US20110271336A1 - Computer and Access Control Method in a Computer - Google Patents
Computer and Access Control Method in a ComputerDownload PDFInfo
- Publication number
- US20110271336A1 US20110271336A1US13/179,715US201113179715AUS2011271336A1US 20110271336 A1US20110271336 A1US 20110271336A1US 201113179715 AUS201113179715 AUS 201113179715AUS 2011271336 A1US2011271336 A1US 2011271336A1
- Authority
- US
- United States
- Prior art keywords
- management
- program
- authority
- user
- management program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/629—Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
Definitions
- This inventionrelates to a computer that executes processes requested interactively by a multiplicity of programs, and to an access control method for a multiplicity of interacting programs.
- a storage system(storage array device) comprises independent storage management programs, with various processes requested by users being executed on the storage device via the storage management programs.
- an integrated management programthat carries out overall management of the storage management programs on the storage device is installed.
- the integrated management programinvokes the relevant storage management program and executes a process requested by a user via the invoked up storage management program.
- a given resource of a storage systemcan be accessed either directly via an individual storage management program, or indirectly via an integrated management program that calls up the relevant storage management program.
- a discrepancy with the resource status retained by the integrated management programmay occur.
- discrepanciesmay arise among resource status retained by the different storage management programs.
- the inventionaddresses the problem by providing a computer that executes processes requested by interaction of a plurality of programs.
- the computer pertaining to the present inventioncomprises a receiving module that requests a process and acquires authenticating information; an invoking program executing module that invokes a program executing module for executing a process corresponding to said acquired request, said invoking program executing module sending to the invoked program executing module identifying information for identifying said invoking program executing module and said acquired authenticating information; and an invoked program executing module that by being invoked by said invoking program executing module, or by directly receiving a request, executes the requested process, said invoked program executing module having an authenticating module that uses said authenticating information and the identifying information of said invoking program executing module to establish authority to execute for said invoked program executing module.
- identifying information for identifying the invoking program executing module and acquired authenticating informationare sent to the invoking program executing module, whereupon the authenticating information and the invoking program executing module identifying information are used to establish authority to execute for said invoked program executing module, whereby in a computer that executes processes requested interactively by a multiplicity of programs, authority to execute for programs can be determined according to program usage mode.
- the computer pertaining to the present inventioncan also be reduced to practice as an access control method, an access control program, and a computer-readable recording medium having an access control program recorded thereon.
- FIG. 1is a simplified illustration of the computer system pertaining to First Embodiment.
- FIG. 2is an illustration of modules stored in the memory of the computer in First embodiment.
- FIG. 3is an illustration of functional blocks realized by the administration computer pertaining to First embodiment.
- FIG. 4is an illustration of an exemplary user management table in management program B.
- FIG. 5is an illustration of an exemplary authority to execute definition table defining executable operations by means of defined authority to execute.
- FIG. 6is an illustration of an exemplary operation definition table that defines content of executable operations by means of defined operations.
- FIG. 7is a flowchart showing the processing routine executed by management program A (invoking program).
- FIG. 8is a flowchart showing the processing routine executed by management program B (invoked program).
- FIG. 9is a simplified illustration of a computer system.
- FIG. 10is a flowchart showing the processing routine executed in the event that management program B is executed from a client computer via management program A.
- FIG. 11is a flowchart showing the processing routine executed in the event that management program B is executed directly from a client computer.
- FIG. 12is a simplified illustration of the computer system pertaining to Second Embodiment.
- FIG. 13is an illustration of functional blocks realized by the administration computer pertaining to Second embodiment.
- FIG. 14is an illustration of an exemplary user management table used for establishing authority to execute in management program B when four management programs interact and execute management of the storage device 20 .
- FIG. 15is an illustration of an exemplary authentication information management table for managing authentication information.
- FIG. 16is an illustration of an exemplary program information management table for administering program information.
- FIG. 1is a simplified illustration of the computer system pertaining to First embodiment.
- FIG. 2is an illustration of modules stored in the memory of the computer in First embodiment.
- the computer 10 in First embodimentis an administration computer (administration server computer) that manages a storage device, for example, carrying out creation of volumes in the storage derive, assigning a host, and setting zoning and LUN masking; it is connected to one or a plurality of storage devices 20 and to a network 40 .
- the network 40is a local area network (LAN) with Ethernet (registered trademark) architecture, that carries out transmission of data using the TCP/IP communications protocol.
- Client computers 30 , 31 , 32are connected to the network 40 ; the client computers 30 to 32 execute management of the storage device 20 via the administration computer 10 .
- a service host computer 50is connected to the network 40 , and the service host computer 50 is connected to the storage device 20 via a SAN (Storage Area Network) 41 .
- the service host computer 50executes a database management system (DBMS) or other service program in response to requests from the client computers 30 to 32 , and writes process results to the storage device 20 , or utilizes an information resource stored in the storage device 20 .
- DBMSdatabase management system
- a Fibre Channel or iSCSI communications protocolis used in the SAN.
- the computer 10comprises a CPU 11 , a memory 12 , a rear end I/O interface 13 , and a front end I/O interface 14 .
- the CPU 11 , the memory 12 , the rear end I/O interface 13 , and the front end I/O interface 14are interconnected via a bus.
- the CPU 11is a processing unit that executes various programs and modules stored in the memory 12 .
- the memory 12is a so-called internal storage device, and includes both nonvolatile memory storing the various modules etc., and volatile memory for temporary storage of operation results.
- the rear end I/O interface 13is connected to the storage device 20 via a local area network (LAN).
- the front end I/O interface 14is connected to the network 40 , and executes sending and receiving of commands and data among the client computers 30 to 32 using the TCP/IP protocol.
- the storage device 20comprises a disk array controller 21 , a cache 22 , a plurality of disk devices 23 , and an I/O interface 24 .
- the disk array controller 21is a control circuit that executes control processes of various kinds on the storage device 20 , and comprises a CPU 211 , memory 212 , and an I/O port.
- the cache 22is a kind of memory device for temporary storage of data that is to be written to a disk device 23 , or of data being read from a disk device 23 .
- the disk devices 23are provided as a disk array device of RAID configuration composed of a plurality of magnetic hard disk drives, the plurality of magnetic hard disk drives constituting one or several logical units (LU), or as a single hard disk drive have one or several memory areas, i.e. logical units (LU). Access to each logical unit is carried out using a logical unit number (LUN) and a logical block address (LBA).
- LUNlogical unit number
- LBAlogical block address
- the I/O interface 24is connected to the rear I/O interface 13 of the administration computer 10 via a signal line.
- the client computers 30 to 32are, for example, terminal devices for input or output of data of various kinds, and via the service host computer 50 execute, for example, database management processes, and execute writing of processed data to the storage device 20 and reading of data from the storage device 20 .
- the client computers 30 to 32also carry out management of the storage device 20 via the administration computer 10 .
- the client computers 30 to 32may instead be a single computer, or four or more.
- the memory 12has stored therein a send/receive process program Pr 1 for exchange of data and requests with the client computers, a management program A (Pa), a management program B (Pb), a management program C, and user information utilized by each of the management programs, stored in association with the respective management programs.
- Pr 1send/receive process program
- Pr 2shows the management program A (Pa) and the details of the user information Uia utilized by the management program A (Pa).
