request source belongs; Determining if the requested type of access operation to at least a portion of the data storage device has been granted to the requestor according to the information, the access information comprising: a requester ID number, a group ID. It includes one or more access operations associated with at least one of a number, a password corresponding to the requester, and a password corresponding to the group. The access operation may include at least one of backup, mirror, copy, split, and track. The access operation may include at least one of data reading and data writing. As the access information, only one of the request source ID number, the group ID number, the password corresponding to the request source, and the password corresponding to the group can be used. The access information may use a combination of the requester ID number and the group ID number. The access information may use a combination of a group ID number and at least one of a password corresponding to the requester and a password corresponding to the group. As the access information, a combination of a group ID number and a password corresponding to the group can be used.

According to the present invention, there is further provided a method for controlling access to a data storage device, comprising: a request source having access to a storage element;
Associating a password identifying the one with the other and determining, according to the access information, whether a requester has been granted a requested type of access operation to at least a portion of the data storage device; The access information includes one or more access operations associated with the password. Access operations include backup, mirror, copy,
At least one of a split and a track may be included. The access operation may include at least one of data reading and data writing. The password can correspond to the requestor or group.

[0017] With such an arrangement, the computer system's access to data storage resources, particularly shared resources, whether centralized or distributed, may be unauthorized control, access or storage resource re-authorization. Control can be provided to prevent configuration changes from occurring in the selected pool of memory storage devices. Such fine-grained control of access permissions allows an efficient method between separate and distinct groups of users without losing control over who has access to sensitive data and without losing control of memory organization. Enables sharing of memory storage resources. In some systems, only a limited set of system administration is required to make the portion of data storage available into a resource pool with controlled access from a host computer system or group of other users. You can have access permissions. System management can group individual memory resource elements into various memory device pools, each pool having different levels of system call access to each individual one of the requesting host systems or groups of host systems. Having. Thus, the described configuration has a simple but flexible way to control access to a group of memory resources by a large group of host systems and users while satisfying the requirements of different host environments and desired memory configurations. Provide a way.

The host system requesting memory system access (ie, the requestor) can be a separate large computer system, each separate from a plurality of real-time or batch users, a main memory through a local area network. A workgroup of a personal computer connected to, or other data storage device performing a routine backup storage function,
Or it has a number of other known electronic devices that can be connected to a data storage device. The data storage device may be set up using a large array of individual magnetic memory disks, an addressable portion of a large mass storage disk, a semiconductor memory, a communication access port of a memory system, or any of a number of known forms of data storage devices. Can be.

The described embodiment describes the ID of each host system that can request access to the memory, the ID of each available memory element, and what type of access each host ID is allowed in each memory element. Or limited access to select memory portions based on a matrix containing The requester ID is an existing host computer system hardware ID, a user password or group password in a multi-computer system, a fiber channel world wide name, a URL in an Internet access configuration, a unique random access number assigned by a memory system, and a default value. Alternatively, any number that can function to identify the requesting device for the purpose of checking for acceptable access to the memory segment addressed by the request can be created. Such a check is performed by comparing the ID against a database of acceptable requestors of the addressed memory, typically in the form of a matrix.
For example, a large host computer system having a hardware ID of 111 AAA2 has ten terminals and five terminals.
There can be zero authorized user accounts. 5
If all zero users have been granted access to each portion of the centralized memory by the host system administrator, simply allow access according to the ID number of the particular memory access port that connects the storage system to the host computer system. More appropriate access can be obtained. However, if 50 users belong to 5 different workgroups, and each group does not want their data storage to be affected by the actions of the other 4 workgroups, then access will be available to all 50 users. This can be tolerated by a combination of a hardware ID that provides access to a common shared memory section and an individual user password that provides increased access to certain portions of the memory area allocated to the large host computer. Another example is
It is a large memory system accessible through the Internet. The specific memory resources that can be addressed by each of a number of computers connected to the Internet, from any type of no access, to the requesting UR
Depending on the ID number of the memory section granted by L or, alternatively, the assigned access ID number, the system call access to the addressed memory section is completed.

The described method can be used to address addressed memory elements or sections ranging from read only no access to system calls such as copy or mirror, or any level of system administrator access defined and included in the access control logic. All levels of requester access. Multiple requesters can have different levels of access to the same memory element, and the requestor can have multiple convenient requester groups with a unique group ID number and defined access to a particular memory element. Can be grouped into In embodiments where IDs are assigned to both the group and the requestor, the group ID corresponds to the level of access to the device pool that is less than or equal to the minimum access level that any individual member of the group has with respect to the device pool. Such an arrangement allows access to authorized requests to be granted more quickly. Because, the access control logic memory to search to find the group ID and determine the allowable access restrictions will be smaller than for each individual requestor.

Similarly, a plurality of memory elements can be grouped into a memory device and a predetermined pool ID number. The memory element can be a separate magnetic disk, a portion of a disk, a group of connected disks, a semiconductor memory such as a cache, or a communication port that connects a data storage device to a requestor or host computer system. In some systems, the pool allows more access to the requester ID than any one pool member, so if the requester is found not to have sufficient access to address the pool, further searching is No, efficiency and access speed are improved.

Further according to the invention, determining the permission of the action comprises defining a plurality of groups;
Defining, for each group, a plurality of action types and corresponding permission levels; and, for at least a subset of the action types, defining a plurality of devices for performing the corresponding actions, wherein at least some devices Responsive to a portion of the data storage device and determining permission for the requested action for at least one group, wherein at least one group is provided if the action corresponds to one of the devices. The permission is determined by examining the permission level for the action type corresponding to and at least one group if the action does not correspond to one of the devices by examining a plurality of devices corresponding to the requested action. Permission level for the action type to perform Permissions are determined by examining. Action types can include system calls to data storage. The at least one device may include at least one disk storage area of a data storage device. The at least one device may include a communication port of the data storage device. The action type may indicate whether a system call is allowed on the communication port. For the requested action allowed, a tag can be returned that can be used with subsequent requests to perform the action.

Further in accordance with the present invention, determining permission for an action includes determining whether the requestor is included in the requestor list and determining whether the requested action is an action type associated with the requestor. Determining whether it is included in the list, and if the action uses at least one device, whether at least one device is included in the device list associated with the requester and the requested action; And the device list includes at least some devices associated with the data storage device. Also, determining authorization may include using a default requestor from the requestor list if the requester is not included in the requester list.
Determining permission may also include denying permission if the requester is not included in the requestor list. Also, determining authorization includes authorizing the action if the requested action does not use at least one device and the requested action is included in a list of action types associated with the requestor. be able to. At least some of the action types may not correspond to actions performed on the data storage device. Action types can include system calls to data storage. The at least one device may include at least one disk storage area of a data storage device. The at least one device may include a communication port of the data storage device. The action type may indicate whether a system call is allowed on the communication port. Also, determining authorization can include, for an authorized requested action, returning a usable tag in connection with a subsequent request to perform the action.

Further according to the invention, an apparatus for determining permission of an action includes means for defining a plurality of groups,
Means for defining, for each group, a plurality of action types and corresponding permission levels, and means for defining, for at least a subset of the action types, a plurality of devices for performing the corresponding actions, wherein at least some devices Comprises means corresponding to a portion of the data storage device, and means for determining permission for a requested action for at least one group, wherein at least one of the actions corresponds to one of the devices. The permission is determined by examining a permission level for an action type corresponding to the group, and examining a plurality of devices corresponding to the requested action, and if the action does not correspond to one of the devices, the at least one group Permission level for the action type corresponding to Permissions are determined by examining the Le. Action types can include system calls to data storage. The at least one device may include at least one disk storage area of a data storage device. The at least one device may include a communication port of the data storage device. The action type may indicate whether a system call is allowed on the communication port. For a requested action that is authorized, the device can return a tag that can be used for subsequent requests to perform the action.