- the management program A (Pa)is an integrated storage management program that handles in an integrated manner the management program B (Pb) and C (Pc) provided to each of the storage devices 20 , and corresponds to the invoking (first) program. With the management program A (Pa), there are carried out processes that span several storage devices, and that cannot be managed by the individual management programs B (Pb) and C (Pc) provided to each of the storage devices 20 .
- the management program A (Pa)provides a storage pool function whereby a number of storage devices are managed as a single virtual storage device, backup schedule management of the logical volumes (logical units) of a storage device, and restriction management of access to the logical volumes.
- the management program Acomprises a request receiving module Ma 1 that receives requests and authentication information from the client computer 30 ; an authentication information acquiring module Ma 2 that acquires the received authentication information; a user authentication module Ma 3 that carries out user authentication using authentication information; an execution authority establishing module Ma 4 that uses a program ID to establish authority to execute for an invoked program; a request executing module Ma 5 that executes requests input from the client computer 30 ; and an external program invoking module Ma 6 that executes identification of an invoked program and invocation of the invoked program.
- the user information Uiacomprises a user management table Uia 1 , an execution authority definition table Uia 2 , and an operation definition table Uia 3 , described later.
- the management programs B (Pb) and C (Pc)likewise comprise similar modules.
- the management programs B (Pb) and C (Pc)are assigned on a one-to-one basis to any single storage device, and execute various management processes in the corresponding storage device.
- the management programs B (Pb) and C (Pc) provided to the individual storage devicescorrespond to invoked (second) programs.
- the CPU 11corresponds to the invoked program executing module and the invoking program executing module.
- the management program A executing module Pacan be considered as the invoking program executing module, and the management program B, C executing modules Pb, Pc as invoked program executing modules.
- the management programs B (Pb) and C into the administration computer 10are sequentially introduced each time that an additional storage device 20 is provided, the individual storage devices 20 a managed by the individual management programs, and thus it is not possible to manage a plurality of storage devices 20 in a consolidated (integrated) manner. Under such conditions, by introducing the Integrated management program A (Pa) into the administration computer 10 , consolidated management of the storage devices is possible through the Integrated management program A (Pa).
- FIG. 3is an illustration of functional blocks realized by the administration computer pertaining to First embodiment.
- FIG. 4is an illustration of an exemplary user management table in the management program B (Pb).
- FIG. 5is an illustration of an exemplary authority to execute definition table defining executable operations by means of defined authority to execute.
- FIG. 6is an illustration of an exemplary operation definition table that defines content of executable operations by means of defined operations.
- FIG. 7is a flowchart showing the processing routine executed by the management program A (Pa) (invoking program).
- FIG. 8is a flowchart showing the processing routine executed by the management program B (Pb) (invoked program).
- the programs and modulesare executed by the CPU 11 .
- the processing routine shown in FIG. 7is initiated, for example, by running the management program A (Pa) from the client computer 30 .
- the CPU 11executes the request receiving module Ma 1 , and receives the authentication information and process request input from the client computer 30 .
- Authentication informationconsists of account information necessary for authentication, for example, a user name and password; the process request is, for example, a request to create a new logical volume in the storage device 20 .
- the CPU 11then executes the authentication information acquiring module Ma 2 and acquires the received authentication information.
- the CPU 11executes the authentication module Ma 3 and executes authentication for the management program A (Pa) (Step S 100 ). Specifically, the CPU 11 searches the user information and determines whether authentication information exists for the management program A (Pa) in question. In the event that authentication information can be verified to exist, i.e. authentication is successful (Step S 100 : Yes), the CPU 11 runs the execution authority establishing module Ma 4 . If on the other hand authentication information cannot be verified to exist, i.e. authentication is not successful (Step S 100 : No), the client computer 30 is informed to the effect that authentication failed, and the processing routine terminates.
- the CPU 11executes the execution authority establishing module Ma 4 , and on the basis of the user management table establishes in the management program A (Pa) authority to execute assigned to the user. For example, the authority to invoke the management program B (Pb) via the management program A (Pa), the authority to modify settings in the management program A (Pa), or authority settings denying either or both of these are established.
- the CPU 11executes the request executing module Ma 5 , and depending on the established authority to execute, executes the request input from the client computer 30 . In the event that the request input from the client computer 30 invokes the management program B (Pb), and authority to invoke the management program B (Pb) via the management program A (Pa) is verified, the CPU 11 executes the external program invoking module Ma 6 .
- the CPU 11identifies the invoked program that is to be invoked by the request from the client computer 30 (Step S 110 ). Specifically, in association with the request input from the client computer 30 , there is identified the storage device 20 constituting the target to which access is being requested and which is targeted for execution of the process requested by the LUN, and thus the management program managing the identified storage device 20 , namely, the management program B (Pb) in this embodiment, can be identified.
- the CPU 11also determines whether the authentication information input from the client computer 30 is used in common by the invoking management program and the invoked management program (Step S 120 ). For example, it can be determined whether the invoked management program is integrated with the invoking management program.
- management program A (Pa) and management program B (Pb)are integrated, a single set of authentication information is shared in common by the management program A (Pa) and management program B (Pb).
- management program A (Pa) and management program B (Pb)are not integrated, individual identifying information will be required for each, and it will therefore be necessary to convert to authentication information corresponding to the management program B (Pb). Conversion is carried out, for example, using a table that associates authentication information in the management program A (Pa) with authentication information in the management program B (Pb) for a given user, as the user information of the management program A (Pa).
- Step S 120If authentication information is shared in common (Step S 120 : Yes), the CPU 11 acquires the authentication information input from the client computer 30 (Step S 130 ), as authentication information that is valid in the invoked program.
- Step S 120If authentication information is shared in common (Step S 120 : No), the CPU 11 converts the authentication information input from the client computer 30 into authentication information that is valid in the invoked program (Step S 140 ).
- the CPU 11invokes the management program B (Pb), and sends the acquired or converted authentication information and the request, and identifying information for identifying the management program A (Pa) (program ID) to the management program B (Pb) (Step S 150 ), and then terminates the routine.
- program IDthere is used at least one item of information such as program name, program product ID, folder configuration (e.g. a file indicating the version), registry key.
- the management program B(Pb) initiates the processing routine shown in FIG. 8 .
- the CPU 11executes the request receiving module Mb 1 , and receives the authentication information and process request, and the program ID, sent from the management program A (Pa) (Step S 200 ).
- the CPU 11executes the authentication information acquiring module Mb 2 , acquires the received authentication information, executes the user authentication module Mb 3 , and determines whether the authentication information is correct (Step S 210 ). Specifically, the CPU 11 searches the user information and searches for whether the corresponding authentication information exists.
- the user management table shown in FIG. 4may be employed as user information, for example. That is, the user information includes a user ID for identifying the user, and a password for determining (verifying) whether the user ID has been input by the proper user. If the CPU 11 determines that the authentication information is not correct, i.e. that there is no corresponding authentication information (Step S 210 : No), the CPU 11 suspends the process, returns an Authentication Failed status to the client computer 30 (Step S 220 ), and terminates the processing routine.
- CPU 11determines that the authentication information is correct, i.e. that corresponding authentication information exists (Step S 210 : Yes), CPU 11 runs the execution authority establishing module Mb 4 .
- the CPU 11acquires authority to execute information (the user management table) for the authenticated user (Step S 230 ), compares the received program ID with the program ID included in the acquired authority to execute information (Step S 240 ), and determines whether authority to execute corresponding to the received program ID are defined (Step S 250 ).
- the program IDfor example, there is used program name, program product ID, folder configuration (e.g. a file indicating the version), registry key, and thus information enabling the program IDs to be compared and authenticated is stored by way of user information of the management program B (Pb).
- the user management table shown in FIG. 4it is determined whether a program ID corresponding to the received program ID exists in the user management table.
- Step S 250If the CPU 11 determines that authority to execute have been defined for the received program ID (Step S 250 : Yes), the defined authority to execute are established as authority to execute for the management program B (Pb) (Step S 260 ). On the other hand, if the CPU 11 determines that authority to execute have not been defined for the received program ID (Step S 250 : No), the CPU 11 suspends the process, returns an Authentication Failed status to the client computer 30 (Step S 220 ), and terminates the processing routine.
- system operation settingspermit carrying out of system settings, which are settings for operating programs, including host name, host number, and other server settings; resource operations include both resource modifications, i.e. creating, modifying, and deleting logical units, as well as resource reference, whereas resource reference operations permit only resource reference.
- the CPU 11executes the request executing module Mb 5 , and depending on the established authority to execute, executes the request input from the client computer 30 (Step S 270 ), and terminates the processing routine.
- an external program invoking module Mb 6may be provided for the purpose of invoking the management program C.
- FIG. 9is a simplified illustration of the computer system.
- FIG. 10is a flowchart showing the processing routine executed in the event that the management program B (Pb) is executed from a client computer via the management program A (Pa).
- FIG. 11is a flowchart showing the processing routine executed in the event that the management program B (Pb) is executed directly from a client computer.
- the computer systemcomprises a client computer 30 , an administration computer 10 , and first and second storage devices 201 , 202 .
- client computer 30On the client computer 30 are stored an integrated management client program 31 that executes a storage integrated operation management program Pa (invoking program) stored on computer 10 ; and first and second individual management client programs 32 , 33 for executing first and second storage device management programs Pb, Pc (invoked programs).
- Pastorage integrated operation management program
- Pb, Pcinvoked programs
- the storage integrated operation management program Pa 1comprises an authentication module Mpa 1 that carries out user authentication, a storage operation module Mpa 2 that carries out operations on the storage devices, a storage operation information managing module Mpa 3 that manages information for storage operation, and a user information storage module Mpa 4 that stores user information including authentication information needed for authentication.
- the storage operation information management module Mpa 3are stored device information relating to resource status/operating status of the first and second storage devices 201 , 202 ; system configuration information for the host and service server; and operation policies including backup schedule, countermeasures in the event a malfunction occurs, and security policy.
- the first and second storage device management programs Phi, Pc 1each comprise an authentication module Mpb 1 , Mpc 1 that carries out user authentication; a storage operation module Mpb 2 , Mpb 3 that carries out operations on the storage device 201 , 202 ; and a user information storage module Mpb 3 , Mpc 3 that stores user information including authentication information needed for authentication.
- the first and second storage devices 201 , 202are each configured as a RAID composed of several disk devices, and have one or several logical units (LU).
- the user 1inputs to the client computer 30 authentication information for logging in to the management program A (Pa 1 ), and a new volume creation request to the first storage device 201 (Step U 1 ).
- the integrated management client program 31 of the client computer 30sends the input authentication information and volume creation request to the management program A (Pa 1 ) (Step C 1 ).
- the administration computer 10(CPU) executes the management program A (Pa 1 ), and performs user authentication by means of the authentication module Mpa 1 (Step PaS 1 ).
- the administration computer 10In the event that user authentication is successful, the administration computer 10 , by means of the storage operation information management module Mpa 3 , runs the management program that manages the target storage device, for example, the management program B (Pb 1 ), and sends to the management program B (Pb 1 ) authentication information for the management program B (Pb 1 ) and identifying information (program ID) for the management program A (Pa 1 ) (Step PaS 2 ). In the event that user authentication fails, the administration computer 10 notifies the client computer 30 of authentication failure, so that the user 1 can be notified of the authentication failure to the management program A (Pa 1 ), for example, by means of the display screen of the administration computer 10 .
- the administration computer 10executes the management program B (Pb 1 ), and using the authentication information for the management program B (Pb 1 ) and the ID of the management program A (Pa 1 ), performs user authentication by means of the authentication module Mpb 1 (Step PbS 1 ); in the event that authentication fails (Step PbS 2 : No), it notifies the management program A (Pa 1 ) of the authentication failure.
- the management program A (Pa 1 )sends an Authentication Failed notification to the client computer 30 (Step PaS 3 ).
- the user 1can be notified of the authentication failure to the management program B (Pb 1 ), for example, by means of the display screen of the client computer 30 .
- Step PbS 2the administration computer 10 establishes the user authority to execute assigned to the user 1 as authority to execute having a “resource modification authority” (Step PbS 3 ).
- the administration computer 10executes the storage operation module Mpb 2 and requests the first storage device 201 to create the volume.
- the first storage device 201creates the requested volume, for example, via a disk adapter (Step SS 1 ).
- Step SS 1the volume creation process is complete, the first storage device 201 sends Volume Created notification to the management program B (Pb 1 ) (Step SS 2 ).
- the management program B (Pb 1 )notifies the management program A (Pa 1 ) to the effect that the volume has been successfully created (Step PbS 4 ).
- the management program A (Pa 1 )stores information for the newly created volume as device information in the storage operation information management module Mpa 3 , and requests the client computer 30 to display a successful volume creation display screen (Step PaS 4 ). By confirming the successful volume creation display displayed on the display screen of the client computer 30 , the user 1 can be notified of successful creation of a new volume in the first storage device 201 .
- the user 1inputs to the client computer 30 authentication information for logging in to the management program B (Pb 1 ), and a new volume creation request to the first storage device 201 (Step U 10 ).
- the first individual management client program 32 of the client computer 30sends the input authentication information and volume creation request to the management program B (Pb 1 ) (Step C 10 ).
- the administration computer 10executes the management program B (Pb 1 ), and performs user authentication by means of the authentication module Mpb 1 (Step PbS 10 ) using the authentication information of the management program B (Pb 1 ).
- Step PbS 11No
- the client computer 30is notified of the authentication failure.
- the client computer 30displays the authentication failure on the display screen, so that the user 1 can be notified of the authentication failure with respect to the management program B (Pb 1 ), through the display screen of the client computer 30 .
- Step PbS 11the administration computer 10 establishes the user authority to execute assigned to the user 1 as authority to execute having a “resource reference authority” (Step PbS 12 ). Specifically, since there is no program ID (identifying information) of the management program A (Pa 1 ), a high authority level enabling modification of resource status is not established. Since the user 1 is only granted resource reference authority, the administration computer 10 notifies the client computer 30 that the user 1 does not have volume creation authority (Step PaS 13 ). Through the display screen of the client computer 30 , the user 1 can be notified that volume creation is not allowed.
- the desired access controlcan be carried out depending on the mode of program interaction (the program startup mode, invoking mode). More specifically, in cases where a storage device is managed by means of an invoking program (storage integrated operation management program Pa, Pa 1 ) invoking an invoked program (storage device management program Pb, Pb 1 , Pc 1 ), high authority to execute can be assigned to the user, whereas in cases where management of a storage device is executed directly by means of an invoked program, low authority to execute can be assigned to the user.