Further in accordance with the present invention, an apparatus for determining permission to an action includes means for determining whether the requester is included in the requestor list, and means for determining whether the requested action is an action type associated with the requestor. Means for determining if it is included in the list and at least one action
Means for determining whether at least one device is included in the device list associated with the requester and the requested action, when using two devices, wherein the device list is associated with the data storage device. Including at least some devices. The apparatus may also include means for using the default requester from the requester list if the requester is not included in the requester list. The device may also include means for denying permission if the requester is not included in the requestor list. The device may also include means for allowing the action if the requested action does not use the at least one device and the requested action is included in a list of action types associated with the requestor. . At least some of the action types may not correspond to actions performed on the data storage device. Action types can include system calls to data storage. At least one device comprises:
The data storage device may include at least one disk storage area. The at least one device may include a communication port of the data storage device. The action type may indicate whether a system call is allowed on the communication port. Also, the device may include, for the requested requested action, means for returning a tag that can be used in connection with a subsequent request to perform the action.

Further, according to the present invention, in computer software for determining permission of an action, an executable code defining a plurality of groups, a plurality of action types and a corresponding permission level are defined for each group. Executable code and, at least for a subset of the action types, executable code defining a plurality of devices that perform corresponding actions, at least some devices corresponding to portions of the data storage device. An action type corresponding to at least one group if the action corresponds to one of the devices, comprising: an executable code for determining permission for a requested action for at least one group; Checking permission levels for The permission is determined by examining the plurality of devices corresponding to the requested action, and if the action does not correspond to one of the devices, the permission is determined by examining the permission level for the action type corresponding to at least one group. It is determined. Action types can include system calls to data storage. The at least one device may include at least one disk storage area of a data storage device.
The at least one device may include a communication port of the data storage device. The action type may indicate whether a system call is allowed on the communication port. For the requested action allowed,
It may have executable code that returns a tag that can be used for a subsequent request to perform an action.

Further according to the present invention, in computer software for determining permission to an action,
Executable code to determine whether the requester is included in the requestor list and executable code to determine whether the requested action is included in the list of action types associated with the requestor , Action is at least 1
Executable code for determining whether at least one device is included in the device list associated with the requester and the requested action when using one device, the device list comprising data storage. At least some devices associated with the device. The computer software may have executable code that uses a default requester from the requester list if the requester is not included in the requester list. The computer software may have executable code that denies permission if the requester is not included in the requestor list. The computer software further comprises executable code for permitting the requested action if the requested action does not use at least one device, and the requested action is included in a list of action types associated with the requestor. be able to. At least some of the action types may not correspond to actions performed on the data storage device.
Action types can include system calls to data storage. The at least one device may include at least one disk storage area of a data storage device. The at least one device may include a communication port of the data storage device. The action type may indicate whether a system call is allowed on the communication port. The computer software may have executable code that returns, for an authorized requested action, a tag that can be used in connection with a subsequent request to perform the action.

[0028]

DETAILED DESCRIPTION OF THE INVENTION Referring to FIG.
Includes a data storage device 22 capable of storing data for a plurality of host systems connected through a data connection (not shown). A host system can include one or more host processors or other data storage devices. Data storage 22 may be implemented using Symmetrix storage manufactured by EMC Corporation of Hopkinton, Mass., Or other types of data storage capable of providing the functionality described herein.

The data storage device 22 is illustrated as being divided into a plurality of sections 24-26, each section being connected to one of the host systems connected thereto (eg,
2 illustrates some of the resources of the data storage device 22 accessed by the host processor or another data storage device. These resources include, for example, a portion of the internal memory of the data storage device 22.

External control unit 28 can be connected to data storage unit 22 and control its operation in a conventional manner. The external controller 28 can be implemented using the Symmetrix Symm Win function, which is provided by EMC Corporation of Hopkinton, Mass., And is compatible with conventional computer workstations and workstations. Other suitable software to facilitate connection and communication with the data storage device 22 and software for operation on hardware. In some embodiments, external control device 28 operates like a dumb terminal that communicates with data storage device 22 using conventional software provided for that purpose.
The operation performed by the external control device 28 will be described later in detail.

Data storage device 22 also has a plurality of external ports 34-36, which provide communication to a host system connected to storage device 22. Port 34 ~
36 allows the host system to store data in the data storage device 22 and retrieve data from the data storage device 22. Each port 34-36 handles communication for one of the host systems connected to data storage device 22.

A host system connected to the data storage device 22 can control the data storage device 22,
Access and use of sections 24-26 of data storage device 22 can be controlled by using management-like system calls that can be provided through ports 34-36. In fact, such a system call can control the configuration and operation of the data storage device 22. In some embodiments, although some system calls may indirectly affect data stored in data storage 22 as described above, system calls are simply sent to ports 34-36. Is distinct from calls that read and write.

In the case where the data storage device 22 and all the host systems connected to it are controlled by a single entity, system calls to the host system that may affect access by one of the other host systems are made. Getting it done is easy. However, in instances where the host system may be controlled by different entities or different groups within the same entity, sections 24 of data storage 22 assigned to another host system controlled by a different entity.
It can be problematic to allow one host system to make system calls that can affect one of. In other words, system calls made by host systems controlled by different entities can conflict.

To handle such a situation, some or all of ports 34-36 of data storage device 22 may be accessed by a system call from a host system (or any other device therefor) connected thereto. Can be configured to not accept. Restricting system calls on some or all of ports 34-36 is not a problem because system calls can alter the configuration and access scheme of data storage device 22.
Prohibits a host system connected to it from accessing resources allocated to another host system. Thus, for example, if section 24 indicates the storage memory allocated to the host system connected to port 34 and section 25 indicates the storage memory allocated to the host system connected to port 35, then ports 34, 35 Prohibiting the system call at prevents the host system connected to the port, for example, from illegally accessing the section 25 of the storage memory allocated to the host system connected to the port. As described in more detail below, the configuration and assignment of functions performed by system calls
It can be performed only by the external controller 28, or only by a subset of the host system connected to the external controller and ports 34-36.

Referring to FIG. 2, system 40 illustrates an arrangement in which another data storage device is connected to another storage device. The system 40 includes the first data storage device 4
2, a second data storage device 44, and a third data storage device 50. First data storage device 42 is connected to third data storage device 50 through port 52.
The second data storage device 44 is connected to the third data storage device 50 through the port 54.

The system 40 shown in FIG. 2 can, for example, represent a third party data backup scheme, wherein a first entity controls a first data storage device 42 and a second unrelated entity is a second unrelated entity. Controls the second data storage device 44, and both the first and second entities obtain data backup services from the third entity that controls the data storage device 50. In some examples, data storage device 50 is provided at a location remote from the location of first and second data storage devices 42,44. In such an arrangement, system calls at ports 52 and 54 are inhibited, and data storage 42 connected to port 52 is allocated to data storage 50 assigned to use by data storage 44 connected to port 54. It is beneficial to prevent access to the part of. Similarly, the system call at the port 54 is prohibited, and the data storage device 44
It is desirable to prevent access to the portion of the data storage device 50 that is allocated for use by the. The mechanism for inhibiting such access is described in more detail below.

Referring to FIG. 3, data flow diagram 60
Shows the operation of software that handles communications and system calls that are enabled and disabled on ports 34-36 of data storage device 22. The port driver 62 receives the data provided to the data storage device 22 through the port 34 and supplies the data from the data storage device 22 to the host system (not shown) connected thereto through the port 34. Port 34 provides communication between the host system and data storage device 22.
Flow diagram 60 shows only one port 34 and a corresponding one port driver to facilitate the following description. However, it will be understood by those skilled in the art that the functionality described herein may be extended to any or all of ports 34-36 of data storage device 22.