- the mode of program interactionthe mode of program interaction
- authority to executecan be established in such a way that where an invoked program is executed through an invoking program, resource modification to the storage device 20 and modification of system settings can be permitted, while in the case of direct execution by an invoked program, only reference to resources of the storage device 20 is permitted.
- the storage integrated operation management program Pafails to be notified of the resource modification, so that execution of the storage integrated operation management program Pa is impaired.
- the storage integrated operation management program Pais not notified of the fact that the volume targeted in the backup schedule has been deleted, an error will occur when the backup process is executed.
- the storage device management program Pbhas been run directly, and the access address for a volume has been changed, the problem of inability of the storage integrated operation management program Pa to access the desired address will occur.
- identifying information of the invoking programis utilized, so that it is possible to quickly and accurately determine whether an invoked program has been executed through the agency of the invoking program, or whether an invoked program has been executed directly. Additionally, establishment of authority to execute over a wide range depending on the invoking program is possible as well.
- Authority to executemay be granted as in the following examples as well.
- the access restrictions of the invoked programmay be the same, regardless of the route by which the invoked program is invoked.
- invoking programis a monitoring program
- reference authorityin the event of running from the invoking program, reference authority will not be granted without exception.
- FIG. 12is a simplified illustration of the computer system pertaining to Second embodiment.
- FIG. 13is an illustration of functional blocks realized by the administration computer pertaining to Second embodiment.
- the administration computer 100 pertaining to Second embodimenthas a basic arrangement similar to the administration computer 10 pertaining to First embodiment, with the exception of a different arrangement of the modules stored in the management programs; since the arrangement of the storage device in Second embodiment is similar to the arrangement of the storage device 20 in First embodiment, symbols identical to the symbols used in First embodiment are used, and detailed description of arrangements is not provided.
- an authentication computer 60apart from the administration computer 100 , there is additionally provided an authentication computer 60 , with authentication processes for the management programs Pa 2 , Pb 2 being executed in the authentication computer 60 .
- the authentication computer 60comprises a CPU 61 for executing authentication processes; a cache 62 for temporary storage of authentication information used for authentication, or authentication results; memory 63 for storing an authentication program Pd and user information Uid; and an I/O interface 64 that executes communication with the administration computer 100 and the client computers 30 , 31 , 32 via the local area network 40 .
- the management program A (Pa 2 ) and management program B (Pb 2 )are not provided with the modules needed for user authentication.
- the authentication program Pd of the authentication computer 60comprises a sending/receiving module ML 1 that sends and receives authentication information and authentication results to and from the management programs in the administration computer 100 , an authentication information acquiring module ML 2 that acquires authentication information from received authentication information, a user authentication module ML 3 that executes user authentication, an execution authority establishing module ML 4 that establishes authority to execute depending on the order of program execution, and user information Uid.
- the CPU 11executes the request receiving module Ma 1 , and receives the authentication information and process request input from the client computer 30 .
- Authentication informationconsists of account information necessary for authentication, for example, a user name and password; the process request is, for example, a request to create a new logical volume in the storage device 20 .
- the CPU 11executes the authentication information acquiring module Ma 2 , acquires the received authentication information, and sends to the authentication computer 60 authentication information for the acquired the management program A (Pa 2 ).
- the CPU 61executes the sending/receiving module ML 1 , and receives identifying information sent from the management program A (Pa 2 ).
- the CPU 61executes the authentication information acquiring module ML 2 and acquires the received authentication information.
- the CPU 61executes the user authentication module ML 3 , and executes authentication with respect to the management program A (Pa 2 ). Specifically, the CPU 61 searches the user information and determines whether authentication information exists for the management program A (Pa 2 ) in question. In the event that authentication is successful, the CPU 61 runs the execution authority establishing module ML 4 . If on the other hand authentication is not successful the CPU 61 informs the client computer 30 via the management program A to the effect that authentication failed.
- the CPU 61executes the execution authority establishing module ML 4 , on the basis of the user management table, authority to execute assigned to the user are established in the management program A (Pa 2 ). For example, the authority to invoke the management program B (Pb 2 ) via the management program A (Pa 2 ), the authority to modify settings in the management program A (Pa 2 ), or authority settings denying either or both of these are established, The CPU 61 sends the established authority to execute to the request executing module Ma 5 of the management program A (Pa 2 ) via the sending/receiving module ML 1 .
- the CPU 11executes the request executing module Ma 5 , and depending on the established authority to execute, executes the request input from the client computer 30 .
- the CPU 11executes the external program invoking module Ma 6 .
- the CPU 11by means of the request from the client computer 30 , identifies the invoked program to be invoked, as described in First embodiment.
- the CPU 11invokes the identified invoked program, for example, the management program B (Pb 2 ), and requests the invoked program to send authentication information and program identifying information (program ID) of the management program A (Pa 2 ).
- the management program B (Pb 2 )is run by means of being invoked by the management program A (Pa 2 ).
- the CPU 11executes the request receiving module Mb 1 , and receives the authentication information and process request, and the program ID, sent from the management program A (Pa) (Step S 200 ).
- the CPU 11executes the authentication information acquiring module Mb 2 , acquires the received authentication information, and sends the authentication information for the acquired the management program B (Pb 2 ) to the authentication computer 60 .
- the CPU 61executes the sending/receiving module ML 1 , and receives identifying information send from the management program B (Pb 2 ).
- the CPU 61executes the authentication information acquiring module ML 3 and acquires the received authentication information.
- the CPU 61executes the user authentication module ML 3 and executes authentication with respect to the management program B (Pb 2 ). Specifically, the CPU 61 searches the user information and determines whether authentication information exists for the management program B (Pb 2 ) in question. In the event that user authentication is successful, the CPU 61 runs the execution authority establishing module ML 4 . On the other hand, in the event that authentication is not successful, the CPU 61 notifies the client computer 30 of the authentication failure via the management program B (Pb 2 ).
- the CPU 61sends the established authority to execute to the request executing module Mb 5 of the management program B (Pb 2 ) via the sending/receiving module ML 1 .
- the management program B (Pb 2 )there has been prepared an operation definition table that defines the contents of operating processes that can be executed in association with authority to execute.
- the CPU 11 that has received the established authority to executeexecutes the request executing module Mb 5 , refers to the operation definition table and determines those operation processes that will be permitted for the established authority to execute, and executes the request input from the client computer 30 .
- the management program B (Pb 2 )has been run directly by the client computer 30 , even if the request input from the client computer 30 is one to modify a resource in the storage device 20 , since only resource reference operation processes are authorized, the request will not be executed. If on the other hand the management program B (Pb 2 ) has been run via the management program A (Pa 2 ), the requested resource modification process will be executed.
- the fact that an authentication computer 60 separate from the administration computer 10 is providedcan also reduce the load on the administration computer 10 . That is, since authentication processes for the management programs can be executed in the authentication computer 60 , there is no need to provided the administration computer 10 with the modules needed for authentication processes, nor is there any need to assign computing resources for executing authentication processes.
- FIG. 14is an illustration of an exemplary user management table used for establishing authority to execute in the management program B when four management programs interact and execute management of the storage device 20 .
- authority to executecan be established depending on the management program executed prior to execution of the management program B. Also, where time information, i.e. order information can be appended to the program ID, authority to execute can be established depending on the order in which management programs are run prior to execution of the management program B. Specifically, where for example the management program B interacts with external program C, and the management program B has acquired a program ID from another program (Program A, for example), order information, after appending a comma to the end of the program ID by the external program invoking module of the management program Pb, order information is generated by linking the program ID of the management program B.
- program Aprogram A
- the order information generated in this manneris sent to Program C.
- Management of the program ID acquired by the management program Bis stored in memory in a predetermined field in the management program B; the external program invoking module refers to the field, and in the event that a program ID is present, executes the process mentioned above, or if not present, sends only the program ID of the management program B to Program C.
- authority to executecan be established with a higher level of detail, depending on the execution environment of the management program.
- FIG. 15is an illustration of an exemplary authentication information management table for managing authentication information.
- FIG. 16is an illustration of an exemplary program information management table for administering program information.
- the authentication information table shown in FIG. 15is used to establish authority to execute by means of combinations of user IDs and passwords.
- the program information management table shown in FIG. 16is used to define operations executable depending on the route by which a program is run and the authority to execute. For example, in the case of “User” authority to execute, regardless of the route by which a program is run, modification of resources of the storage device 20 will not be permitted, with only reference to resources being permitted.
- administeringin the event that the management program B has been run via the management program A, modification of resources of the storage device 20 will be permitted, whereas if the management program B has been run directly, only reference to resources of the storage device 20 will be permitted. That is, in addition to authority to execute determined on the basis of user ID and password, operations that will ultimately be executable for resources of the storage device 20 are determined with reference to the route by which management program is run.
- the invoking program executing module that executes the invoking program and the invoked [program] executing module that executes the invoked programare realized by means of a single CPU 11 , there could instead be provided a number of CPUs, with the invoking program executing module and the invoked program executing module being realized respectively by the CPUs.
- the management program (Pb)comprises cross-check information with the program ID (program running route) of the management program A (the invoking program), it would be possible instead to prepare an interface in the management program A on a per-management program basis, with the management program A providing a program ID (program running route) depending on the interface.
- the authentication computer 60sends authority to execute established with respect to the management program B (Pb 2 ), it would be possible to make notification of whether execution of a request input from the client computer 30 is Allowed or Not Allowed, rather than of authority to execute.
- Thishas the advantage that there is no need in the management program B (Pb 2 ) for a table that associates authority to execute with executable operation processes.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
Description
- This application relates to and claims priority from Japanese Patent Application No. 2004-315583, filed on Oct. 29, 2004, the entire disclosure of which is incorporated by reference.
- This invention relates to a computer that executes processes requested interactively by a multiplicity of programs, and to an access control method for a multiplicity of interacting programs.
- A storage system (storage array device) comprises independent storage management programs, with various processes requested by users being executed on the storage device via the storage management programs. When a storage system is to be operated in an integrated fashion, an integrated management program that carries out overall management of the storage management programs on the storage device is installed. The integrated management program invokes the relevant storage management program and executes a process requested by a user via the invoked up storage management program.
- In an environment in which a plurality of storage systems are integrated, a given resource of a storage system can be accessed either directly via an individual storage management program, or indirectly via an integrated management program that calls up the relevant storage management program. In this instance, if the status of a storage system resource is modified directly by an individual storage management program, a discrepancy with the resource status retained by the integrated management program may occur. Additionally, if the status of a given resource of a storage system is modified simultaneously by a multiplicity of storage management programs, discrepancies may arise among resource status retained by the different storage management programs.
- This had been addressed in the past by means of operation to prevent modification of resources by storage management programs that a client (user) directly uses storage management programs, or by making private the accounts of storage management programs whose use is to be restricted, with only an integrated management program retained internally. Various other technologies for limiting user authority in consideration of interaction among programs are known as well.
- However, a problem with an approach involving operation to prevent modification of a resource by storage management programs that a client (user) directly uses is that as long as there is a user who does not comply with the operation, the desired effect cannot be achieved. Also, where accounts of storage management programs whose use is to be restricted are made private with only an integrated management program retained internally, it becomes necessary to create a private account for each user or each authority, creating the problem of increased management costs. Further, with technologies that limit user authority, interaction of programs is not taken into consideration, so that it is not possible to solve the aforementioned problems in environments where a plurality of storage systems are integrated.
- With the foregoing in view, there is need to provide, in a computer that executes processes requested by interaction of a plurality of programs, a way to determine authority to execute for programs depending on the program usage mode.
- The invention addresses the problem by providing a computer that executes processes requested by interaction of a plurality of programs. The computer pertaining to the present invention comprises a receiving module that requests a process and acquires authenticating information; an invoking program executing module that invokes a program executing module for executing a process corresponding to said acquired request, said invoking program executing module sending to the invoked program executing module identifying information for identifying said invoking program executing module and said acquired authenticating information; and an invoked program executing module that by being invoked by said invoking program executing module, or by directly receiving a request, executes the requested process, said invoked program executing module having an authenticating module that uses said authenticating information and the identifying information of said invoking program executing module to establish authority to execute for said invoked program executing module.
- According to the computer pertaining to the invention, identifying information for identifying the invoking program executing module and acquired authenticating information are sent to the invoking program executing module, whereupon the authenticating information and the invoking program executing module identifying information are used to establish authority to execute for said invoked program executing module, whereby in a computer that executes processes requested interactively by a multiplicity of programs, authority to execute for programs can be determined according to program usage mode.
- The computer pertaining to the present invention can also be reduced to practice as an access control method, an access control program, and a computer-readable recording medium having an access control program recorded thereon.
- The following description of the computer and access control method which pertain to the invention is made on the basis of embodiments, with reference to the accompanying drawings.