The port driver 62 is connected to the security module 64 so that all data input to and output from the data storage device 22 through the port 34 are controlled by the security module 64. Thus, as shown in FIG.
Is the data storage device 2 to provide its normal functions.
2 including the connection with the rest. However, as will be described in more detail below, the security module 64 may prohibit the transmission of data and / or system calls to and from the data storage device 22 under certain circumstances. The operation of security module 64 is described in more detail below.

The security module 64 is provided with security configuration information from a security configuration data element 66. As will be described in more detail below, security configuration data element 66 controls the operation of security module 64 and thus controls the data provided to and from port driver 62. The security module 64 also includes an override indicator data element 6
7, the override indicator data element 67 also controls the operation of the security module 64. Security configuration control module 68 controls the contents of security configuration data element 66 to indicate the type of access allowed at port 34 through port driver 62. Security configuration control module 68
Can provide data indicating whether the system call was accepted by the port driver 62 and subsequently processed by the rest of the data storage device 22.

In some embodiments, the override indicator data element 67 includes one variable for each port 34-36, where each variable indicates one of no override, open override, and closed override3. Takes one of two values. The open override value is set for ports 34-36 regardless of the setting in security configuration data element 66.
Indicate that the corresponding one of the two accepts the system call. Similarly, the close override value indicates that the corresponding one of the ports 34-36 will not accept system calls, regardless of the setting in the security configuration data element 66.

The security configuration control module 68 includes:
Data is obtained from a disk configuration data element 70 stored in an internal non-volatile area of the data storage device 22 (for example, provided in a part of a disk space used for general control of the data storage device 22). The disk configuration data element 70 is connected to the ports 34 to 36 of the data storage device 22.
Contains information on the type of access allowed for each.

The external interface module 72 includes conventional software for communicating with the external controller 28. The external interface module 72 modifies the disk configuration data element 70 to
Provides a mechanism to indicate the type of access provided to each of the ports 34-36. As described in more detail below, the external interface module 72
Can provide a mechanism for overriding the data in the security configuration data element 66 by writing to the override indicator data element 67. The override can be permanent or can be set to a predetermined amount of time, such as 30 minutes. If the override is set to a predetermined amount of time, the counter module 74 interacts with the override indicator data element 67 to
Reset the override after that time. The mechanism for this will be described later in detail.

Referring to FIG. 4, a flowchart 80 illustrates the operation of the system described herein. In a first test step 82, it is determined whether an open override has been set. An open override occurs when a user of the external controller 28 with appropriate access security indicates that it is desired to override the default settings for one or more of the ports 34-36. If so, the user accordingly responds to the external interface module 72
To access the override display data element 67. In one embodiment, the open override can be set by a user with system control security, and can only exist for a predetermined amount of time since it was set. The time limit can be implemented in a conventional manner by the counter module 74 of FIG. 3, which counts a predetermined amount of time (e.g., 30 minutes) after the open override has been set, and an appropriate amount of time after the predetermined amount of time. Provide a reset to indicate no override.

If it is determined in test step 82 that an open override has been set, then control passes from test step 82 to step 84, where the required system call is executed at that port (ie, , A system call is sent to the rest of data storage 22). Regardless of any other configuration settings for port 34, if an open override is set, all system calls provided to port 34 will be executed as long as the open override remains valid.

If it is determined in step 82 that no open override has been set, then control passes from test step 82 to test step 86, where it is determined whether a close override has been set. As with the open override, the fact that the close override is set
Regardless of any other settings for port 34,
Indicates that system calls are not allowed on the port as long as the close override remains valid. Also, similar to the open override, the close override can be set for a predetermined amount of time, eg, 30 minutes, and then reset using the counter module 74.

If it is determined in step 86 that the close override has been set, then control passes from test step 86 to step 88, where the system call requested by the host system connected to port 34 is Will be rejected. Rejecting the system call at step 88 does not perform the action dictated by the system call, but includes returning a code indicating that the system call was rejected to the requesting host system.

Following test step 86 is test step 90, which determines whether configuration information exists for the port. In some embodiments, security configuration data element 66 may be completely removed (or, alternatively, security configuration data element 66 may not be created first), in which case it is assumed that security does not exist, Therefore, all system calls can be requested from any of the ports 34 to 36. Thus, if it is determined in test step 90 that there is no configuration information (ie, there is no security configuration data element 66), control proceeds from test step 90 to step 84, where a system call is executed.

If it is determined in test step 90 that there is configuration data (ie, security configuration data element 66 is present), control transfers from test step 90 to test step 92, where the configuration information is examined.
It is determined whether a system call can be requested through port 34. This can be indicated in security configuration data element 66 by any one of a variety of conventional methods, which include a Boolean for each port that indicates whether a system call was allowed on each port. Including having variables (flags). If it is determined in test step 92 that the system call is not allowed, then control is passed from step 92 to step 88
To where the requested system call is rejected as described above. Instead, if it is determined in step 92 that the system call has been accepted, then control proceeds from test step 92 to step 84, where the system call is executed.

[0049] Generalize the approach described herein to state that operations can be performed and resources allocated based on the identity of the requesting information (ie, the identity of the host system). deep. Thus, a particular access type or permission may be provided to the requesting identifier (or requesting group) to perform a particular operation, or a particular device or a pool of particular devices (eg, a device's pool). The method can be generalized as providing a mechanism for providing a set. Thus, rather than simply restricting system calls on a port-by-port basis, specific host systems (or groups of host systems) that are or are not allowed to make system calls on any of the ports (or pools of ports) It is enough to show.
In addition, such a generalized scheme can be used to selectively assign access to memory locations (eg, a pool of devices) based on an identifier of a host system or group of host systems.

In a generalized system, a system call consists of a requester ID, an access type, and a corresponding device. Optionally, use a password, and / or
Alternatively, the password can be associated with the requester ID and / or the group to which the requester belongs. The requestor can be a host computer, another data storage device, or any system that can make a system call to the data storage device. The access types are disk mirroring, backup, copy, and B
The type of requested access, such as CV processing, ChangeTracker processing, etc., can be indicated. BCV and change tracker processing is provided by EMC of Hopkinton, Mass. And includes processing of mirrored volumes. BCV is
Starts as a mirror volume, and then relates to the volume that you want to split to operate independently. A change tracker is concerned with tracking the difference between divided volumes by tracking the movement to each, thereby changing if one volume is required to be restored from another. Only the tracks that need to be written need to be written.

In some embodiments, access control includes control of read and write operations; in other embodiments, only system management calls are controlled. The corresponding device can indicate the device that is affected by the request, so that, for example, if the request includes a read operation on the disk, the device will be on the disk (or a portion of the larger disk space) that is affected by the read operation. is there.

Referring to FIG. 5, a matrix 100 stores requesting systems Q, R, S, T, and V (and groupings of requesting systems) as devices W, X, Y, and Z (and devices). , Pools, pools) of the access levels B, C, and M. In some embodiments, a pool of devices may have only one ID opposite the combination ID shown in FIG.

The matrix 100 has columns 102, 104, 106, 108 and 110 of the devices W, X, Y and Z and various possible combinations of pools of devices. The system may have more or less than the four devices shown in the matrix 100; instead, the matrix 100 may associate permission levels with the requesting user combination to grant resources. It may be in the form of a chart, list, database or any other approach. Matrix 100
Are rows 112, 114, 116, 118 corresponding to requesting systems Q, R, S, T, and V, such as a host computer or other electrical device that makes access requests for devices that are part of data storage device 22. And 120. The number of requesters can be any number.