FIG. 1 is a simplified illustration of the computer system pertaining to First Embodiment.FIG. 2 is an illustration of modules stored in the memory of the computer in First embodiment.FIG. 3 is an illustration of functional blocks realized by the administration computer pertaining to First embodiment.FIG. 4 is an illustration of an exemplary user management table in management program B.FIG. 5 is an illustration of an exemplary authority to execute definition table defining executable operations by means of defined authority to execute.FIG. 6 is an illustration of an exemplary operation definition table that defines content of executable operations by means of defined operations.FIG. 7 is a flowchart showing the processing routine executed by management program A (invoking program).FIG. 8 is a flowchart showing the processing routine executed by management program B (invoked program).FIG. 9 is a simplified illustration of a computer system.FIG. 10 is a flowchart showing the processing routine executed in the event that management program B is executed from a client computer via management program A.FIG. 11 is a flowchart showing the processing routine executed in the event that management program B is executed directly from a client computer.FIG. 12 is a simplified illustration of the computer system pertaining to Second Embodiment.FIG. 13 is an illustration of functional blocks realized by the administration computer pertaining to Second embodiment.FIG. 14 is an illustration of an exemplary user management table used for establishing authority to execute in management program B when four management programs interact and execute management of thestorage device 20.FIG. 15 is an illustration of an exemplary authentication information management table for managing authentication information.FIG. 16 is an illustration of an exemplary program information management table for administering program information.- The following description of the computer system pertaining to First embodiment makes reference to
FIG. 1 andFIG. 2 .FIG. 1 is a simplified illustration of the computer system pertaining to First embodiment.FIG. 2 is an illustration of modules stored in the memory of the computer in First embodiment. - The
computer 10 in First embodiment is an administration computer (administration server computer) that manages a storage device, for example, carrying out creation of volumes in the storage derive, assigning a host, and setting zoning and LUN masking; it is connected to one or a plurality ofstorage devices 20 and to anetwork 40. Thenetwork 40 is a local area network (LAN) with Ethernet (registered trademark) architecture, that carries out transmission of data using the TCP/IP communications protocol.Client computers network 40; theclient computers 30 to32 execute management of thestorage device 20 via theadministration computer 10. - A
service host computer 50 is connected to thenetwork 40, and theservice host computer 50 is connected to thestorage device 20 via a SAN (Storage Area Network)41. Theservice host computer 50 executes a database management system (DBMS) or other service program in response to requests from theclient computers 30 to32, and writes process results to thestorage device 20, or utilizes an information resource stored in thestorage device 20. A Fibre Channel or iSCSI communications protocol is used in the SAN. - The
computer 10 comprises aCPU 11, amemory 12, a rear end I/O interface 13, and a front end I/O interface 14. TheCPU 11, thememory 12, the rear end I/O interface 13, and the front end I/O interface 14 are interconnected via a bus. TheCPU 11 is a processing unit that executes various programs and modules stored in thememory 12. Thememory 12 is a so-called internal storage device, and includes both nonvolatile memory storing the various modules etc., and volatile memory for temporary storage of operation results. The rear end I/O interface 13 is connected to thestorage device 20 via a local area network (LAN). The front end I/O interface 14 is connected to thenetwork 40, and executes sending and receiving of commands and data among theclient computers 30 to32 using the TCP/IP protocol. - The
storage device 20 comprises adisk array controller 21, acache 22, a plurality ofdisk devices 23, and an I/O interface 24. Thedisk array controller 21 is a control circuit that executes control processes of various kinds on thestorage device 20, and comprises aCPU 211,memory 212, and an I/O port. Thecache 22 is a kind of memory device for temporary storage of data that is to be written to adisk device 23, or of data being read from adisk device 23. - The
disk devices 23 are provided as a disk array device of RAID configuration composed of a plurality of magnetic hard disk drives, the plurality of magnetic hard disk drives constituting one or several logical units (LU), or as a single hard disk drive have one or several memory areas, i.e. logical units (LU). Access to each logical unit is carried out using a logical unit number (LUN) and a logical block address (LBA). The I/O interface 24 is connected to the rear I/O interface 13 of theadministration computer 10 via a signal line. - The
client computers 30 to32 are, for example, terminal devices for input or output of data of various kinds, and via theservice host computer 50 execute, for example, database management processes, and execute writing of processed data to thestorage device 20 and reading of data from thestorage device 20. Theclient computers 30 to32 also carry out management of thestorage device 20 via theadministration computer 10. Theclient computers 30 to32 may instead be a single computer, or four or more. - The following description of the various programs and modules stored in the
memory 12 makes reference toFIG. 1 andFIG. 2 . Thememory 12 has stored therein a send/receive process program Pr1 for exchange of data and requests with the client computers, a management program A (Pa), a management program B (Pb), a management program C, and user information utilized by each of the management programs, stored in association with the respective management programs. By way of example,FIG. 2 shows the management program A (Pa) and the details of the user information Uia utilized by the management program A (Pa). - The management program A (Pa) is an integrated storage management program that handles in an integrated manner the management program B (Pb) and C (Pc) provided to each of the
storage devices 20, and corresponds to the invoking (first) program. With the management program A (Pa), there are carried out processes that span several storage devices, and that cannot be managed by the individual management programs B (Pb) and C (Pc) provided to each of thestorage devices 20. For example, the management program A (Pa) provides a storage pool function whereby a number of storage devices are managed as a single virtual storage device, backup schedule management of the logical volumes (logical units) of a storage device, and restriction management of access to the logical volumes. - The management program A (Pa) comprises a request receiving module Ma1 that receives requests and authentication information from the
client computer 30; an authentication information acquiring module Ma2 that acquires the received authentication information; a user authentication module Ma3 that carries out user authentication using authentication information; an execution authority establishing module Ma4 that uses a program ID to establish authority to execute for an invoked program; a request executing module Ma5 that executes requests input from theclient computer 30; and an external program invoking module Ma6 that executes identification of an invoked program and invocation of the invoked program. - The user information Uia comprises a user management table Uia1, an execution authority definition table Uia2, and an operation definition table Uia3, described later.
- The management programs B (Pb) and C (Pc) likewise comprise similar modules. The management programs B (Pb) and C (Pc) are assigned on a one-to-one basis to any single storage device, and execute various management processes in the corresponding storage device. The management programs B (Pb) and C (Pc) provided to the individual storage devices correspond to invoked (second) programs. The
CPU 11 corresponds to the invoked program executing module and the invoking program executing module. Alternatively, by viewing the management programs A (Pa), B (Pb) and C (Pc) executed by theCPU 11 as management program executing modules A (Pa), B (Pb) and C (Pc), the management program A executing module Pa can be considered as the invoking program executing module, and the management program B, C executing modules Pb, Pc as invoked program executing modules. - Typically, since the management programs B (Pb) and C into the
administration computer 10 are sequentially introduced each time that anadditional storage device 20 is provided, the individual storage devices20 a managed by the individual management programs, and thus it is not possible to manage a plurality ofstorage devices 20 in a consolidated (integrated) manner. Under such conditions, by introducing the Integrated management program A (Pa) into theadministration computer 10, consolidated management of the storage devices is possible through the Integrated management program A (Pa). - The following description of the access control process executed during program interactive process in the
administration computer 10 makes reference toFIG. 3 toFIG. 8 .FIG. 3 is an illustration of functional blocks realized by the administration computer pertaining to First embodiment.FIG. 4 is an illustration of an exemplary user management table in the management program B (Pb).FIG. 5 is an illustration of an exemplary authority to execute definition table defining executable operations by means of defined authority to execute.FIG. 6 is an illustration of an exemplary operation definition table that defines content of executable operations by means of defined operations.FIG. 7 is a flowchart showing the processing routine executed by the management program A (Pa) (invoking program).FIG. 8 is a flowchart showing the processing routine executed by the management program B (Pb) (invoked program). The programs and modules are executed by theCPU 11. - The processing routine shown in
FIG. 7 is initiated, for example, by running the management program A (Pa) from theclient computer 30. TheCPU 11 executes the request receiving module Ma1, and receives the authentication information and process request input from theclient computer 30. Authentication information consists of account information necessary for authentication, for example, a user name and password; the process request is, for example, a request to create a new logical volume in thestorage device 20. - The
CPU 11 then executes the authentication information acquiring module Ma2 and acquires the received authentication information. TheCPU 11 executes the authentication module Ma3 and executes authentication for the management program A (Pa) (Step S100). Specifically, theCPU 11 searches the user information and determines whether authentication information exists for the management program A (Pa) in question. In the event that authentication information can be verified to exist, i.e. authentication is successful (Step S100: Yes), theCPU 11 runs the execution authority establishing module Ma4. If on the other hand authentication information cannot be verified to exist, i.e. authentication is not successful (Step S100: No), theclient computer 30 is informed to the effect that authentication failed, and the processing routine terminates. - The
CPU 11 executes the execution authority establishing module Ma4, and on the basis of the user management table establishes in the management program A (Pa) authority to execute assigned to the user. For example, the authority to invoke the management program B (Pb) via the management program A (Pa), the authority to modify settings in the management program A (Pa), or authority settings denying either or both of these are established. - The
CPU 11 executes the request executing module Ma5, and depending on the established authority to execute, executes the request input from theclient computer 30. In the event that the request input from theclient computer 30 invokes the management program B (Pb), and authority to invoke the management program B (Pb) via the management program A (Pa) is verified, theCPU 11 executes the external program invoking module Ma6. - The
CPU 11 identifies the invoked program that is to be invoked by the request from the client computer30 (Step S110). Specifically, in association with the request input from theclient computer 30, there is identified thestorage device 20 constituting the target to which access is being requested and which is targeted for execution of the process requested by the LUN, and thus the management program managing the identifiedstorage device 20, namely, the management program B (Pb) in this embodiment, can be identified. TheCPU 11 also determines whether the authentication information input from theclient computer 30 is used in common by the invoking management program and the invoked management program (Step S120). For example, it can be determined whether the invoked management program is integrated with the invoking management program. - When the management program A (Pa) and management program B (Pb) are integrated, a single set of authentication information is shared in common by the management program A (Pa) and management program B (Pb). On the other hand, when the management program A (Pa) and management program B (Pb) are not integrated, individual identifying information will be required for each, and it will therefore be necessary to convert to authentication information corresponding to the management program B (Pb). Conversion is carried out, for example, using a table that associates authentication information in the management program A (Pa) with authentication information in the management program B (Pb) for a given user, as the user information of the management program A (Pa).