Requester grouping is performed by the system administrator to provide improved access speed by reducing the amount of searching that must be performed to find the correct combination of requester and accessed device. It can be carried out. For example, all members of a workgroup may have an assigned individual access ID number that includes the workgroup number as part of the individual access ID number.
Thus, if an individual is accessing a memory element that is accessible to all members of the workgroup, the group ID number allows for faster database searching. In examples where a password is used to identify the requestor, the password can be assigned to the requestor and / or assigned to the group in a manner similar to the way an ID number is assigned, using the password itself, or Access can be controlled using a password in combination with the ID number.

Some systems have a valid access I
It should be noted that assigning a default access ID (and / or default password) to an access request that does not include D (and / or a password) can be processed according to the embodiments described above. In the matrix 100, the default ID
Is indicated by the request source V in row 118. It should be noted that requester V has no allowed access to any device except for B-type access to device X in column 106. Device X indicates, for example, a public library database intended for use by someone with an Internet connection. Numerous other potential uses for such open access can be imagined.

On the other hand, the requester Q in row 114 appears to have full access to all members of the device pool of the illustrated matrix. Requester Q indicates the ID of the system administrator, and therefore needs unlimited access to all memory elements for control and configuration purposes. Between the two described cases, there can be an unlimited number of possible combinations. It should be noted that more potential access levels than the three levels illustrated are possible according to the embodiments described above. It should also be noted that providing a particular level of access to a device (pool of devices) to individual requesters can be achieved by forming a group that includes only individual requesters. .

The group of four requestors (Q, R, S, and T) in row 112 shows that each of the device pools 102-110 has less allowed access than some individual requesters have as members of a different group. . In this example, the request source V is the row 112
Is not part of the requesting group of
Is not of interest. In line 120, the request source S
Has B and C access allowed in the device pool row 102, which in this example includes all four devices, denoted W, X, Y and Z. Thus, the requesting groups R and S, row 116, are typically not allowed more than B and C access, and in this example do not have the allowed access. This is the case if the requesting source R is only allowed to access, for example, a database contained in the device corresponding to the memory elements W and Z. Further, the grouping of the four requestors in row 112 must not allow more access than is allowed in the grouping of subsets, so that the group in row 112 does not have access to the device pool in column 102. Is shown in FIG.

An example of a situation where a requester such as Q from FIG. 5 has multiple accesses to all memory devices and pools of devices is a memory system administrator that can reset a password when a password is lost or forgotten. Can override any access control settings for maintenance or service, add new memory devices such as new disks, or remove old models from the device pool, and reconfigure device pool membership. To accommodate changing memory requirements, create new memory device pools to allow for an expanded customer base, or provide any other functionality provided by the system administrator. Administrators can also reconfigure membership and the number of requesting groups to improve the speed of access control to device pools, specify new levels of allowed access, or provide new allowed types of system calls. Can be suitably added to all data storage devices.

When a device and a pool of devices correspond to portions of memory, the situation described above is an efficient and efficient method for partitioning data storage while maintaining the security of secret user data within the data storage. Related to the ability to provide flexible memory access to authorized users. The above-described authorization system provides a mechanism to reject and accept potentially dangerous memory accesses and functions in a uniform manner,
An access decision can be made before variable system time is wasted at the beginning of a memory access execution that has been found not to be granted.

Authorization code (and / or password)
Can be used on an individual host computer or other requestor basis, or on a group access basis, or on a combination basis as shown in the matrix of FIG. If the method is restricted to potential per-requester IDs, the authorization matrix is large and finding the requester ID takes longer than if the requesters were grouped. On the other hand, limiting the access ID number to a large group of requesters limits the flexibility of assigning optimal accessibility to various members of the requester group. Thus, the described embodiments provide the access ID number for each individual requestor to provide maximum flexibility and increase the access grant rate by matching group access values to device pool access values. Provide the working group ID number.
In another embodiment, the access ID number is assigned only to the group and not to the individual requestor. Two access matrix methods can be used to provide maximum flexibility and improved authorization rates, where the first matrix (or other authorization methods described above) uses the requesting group ID and the device. Check the pool ID. If the entire group to which the individual requester belongs has authorized access for each member of the particular device pool directed to the requested type of access, no further look is needed. This is the case if the requesting group ID is only allowed as much as the lowest member of the group and the device pool is only allowed as much as the members of the most restricted pool. An example of an access matrix following the above situation is shown in FIG. 5 as described above. Thus, the described access control method can support varying levels of device pools, each level of access corresponding to a particular level or combination of access operations. Further, the method described above includes
By using the default access ID and allowing physical memory structures, such as communication ports, to have device pool ID numbers, it is compatible with existing methods that prevent dangerous device access operations, such as system calls.

The embodiment described with reference to FIG.
Includes forms with more than one requester group. A unique requester ID can be assigned to an individual host computer for each requester group of which the host is a part. Instead, the only ID is the group ID
And an individual ID number. The combination ID number utilizes the two-stage matrix access authorization method described above. In any case, a password can be used instead of or as an aid to the ID.

An exemplary configuration for data storage access control includes instructions for enabling and disabling the ID number system (and / or password system), and default and initial settings for the host system and other requestors. An access level, a system administrator password partially granting administrator-like access to a specified ID number, a temporary override command denying access to a specific requester ID for a predetermined amount of time, and a specific override for a predetermined amount of time. A temporary override command that gives full access to the ID can be defined. Use of these commands can be restricted to system administrators entering the system using a password.

Referring to FIG. 6, a flowchart 200 is shown.
Indicates the processing started in step 202, and step 20
2, the requesting system having access to the data storage device can be a request for access to a particular device or pool of devices, such as a memory, such as a host computer or another memory system. Make a read / write request, or request a copy,
Mirror data, BCV operation, change tracker operation,
Or make a system call such as backup data. The system call can come directly from the host computer system or can be relayed by another data storage device as in the case of a mirroring request. In some embodiments, only system calls are supported, and direct read / write operations are not handled on the numbers described herein.

Step 204 is followed by step 204, in which the ID of the host system making the system call request (the ID of the group to which the host system belongs) is entered.
Check against the reject override setting to determine if a reject override has been set. The override setting can be stored as a variable in the override location in memory. The set reject override indicates that the system call is denied regardless of the ID and the access settings for the corresponding device.
Such a reject override setting can be set by the system administrator for a number of possible reasons, such as a system failure, and there can be a timer setting to return the override state to a state without override a fixed time after the override has been set. If it is determined in step 204 that the reject override has been set, the request is not granted by the data storage device and the data storage device can send an access denied message to the requesting system in step 222, Ends in step 210.

If it is determined in step 204 that the reject system call override has not been set, then in step 212 the path override setting (which can be stored in an override location in memory or stored elsewhere) is checked. You. The path override indicates that the system call is permitted regardless of the access setting of the requester and the corresponding device. Once the path override has been set, the storage system completes the system call at step 214 and the process ends at step 210. Optionally, a message may be sent to the requesting system indicating that system call access has been granted and completed.

If no path override has been set, the call request is examined at step 216 to determine whether the access ID number is included in the request. Not all user systems connected to a data storage device have an access ID number. The access ID can be the same as the requester ID, or it can be a unique number, or it can be the ID of the group to which the requester belongs. In some examples, older systems that do not have the capabilities of the newer system (ie, ID or group ID) can still be used, thus extending the usefulness of the system and facilitating the introduction of new products. Provides backward compatibility. Also, it should be mentioned that a password can be used instead of or in addition to the access ID. If a correct access ID is found in the request, control proceeds to step 220. If the access ID is not found, a default ID is assigned in step 218 and control proceeds to step 220 where the access ID is
To determine whether the access ID is valid. An access ID whose access ID number is acceptable
If not found in the table of numbers, control proceeds to step 222 where a system call access denied message may be sent to the requesting system and the process ends at step 210.

Once the access ID is matched by the data storage device, step 224 checks the type of the access request to determine whether the particular type of system call requested is allowed. If the type of request being performed is not allowed for the corresponding device (device pool), control proceeds to step 222 where a system call access denied message can be sent to the requesting system, and then processing proceeds. The process ends at step 210.

If the type of request is generally permitted, the access ID is checked at step 226 and the particular requestor (the group to which the requestor belongs) is requested for the corresponding device (device pool) for the particular type requested. Check whether the system call is permitted. If negative,
Control proceeds to step 222, where a system call access denied message may be sent to the requesting system, and the process ends at step 210. If the ID is allowed for general use of the type of call made, control proceeds to step 228, where the devices affected by the system call are checked and the corresponding device pool is accessed for the requested type. Check whether to allow. If the requested type of access is not allowed, control proceeds to step 222, where a system call access denied message can be sent to the requesting system, and the process then ends at step 210.

If the device pool permits the requested type of access, step 230 determines whether the requested access is permitted. This helps to maintain a situation where requests are limited to requestors assigned specific access to a device pool, such as a portion or portions of the memory space of a data storage device. If the ID does not have adequate access to the device pool, control proceeds to step 222 where a system call access message can be sent to the requesting system and the access process ends at step 210. Access ID
If the number, device pool ID number, and type of access requested match, the system call is completed at step 214, and the access process then proceeds to step 2
The process ends at 10.

The code for the flowchart of FIG. 6 can be implemented using a scheme similar to that shown in FIG. 3 and described above. That is, the security module (similar to module 64 of FIG. 3) performs the steps shown in FIG. Security data indicating which groups of users have which types of access to which pools can be centralized in a conventional manner to provide the functionality described herein. The override settings can be stored in an override memory location. Other techniques for implementing the flowchart of FIG. 6 will be apparent to those skilled in the art.

The system described herein includes the user making the system call request (and / or the ID of the group to which the user belongs), which device pool in the request is relevant, what type of request is being made, And determine if the system is configured to allow the request. A device pool can be a separate physical disk, a group of disks, or a portion of a memory system that is divided into portions of a large disk. Memory resources may be grouped into memory pools that have the same requirements for the types of system calls allowed and for which particular requesters (or groups of requesters) are allowed access to memory. it can. For example, pool X may have 20 disk systems and may have access allowed only to requesters from company A.
Pool Y can include a portion of a large magnetic disk and allows access by companies A and B, but does not allow mirroring requests from anyone other than the system administrator. The described embodiment allows access based on ID numbers, so that a single large computer with multiple human users can have many different access IDs.
A D-number is provided so that each different user (and / or group of users) has a different level of access to different parts of the storage device. You want to prevent different departments within a single company from changing the values in the database by different departments, or you want to prevent that department from using more memory space than is allowed It is useful when thinking.
The embodiments described herein use the requester ID number (group ID number) to determine the type of storage access and access, and thus make the access dependent on the memory port to which the requester is connected. Rather than using physical control means to control, a logical device coordinator is constructed. As noted here, instead of an ID,
Or, in addition, a password can be used.

An example of the steps for generating access ID numbers and registering them in the data storage is a host computer system (or other requesting system type).
Of the host computer system, the ID of the group to which the host computer system belongs, the password for the host system, the password of the group to which the host system belongs, and / or the Fiber Channel World Wide Name. Invoking a utility program and determining if there are multiple access ID number requests for the host system. The host administrator has the hardware ID
(Or password or Fiber Channel World Wide Name) and provide the name and operating system used by the host to the system administrator. If multiple individual users are associated with the host system, each requiring a different level of access, an individual password or ID number can be assigned to each user. These are combined with the host system ID number to provide a unique ID for each user who can still provide host system information
Numbers can be generated. Users can be grouped and ID numbers can be provided to each group.

For additional security, the memory administrator executes the ID number through what is known as a secure hash program to further randomize the ID number and generate a unique ID number, in this case referred to as the access ID number. be able to. Different hardware devices have the same I
In the example with a D-number, the access ID number can be generated by using additional, possibly random, data as input to a secure hash function. The data storage device stores the access ID and associates it with a selected device pool, such as a memory element. A memory element can be either a single element, such as a disk or a portion of a disk, or a group of memory elements. When access is associated with a particular device pool, the system administrator assigns or removes access levels. Due to the use of a secure hash program in this exemplary embodiment, the access ID number is not known by the host system, but is regenerated from the hardware ID at the time of access, thus from a different location than the authorized host system. Prevent any access.

Referring to FIG. 7, a diagram 250 illustrates another embodiment in which security data can be stored in other ways. Diagram 250 shows a plurality of nodes 252-254 stored as a linked list. Each of nodes 252-254 may correspond to a user or a group of users. Therefore, in the description here, the word “user” can be considered as a synonym of the group of the user, and is consistent with the description in the other parts.

For each user, there are a plurality of allowable actions associated therewith, such that, for example, a user corresponding to node 252 performs an action corresponding to a plurality of nodes 256-258 connected to node 252. can do. Similarly, the user corresponding to the node 253 has a plurality of connected nodes 262 to 26
4 is allowed to perform the action corresponding to the node 254, and the user corresponding to the node 254 is allowed to perform the action corresponding to the plurality of connected nodes 266 to 268. Each action can be associated with one or more devices, or in some examples, an action has no associated device. Each node 256-258, 262-264, 266-268 corresponding to the action
Has a list of associated nodes corresponding to acceptable devices. Thus, for example, the action corresponding to node 256 has a list 272 connected to it, the list 272 including the action corresponding to node 256 and the node corresponding to an acceptable device for the user corresponding to node 252. Similarly, node 2
57 has a list 274 connected to it, node 2
58 has a list 276 connected to it. List of other devices 282, 284, 286, 292, 294,
296 is also shown.

User nodes 252 to 254 represent any number of users. That is, there may be any number of users and any number of nodes, rather than the three nodes 252-254 shown in diagram 250. Similarly, there may be any number of actions associated with each user, and any number of devices associated with each action.
Further, in some embodiments, one or more user nodes 252-254 may indicate a default user, as described in more detail below.

The nodes 256-connected to the user 252
Action nodes, such as 258, indicate various actions that can be performed by the user. Therefore, the user corresponding to the node 252 is connected to each of the nodes 256 to 25 connected thereto.
8 can be performed. That is, the linked list with nodes 256-258 includes an entry for each action granted to the user corresponding to node 252.

For each action in the action node list, there is a list of permitted devices that can execute the action. Thus, for example, node 256
, The nodes in list 272 indicate which devices can be used in relation to the actions corresponding to node 256 that are executable for the user corresponding to node 252. It should be noted that for some actions, the linked list corresponding to the device may be null (ie, contain no entries).
This occurs for actions that are not performed on a particular device, such as a system call requesting a user ID. Further, as described in detail below, a user can create a user defined action that may or may not correspond to any device.
Thus, for actions that data storage device 22 can perform, the user can first make a request to determine whether the desired action is granted.
Then, once the action is approved, the user can request that data storage device 22 perform the action. Alternatively, for actions that the data storage device 22 cannot perform, the user can simply perform the authorization request step only.

In practice, when requesting whether a particular action can be performed using one or more particular devices (or possibly zero devices), the user node 252
Scan ~ 254 first to find the node corresponding to the requesting user. If a matching node is found, then the connection list containing the node corresponding to the action is reviewed to determine whether the requested action is acceptable to the requesting user. If the action is determined to be acceptable, then scan the list corresponding to the device connected to the node corresponding to the action to see if the action requires a specific device Then, it is determined whether the requested device in relation to the user action is acceptable.