- If authentication information is shared in common (Step S120: Yes), the
CPU 11 acquires the authentication information input from the client computer30 (Step S130), as authentication information that is valid in the invoked program. - If authentication information is shared in common (Step S120: No), the
CPU 11 converts the authentication information input from theclient computer 30 into authentication information that is valid in the invoked program (Step S140). - The
CPU 11 invokes the management program B (Pb), and sends the acquired or converted authentication information and the request, and identifying information for identifying the management program A (Pa) (program ID) to the management program B (Pb) (Step S150), and then terminates the routine. As the program ID, there is used at least one item of information such as program name, program product ID, folder configuration (e.g. a file indicating the version), registry key. - Through invocation from the management program A (Pa), the management program B (Pb) initiates the processing routine shown in
FIG. 8 . TheCPU 11 executes the request receiving module Mb1, and receives the authentication information and process request, and the program ID, sent from the management program A (Pa) (Step S200). TheCPU 11 executes the authentication information acquiring module Mb2, acquires the received authentication information, executes the user authentication module Mb3, and determines whether the authentication information is correct (Step S210). Specifically, theCPU 11 searches the user information and searches for whether the corresponding authentication information exists. - The user management table shown in
FIG. 4 may be employed as user information, for example. That is, the user information includes a user ID for identifying the user, and a password for determining (verifying) whether the user ID has been input by the proper user. If theCPU 11 determines that the authentication information is not correct, i.e. that there is no corresponding authentication information (Step S210: No), theCPU 11 suspends the process, returns an Authentication Failed status to the client computer30 (Step S220), and terminates the processing routine. - If the
CPU 11 determines that the authentication information is correct, i.e. that corresponding authentication information exists (Step S210: Yes),CPU 11 runs the execution authority establishing module Mb4. TheCPU 11 acquires authority to execute information (the user management table) for the authenticated user (Step S230), compares the received program ID with the program ID included in the acquired authority to execute information (Step S240), and determines whether authority to execute corresponding to the received program ID are defined (Step S250). As noted, as the program ID, for example, there is used program name, program product ID, folder configuration (e.g. a file indicating the version), registry key, and thus information enabling the program IDs to be compared and authenticated is stored by way of user information of the management program B (Pb). - Specifically, using the user management table shown in
FIG. 4 , it is determined whether a program ID corresponding to the received program ID exists in the user management table. As the method for making the determination, it is acceptable to always assign some authority to execute to program IDs described in the user management table, and to determine whether a program ID corresponding to the received program ID exists in the user management table. Alternatively, it would be acceptable to describe all related program IDs in the user management table and to assign detailed authority to execute to each program ID, and make the determination on the basis of the authority to execute assigned to a particular program ID. - If the
CPU 11 determines that authority to execute have been defined for the received program ID (Step S250: Yes), the defined authority to execute are established as authority to execute for the management program B (Pb) (Step S260). On the other hand, if theCPU 11 determines that authority to execute have not been defined for the received program ID (Step S250: No), theCPU 11 suspends the process, returns an Authentication Failed status to the client computer30 (Step S220), and terminates the processing routine. - In the example of
FIG. 4 , in the event that Program A (Pa) is input as the program ID, “Administrator” authority to execute are established, whereas in the event that no program ID is input, i.e. where the management program B (Pb) has been run directly by theclient computer 30, “User” authority to execute are established. Generally, “Administrator” authority to execute are those intended to be assigned to the administrator, and that grant all authority to execute with respect to the management programs. On the other hand, “User” authority to execute are those intended to be assigned to ordinary users, and that grant only certain authority to execute with respect to the management programs. - As shown in
FIG. 5 , in the embodiment, the “Administrator” is granted all system operation settings, resource operations, and resource reference operations, whereas a “User” on the other hand is granted only resource reference operations. As shown inFIG. 6 , system operation settings permit carrying out of system settings, which are settings for operating programs, including host name, host number, and other server settings; resource operations include both resource modifications, i.e. creating, modifying, and deleting logical units, as well as resource reference, whereas resource reference operations permit only resource reference. - The
CPU 11 executes the request executing module Mb5, and depending on the established authority to execute, executes the request input from the client computer30 (Step S270), and terminates the processing routine. In the event that an additional management program C is invoked via the management program B (Pb), an external program invoking module Mb6 may be provided for the purpose of invoking the management program C. - The following detailed description of the access control process during the program interaction process in First embodiment makes reference to
FIG. 9 toFIG. 11 .FIG. 9 is a simplified illustration of the computer system.FIG. 10 is a flowchart showing the processing routine executed in the event that the management program B (Pb) is executed from a client computer via the management program A (Pa).FIG. 11 is a flowchart showing the processing routine executed in the event that the management program B (Pb) is executed directly from a client computer. - To briefly describe the arrangement of the computer system, the computer system comprises a
client computer 30, anadministration computer 10, and first andsecond storage devices client computer 30 are stored an integratedmanagement client program 31 that executes a storage integrated operation management program Pa (invoking program) stored oncomputer 10; and first and second individualmanagement client programs client computer 30 functions as the client program executing module that executes these client programs. - On
computer 10 are stored first and second storage device management programs Pb1, Pc1 for executing management of the first andsecond storage devices second storage devices - The first and second storage device management programs Phi, Pc1 each comprise an authentication module Mpb1, Mpc1 that carries out user authentication; a storage operation module Mpb2, Mpb3 that carries out operations on the
storage device - The first and
second storage devices - The following description of execution of the management program B (Pb) from the client computer via the management program A (the storage integrated operation management program Pa1) makes reference to
FIG. 10 . - The
user 1 inputs to theclient computer 30 authentication information for logging in to the management program A (Pa1), and a new volume creation request to the first storage device201 (Step U1). The integratedmanagement client program 31 of theclient computer 30 sends the input authentication information and volume creation request to the management program A (Pa1) (Step C1). The administration computer10 (CPU) executes the management program A (Pa1), and performs user authentication by means of the authentication module Mpa1 (Step PaS1). In the event that user authentication is successful, theadministration computer 10, by means of the storage operation information management module Mpa3, runs the management program that manages the target storage device, for example, the management program B (Pb1), and sends to the management program B (Pb1) authentication information for the management program B (Pb1) and identifying information (program ID) for the management program A (Pa1) (Step PaS2). In the event that user authentication fails, theadministration computer 10 notifies theclient computer 30 of authentication failure, so that theuser 1 can be notified of the authentication failure to the management program A (Pa1), for example, by means of the display screen of theadministration computer 10. - The