In some embodiments, a user-definable action is used to permit (ie, allow or deny) actions that cannot be performed on or by data storage 22. You can create a system that returns In that case, the user can simply define specific user-definable actions with specific permissions for the various users. Next, the user-definable actions can be attached to one or more lists corresponding to the particular actions. The user may then request permission for the particular action and receive an indication indicating whether the particular action was granted or denied. Of course, if the action does not correspond to an operation of the data storage device 22, the user will not be able to pursue a request for the data storage device 22 to perform the action. However, in some instances, it may be beneficial to simply receive authorized or denied access information.

It is noted that the data shown in diagram 250 can be stored in one of a variety of data storage techniques, including charts, lists, multiple linked lists, arrays, and databases. Furthermore, Diagram 2
The data shown at 50 may also be stored in security configuration data element 66 of FIG.

Referring to FIG. 8, a flowchart 300 is shown.
Shows the operation of the system using the data shown in diagram 250 of FIG. Flowchart 300 illustrates the processing of a user request for permission of an action, optionally involving a device.

The process begins in a first step 302, where it is determined whether the requesting user corresponds to a node in the user list. If not, control proceeds from step 302 to step 304, where the node corresponding to the default user is used. In some embodiments, a default user is used for users not specifically listed. The default user can be associated with a default action and a default device.

Following step 304, or if the user is found to correspond to a node on the list, is a test step 306, in which the requested action is taken to the node corresponding to the user. Determine if it is on the connected node list. If not, control is passed from step 306 to step 30.
Proceed to 8 and the request is denied. That is, if the requested action does not correspond to a node connected to the node corresponding to the user, the request is denied in step 308. Denying the request includes returning a code indicating that the request was denied.

If it is determined at step 306 that the requested action has been granted (ie, corresponding to one of the appropriate nodes), control proceeds from step 306 to step 310 where the requested action is performed by the device. Is determined. As mentioned above, some actions do not require or use a device. Such actions are, for example, Symmet
rix). Test step 3
If at 10 it is determined that the requested action does not include the device, control proceeds from step 310 to step 31.
Proceeding to 2, a display indicating that the request has been granted is returned to the user. It is also possible that step 312 returns a tag, described in more detail below.

If it is determined in test step 310 that the requested action uses the device,
Control proceeds from step 310 to test step 314, where it is determined whether the device is on the allowed list for the action. If not, control proceeds from step 314 to step 308, where the request is denied. Alternatively, if the test step 314 determines that the device is on the list, control proceeds from step 314 to step 312 where the request is granted. Subsequent to step 308 or step 312, the process ends.

[0087] In some embodiments, there may be no default user. In that case, step 304 is not performed. Alternatively, if it is determined in step 302 that the requesting user is not on the list of users, control proceeds from step 302 to step 308, where the request is denied. This is the flow chart 300
This is indicated by the alternative path 314 above.

In some embodiments, a tag can be used to provide a user with a password or key that is submitted in connection with a subsequent request. The tag can be returned to the user who made the successful request.
The user could then use the tag for performing the same operation at a later time. In some embodiments, the validity period of the tag does not expire, allowing the user to perform an action even after the security of the system has changed, otherwise the requested action is not allowed.

While the invention has been described in connection with the preferred embodiment illustrated and described in detail, various modifications and improvements will readily occur to those skilled in the art. Therefore, the spirit and scope of the present invention should be limited only by the appended claims.

[Brief description of the drawings]

FIG. 1 is a schematic diagram showing a storage device configured according to the present invention.

FIG. 2 is a schematic diagram showing a plurality of storage devices configured according to the present invention.

FIG. 3 is a data flow diagram showing the operation of the embodiment of the present invention.

FIG. 4 is a flowchart illustrating steps performed in accordance with an embodiment of the present invention.

FIG. 5 is a table showing a relationship between a request source, a storage element, and an allowable system call;

FIG. 6 is a logical flowchart showing the operation of the embodiment of the user logic device of the present invention.

FIG. 7 is a diagram showing a data structure for storing security data according to the embodiment of the present invention.

FIG. 8 is a flowchart illustrating access to the data of FIG. 7, according to an embodiment of the present invention.

[Explanation of symbols]

 Reference Signs List 20 system 22 data storage device 24, 25, 26 section 28 external control device 34, 35, 36 external port

 ────────────────────────────────────────────────── ─── Continued on the front page (31) Priority claim number 09/774532 (32) Priority date January 31, 2001 (2001.1.31) (33) Priority claim country United States (US) (31) Priority claim number Japanese Patent Application 2000-396584 (P2000-396584) (32) Priority date December 27, 2000 (2000.12.27) (33) Priority claim country Japan (JP) (31) Priority claim No. Japanese Patent Application No. 2000-397854 (P2000-397854) (32) Date of priority December 27, 2000 (December 27, 2000) (33) Countries claiming priority Japan (JP) (72) Inventor Sachet K. Kanapashi USA Massachusetts 01581 Westborough Windsor Ridge Drive 301 (72) Inventor Brian Garrett United States Massachusetts 01748-1032 Hopkinton Fruit Street 35F Term (Reference) 5B 017 AA07 BA06 BB06 CA07 5B065 BA01 EA33 PA02 PA04 PA11 PA12 PA20

Claims (120)

[Claims] 1. A method of determining permission for an action, comprising: defining a plurality of groups; defining, for each group, a plurality of action types and corresponding permission levels; at least a subset of the action types. Defining a plurality of devices to perform corresponding actions, at least some of the devices corresponding to portions of the data storage device; and determining, for at least one group, permissions for the requested actions. Checking the permission level for an action type corresponding to the at least one group, if the action corresponds to one of the devices, and checking a plurality of devices corresponding to the requested action. Permission is decided by How action is to not correspond to one of the devices, authorization by checking the authorization level for action type corresponding to the at least one group is determined. 2. The method of claim 1, wherein the action type comprises a system call to a data storage device. 3. The apparatus of claim 1, wherein the at least one device includes at least one disk storage area of a data storage device.
The method described in. 4. The method of claim 1, wherein the at least one device comprises a communication port of a data storage device. 5. The method of claim 4, wherein the action type indicates whether a system call is allowed on the communication port. 6. The method of claim 1, comprising, for the requested requested action, returning a tag available for a subsequent request to perform the action. 7. A method for determining permissions for an action, determining whether the requester is included in a requestor list, and wherein the requested action is included in a list of action types associated with the requester. Determining if the action uses at least one device,
Determining whether at least one device is included in a device list associated with the requester and the requested action, the device list including at least some devices associated with the data storage device Method. 8. The method of claim 7, further comprising using a default requester from the requester list if the requester is not included in the requester list. 9. The method of claim 7, comprising denying permission if the requester is not included in the requestor list. 10. The requested action is at least one
8. The method of claim 7, wherein when not using one device, the action is permitted if the requested action is included in a list of action types associated with the requestor. 11. The method of claim 7, wherein at least some of the action types do not correspond to actions performed on the data storage device. 12. The method of claim 7, wherein the action type comprises a system call to a data storage device. 13. The method of claim 7, wherein the at least one device includes at least one disk storage area of a data storage device. 14. The method of claim 7, wherein the at least one device comprises a communication port of a data storage device. 15. The method of claim 14, wherein the action type indicates whether a system call is allowed on the communication port. 16. The method of claim 7, comprising, for the requested requested action, returning a tag available in connection with a subsequent request to perform the action. 17. An apparatus for determining permission of an action, comprising: means for defining a plurality of groups; means for defining a plurality of action types and corresponding permission levels for each group; and at least a subset of the action types. Means for defining a plurality of devices for performing a corresponding action, at least some of the devices corresponding to a portion of the data storage device, and determining permission for the requested action for at least one group. Means for determining an authorization level for an action type corresponding to said at least one group, if the action corresponds to one of the devices, and checking a plurality of devices corresponding to the requested action. Permission is determined by the One in the not correspond, device permissions are determined by examining the authorization level for action type corresponding to the at least one group. 18. The apparatus of claim 17, wherein the action type comprises a system call to a data storage device. 19. The apparatus of claim 17, wherein the at least one device includes at least one disk storage area of a data storage device. 20. The device of claim 1, wherein the at least one device includes a communication port of a data storage device. 21. The apparatus of claim 20, wherein the action type indicates whether a system call is allowed on the communication port. 22. The apparatus of claim 17, further comprising: for the requested requested action, returning a tag available for a subsequent request to perform the action. 23. An apparatus for determining permission for an action, means for determining whether a requester is included in a requestor list, and wherein the requested action is included in a list of action types associated with the requester. Means for determining whether the action uses at least one device,
Means for determining whether at least one device is included in a device list associated with the requester and the requested action, wherein the device list includes at least some devices associated with the data storage device. apparatus. 24. The apparatus of claim 23, further comprising the step of using a default requester from the requester list if the requester is not included in the requester list. 25. The apparatus according to claim 23, further comprising means for denying permission if the requester is not included in the requester list. 26. The method according to claim 26, wherein the requested action is at least one.
24. The device of claim 23, wherein if no device is used, the action is allowed if the requested action is included in a list of action types associated with the requestor. 27. The apparatus of claim 23, wherein at least some of the action types do not correspond to actions performed on the data storage device. 28. The apparatus of claim 23, wherein the action type comprises a system call to a data storage device. 29. The apparatus of claim 23, wherein the at least one device includes at least one disk storage area of a data storage device. 30. The device of claim 23, wherein the at least one device comprises a communication port of a data storage device. 31. The apparatus of claim 30, wherein the action type indicates whether a system call is allowed on the communication port. 32. The apparatus of claim 23, further comprising: for the requested requested action, returning a tag available in connection with a subsequent request to perform the action. 33. Computer software for determining permission of an action, comprising: executable code defining a plurality of groups; executable code defining a plurality of action types and a corresponding permission level for each group. Executable code defining a plurality of devices for performing corresponding actions, at least for some subsets of action types, at least some devices corresponding to portions of the data storage device; Executable code for determining permission for a requested action for one of the groups, wherein if the action corresponds to one of the devices, the permission level is set for the action type corresponding to the at least one group. Examine and request The permission is determined by examining a plurality of devices corresponding to the action, and if the action does not correspond to one of the devices, the permission is determined by examining a permission level for an action type corresponding to the at least one group. Computer software. 34. The computer software of claim 33, wherein the action type comprises a system call to a data storage device. 35. The computer software of claim 33, wherein the at least one device includes at least one disk storage area of a data storage device. 36. The computer software of claim 33, wherein the at least one device includes a communication port of a data storage device. 37. The computer software of claim 36, wherein the action type indicates whether a system call is allowed on the communication port. 38. Executable code that returns, for an authorized requested action, a tag usable for a subsequent request to perform the action.
4. The computer software according to 3. 39. Computer software for determining permissions for an action, an executable code for determining whether the requester is included in a requestor list, and a list of action types in which the requested action is associated with the requester. Executable code to determine if it is contained within, and if the action uses at least one device,
Executable code for determining whether at least one device is included in a device list associated with the requester and the requested action, the device list comprising at least some of the data storage devices associated with the requestor and the requested action. Computer software including equipment. 40. The computer software of claim 39, comprising executable code that uses a default requester from the requester list if the requester is not included in the requester list. 41. Computer software according to claim 39, having executable code to deny permission if the requester is not included in the requestor list. 42. The requested action is at least one
40. The computer software of claim 39, wherein if no device is used, the requested action is permitted if the requested action is included in a list of action types associated with the requestor. 43. The computer software of claim 39, wherein at least some of the action types do not correspond to actions performed on the data storage device. 44. The computer software of claim 39, wherein the action type comprises a system call to a data storage device. 45. The computer software of claim 39, wherein the at least one device includes at least one disk storage area of a data storage device. 46. The computer software of claim 39, wherein the at least one device comprises a communication port of a data storage device. 47. The computer software of claim 46, wherein the action type indicates whether a system call is allowed on the communication port. 48. The computer software of claim 39, comprising executable code for an authorized requested action that returns a tag that can be used in connection with a subsequent request to perform the action. 49. A method for restricting access to a storage device, the method comprising: connecting each of a plurality of host systems to the storage device by one of a plurality of ports provided in the storage device; Selectively determining whether a system call is allowed. For a port where a system call is not allowed, a system call by a host system connected to the port is stored in a storage device, and the system call is How to indicate that it was not performed. 50. The method of claim 49, comprising providing a mechanism to control whether the port is capable of accepting system calls. 51. The step of providing a mechanism comprises:
52. The method of claim 50, comprising providing an external controller connected to the storage device. 52. The method of claim 51, wherein the external controller operates as a dumb terminal transmitting characters to the storage device and receiving characters from the storage device. 53. The method of claim 49, comprising providing an override mechanism that allows system calls on ports that do not allow system calls. 54. The method of claim 53, wherein the override mechanism also blocks system calls on ports that allow system calls. 55. The method of claim 54, comprising resetting the override mechanism after a predetermined amount of time has elapsed since the mechanism was set. 56. The predetermined amount of time is 30 minutes.
The method described in. 57. The method of claim 53, comprising providing an external control device that facilitates setting an override mechanism. 58. The step of providing an external control device includes providing a dumb terminal for transmitting characters to the storage device and receiving characters from the storage device.
7. The method according to 7. 59. A control device for a storage device, comprising: means for defining at least one group accessing a storage device; means for defining at least one of a pool of storage device devices; and a plurality of access types. Apparatus comprising: means for determining access rights to the at least one pool by the at least one group for at least one access type. 60. The apparatus of claim 59, wherein the access type comprises a system call. 61. The at least one group and the at least one pool include at least one of a logical unit and a physical unit.
Device according to claim 9. 62. The apparatus of claim 59, wherein the at least one pool includes a storage device communication port. 63. The apparatus of claim 62, wherein the access right indicates whether a system call is allowed on the communication port. 64. An apparatus for restricting access to a storage device, comprising: means for connecting each of a plurality of host systems to the storage device by one of a plurality of ports provided for the storage device; Selectively determining whether a system call is allowed. For a port where a system call is not allowed, a system call by a host system connected to the port is stored in a storage device. A device that indicates that no action was taken. 65. The apparatus of claim 64, further comprising means for providing a mechanism for controlling whether the port can accept system calls. 66. The step of providing a mechanism comprises:
51. The method of claim 50, including an external controller connected to the storage device. 67. The apparatus of claim 66, wherein the external control device operates as a dumb terminal transmitting characters to the storage device and receiving characters from the storage device. 68. The method of claim 64, comprising an override mechanism that allows system calls on ports that do not allow system calls. 69. The apparatus of claim 68, wherein the override mechanism also blocks system calls on ports that allow system calls. 70. The apparatus of claim 69, further comprising means for resetting the override mechanism after a predetermined amount of time has elapsed since the mechanism was set. 71. The predetermined amount of time is 30 minutes.
An apparatus according to claim 1. 72. The device of claim 69, comprising an external control device to facilitate setting of an override mechanism. 73. The method of claim 57, wherein the external controller includes a dumb terminal for transmitting characters to the storage device and receiving characters from the storage device. 74. A means for receiving data provided to the storage device at a port of the storage device, means for transmitting data from the storage device, means for prohibiting a system call provided to the port,
A port containing a request for a management operation for a storage device that does not send or receive data. 75. Computer software for controlling a port on a storage device, comprising: means for communicating with the storage device; and a command connected to the means for communicating, the command causing the port not to accept the provided system command. And control means for providing to the system, the system command including a request for a management operation by the storage device. 76. An apparatus for controlling a port of a storage device, comprising: a port driver connected to the port for processing data communication with the storage device; a port driver connected to the port driver, based on a security configuration data element and an override display data element. And a security module that controls data communicated by the port driver. 77. The apparatus of claim 76, further comprising a security configuration control module connected to the security configuration data element and controlling its state. 78. The system of claim 77, further comprising a disk configuration data element connected to the security configuration control module, wherein the security configuration control module controls a state of the security configuration data element according to a state of the disk configuration data element. Equipment. 79. A system comprising: a disk configuration data element;
79. The apparatus of claim 78, further comprising an external interface module for controlling the state, the external interface module receiving command data provided to the storage device. 80. The external module is connected to the override display data element to control its state.
An apparatus according to claim 1. 81. The apparatus of claim 80, further comprising a counter module connected to the override display data element and controlling its state according to an amount of elapsed time. 82. A method for determining whether to execute a system command received at a port of a storage device, the method comprising: determining whether an open override is set; and determining whether port control data is present. Determining whether the port control data indicates that the system call is allowed, and determining whether the system call is allowed, the port control data indicating that the system call is allowed, the open override during setting, and the existence of the port call. Making a system call in response to at least one of the port control data not being used. 83. determining whether a close override has been set; and rejecting the system call in response to at least one of the closing override being set and port control data indicating that the system call is not allowed. ,
Having a method. 84. A method of controlling a data storage device, the method comprising: providing at least one request source for accessing a storage device; providing at least one pool of data storage device devices; Providing and determining, for at least one device in the pool of devices, whether a request by a requestor of at least one requesting group has been granted, wherein the device is the subject of the request. Method. 85. The method of claim 84, wherein the access type comprises at least one of mirroring, copying, backup splitting and tracking system calls. 86. The method of claim 84, wherein the access type includes reading and writing data. 87. The method of claim 84, wherein at least one group and at least one pool include at least one logical unit having a unique ID number and a physical unit. 88. The method of claim 84, wherein the at least one pool includes at least one of a communication port of the data storage device and a portion of the memory of the data storage device. 89. The method of claim 88, wherein the pool has a communication port and the access right indicates whether a system call has been granted on the communication port. 90. The method of claim 88, wherein the pool comprises a portion of memory and the access rights indicate at least one of read and write access to the section. 91. A method for controlling access to a data storage device, comprising: for each requester having access to the data storage device, providing a requester identification number uniquely identifying each requester; Dividing the memory into a plurality of memory segments and defining an identification number for each segment; and providing a plurality of request types including at least one of read, write, mirror, copy, backup, partition, and tracking system calls. A selected one of the plurality of memory segments only if the database of requester identification numbers indicates that a request of the selected type for the selected memory segment according to the requester identification number has been granted. Selected type of request access to The method comprising the steps of acceptable Motomemoto, the. 92. The method of claim 91, comprising issuing an access request negative indication if the database indicates that the identification number is not allowed to access a particular memory segment of a particular type. 93. The method of claim 91, wherein the override memory location stores at least one of a path override condition, a reject override condition, and a no override condition. 94. The system of claim 93, wherein the override memory location is checked prior to reviewing the database and the request is granted if a path override condition is stored.
The method described in. 95. The method of claim 94, wherein the value stored in the override memory location returns to the no override condition after a specified time. 96. The method of claim 95, wherein the designated time is 30 minutes. 97. The system of claim 93, wherein the override memory location is checked prior to reviewing the database and the request is denied if a reject override condition is stored.
The method described in. 98. The method according to claim 98, wherein the plurality of memory segments are grouped into a pool of devices, and allowing a requestor to access a selected type of request is a particular one of a pool of devices corresponding to the selected memory segment. 92. The method of claim 91, comprising examining. 99. A method for controlling access to a data storage device, comprising: reading data of a specific portion of the data storage device, writing data to a specific portion of the data storage device,
At least one of backing up data from a particular portion of the data storage device, mirroring the data, copying the data from the particular portion of the data storage device, dividing the volume of the data storage device, and tracking changes to the volume of the data storage device Providing at least one group of requesting devices from the plurality of requesting devices accessing the data storage device by issuing a request; and providing a plurality of memory resources from the plurality of individually addressable memory resources of the data storage device. Providing a pool; and providing control logic of the data storage device prior to accessing the memory to access one of the plurality of requesting devices for accessing at least one of the memory resources of the plurality of pools.
Deciding whether the request from one is acceptable;
Having a method. 100. The method of claim 99, wherein the override memory location stores one of a path override condition, a reject override condition, and a no override condition. 101. The system of claim 10 wherein the override memory location is checked prior to reviewing the database and the request is granted if a path override condition is stored.
The method according to 0. 102. The method of claim 101, wherein the value stored in the override memory location returns to the no override condition after a specified time. 103. The specific time is 30 minutes.
3. The method according to 2. 104. The system of claim 1, wherein the override memory location is checked prior to reviewing the database and the request is denied if a reject override condition is stored.
00. The method of claim 00. 105. The method of claim 99, wherein the access level for the group corresponding to the requester is set to provide an access level lower than the access level set for any member of the requesting group. 106. The method according to claim 105, wherein the access level of the group is examined before the access level of the requester, and if access to the group is permitted, no check is made on the access level of the requester. . 107. The method of claim 99, wherein the pool of memory resources allows an access level that is higher than an access level set for every member of the pool. 108. The method of claim 107, wherein the access level of the pool is examined before the access level of the memory segment, and the access level of the memory segment is not checked if access to the pool is not permitted. 109. A method for controlling access to a data storage device, comprising: associating an ID number identifying at least one of a requester having access to a storage element and a group to which the requester belongs; Determining whether the requested type of access operation to at least a portion of the storage device has been granted to the requestor, the access information comprising: a requester ID number, a group ID.
A method comprising one or more access operations associated with at least one of a number, a password corresponding to a requestor, and a password corresponding to a group. 110. The method of claim 109, wherein the access operation includes at least one of backup, mirror, copy, split, and track. 111. The access operation includes at least one of data reading and data writing.
The method according to 0. 112. The method of claim 110, wherein the access information uses only one of a requester ID number, a group ID number, a password corresponding to the requester, and a password corresponding to the group. 113. The method of claim 110, wherein the access information uses a combination of a requester ID number and a group ID number. 114. The method of claim 110, wherein the access information uses a combination of a group ID number and at least one of a password corresponding to the requestor and a password corresponding to the group. 115. The method of claim 110, wherein the access information uses a combination of a group ID number and a password corresponding to the group. 116. A method for controlling access to a data storage device, comprising: associating a password identifying at least one of a requestor having access to a storage element and a group to which the requestor belongs; Determining whether the requested type of access operation to at least a portion of the data storage device has been granted to the requestor, wherein the access information includes one or more access operations associated with the password. Method. 117. The method of claim 116, wherein the access operation includes at least one of backup, mirror, copy, split, and track. 118. The access operation includes at least one of data reading and data writing.
7. The method according to 6. 119. The method of claim 116, wherein the password corresponds to the requestor. 120. The method of claim 116, wherein the password corresponds to a group.