administration computer 10 executes the management program B (Pb1), and using the authentication information for the management program B (Pb1) and the ID of the management program A (Pa1), performs user authentication by means of the authentication module Mpb1 (Step PbS1); in the event that authentication fails (Step PbS2: No), it notifies the management program A (Pa1) of the authentication failure. Upon receiving notification of authentication failure, the management program A (Pa1) sends an Authentication Failed notification to the client computer30 (Step PaS3). Theuser 1 can be notified of the authentication failure to the management program B (Pb1), for example, by means of the display screen of theclient computer 30. - In the event that authentication to the management program B (Pb1) is successful (Step PbS2: Yes), the
administration computer 10 establishes the user authority to execute assigned to theuser 1 as authority to execute having a “resource modification authority” (Step PbS3). Theadministration computer 10 executes the storage operation module Mpb2 and requests thefirst storage device 201 to create the volume. Upon receiving the volume creation request, thefirst storage device 201 creates the requested volume, for example, via a disk adapter (Step SS1). When the volume creation process is complete, thefirst storage device 201 sends Volume Created notification to the management program B (Pb1) (Step SS2). - The management program B (Pb1) notifies the management program A (Pa1) to the effect that the volume has been successfully created (Step PbS4). The management program A (Pa1) stores information for the newly created volume as device information in the storage operation information management module Mpa3, and requests the
client computer 30 to display a successful volume creation display screen (Step PaS4). By confirming the successful volume creation display displayed on the display screen of theclient computer 30, theuser 1 can be notified of successful creation of a new volume in thefirst storage device 201. - The following description of direct execution of the first storage device the management program Pb (the management program B) by a client computer makes reference to
FIG. 11 . - The
user 1 inputs to theclient computer 30 authentication information for logging in to the management program B (Pb1), and a new volume creation request to the first storage device201 (Step U10). The first individualmanagement client program 32 of theclient computer 30 sends the input authentication information and volume creation request to the management program B (Pb1) (Step C10). Theadministration computer 10 executes the management program B (Pb1), and performs user authentication by means of the authentication module Mpb1 (Step PbS10) using the authentication information of the management program B (Pb1). In the event that user authentication fails (Step PbS11: No), theclient computer 30 is notified of the authentication failure. Theclient computer 30 displays the authentication failure on the display screen, so that theuser 1 can be notified of the authentication failure with respect to the management program B (Pb1), through the display screen of theclient computer 30. - In the event that authentication with respect to the management program B (Pb1) is successful (Step PbS11: Yes), the
administration computer 10 establishes the user authority to execute assigned to theuser 1 as authority to execute having a “resource reference authority” (Step PbS12). Specifically, since there is no program ID (identifying information) of the management program A (Pa1), a high authority level enabling modification of resource status is not established. Since theuser 1 is only granted resource reference authority, theadministration computer 10 notifies theclient computer 30 that theuser 1 does not have volume creation authority (Step PaS13). Through the display screen of theclient computer 30, theuser 1 can be notified that volume creation is not allowed. - As described hereinabove, according to the
administration computer 10 of First embodiment, in cases where a multiplicity of the management programs interact, the desired access control can be carried out depending on the mode of program interaction (the program startup mode, invoking mode). More specifically, in cases where a storage device is managed by means of an invoking program (storage integrated operation management program Pa, Pa1) invoking an invoked program (storage device management program Pb, Pb1, Pc1), high authority to execute can be assigned to the user, whereas in cases where management of a storage device is executed directly by means of an invoked program, low authority to execute can be assigned to the user. That is, authority to execute can be established in such a way that where an invoked program is executed through an invoking program, resource modification to thestorage device 20 and modification of system settings can be permitted, while in the case of direct execution by an invoked program, only reference to resources of thestorage device 20 is permitted. - As a result, it is possible to avoid a situation in which, for example, in the event the storage device management program Pb has been run directly, and a resource of the
storage device 20 has been modified, the storage integrated operation management program Pa fails to be notified of the resource modification, so that execution of the storage integrated operation management program Pa is impaired. Specifically, in the event that the storage device management program Pb has been run directly, and a volume targeted in the backup schedule by the storage integrated operation management program Pa has been deleted, if the storage integrated operation management program Pa is not notified of the fact that the volume targeted in the backup schedule has been deleted, an error will occur when the backup process is executed. Or, where the storage device management program Pb has been run directly, and the access address for a volume has been changed, the problem of inability of the storage integrated operation management program Pa to access the desired address will occur. - With the
administration computer 10 of First embodiment, on the other hand, in the event that the storage device management program Pb has been run via the storage integrated operation management program Pa, resource modifications to thestorage device 20 will be permitted, but in the event that the storage device management program Pb has been run directly, resource modifications to thestorage device 20 will not be permitted, thereby reducing or avoiding the occurrence of the problem mentioned above. - In the authentication process carried out in an invoked program, identifying information of the invoking program is utilized, so that it is possible to quickly and accurately determine whether an invoked program has been executed through the agency of the invoking program, or whether an invoked program has been executed directly. Additionally, establishment of authority to execute over a wide range depending on the invoking program is possible as well.
- Authority to execute may be granted as in the following examples as well.
- (a) When authority to execute of an invoked program is the same as compared to the case where there is no program ID.
- In cases where there is no effect on the invoking program even if an invoked program is executed directly (in the case that there is no effect on the processes of the invoking program), the access restrictions of the invoked program may be the same, regardless of the route by which the invoked program is invoked.
- (b) When low authority to execute is established for an invoked program as compared to the case where there is no program ID.
- In the case of an unregistered program or a program ID that is no longer supported, running from the program will not be permitted even if the program ID is successfully acquired.
- (c) When unique restrictions are imparted during program interaction.
- Where the invoking program is a monitoring program, in the event of running from the invoking program, reference authority will not be granted without exception.
- The following description of the computer system pertaining to Second embodiment makes reference to
FIG. 12 andFIG. 13 .FIG. 12 is a simplified illustration of the computer system pertaining to Second embodiment.FIG. 13 is an illustration of functional blocks realized by the administration computer pertaining to Second embodiment. Theadministration computer 100 pertaining to Second embodiment has a basic arrangement similar to theadministration computer 10 pertaining to First embodiment, with the exception of a different arrangement of the modules stored in the management programs; since the arrangement of the storage device in Second embodiment is similar to the arrangement of thestorage device 20 in First embodiment, symbols identical to the symbols used in First embodiment are used, and detailed description of arrangements is not provided. - In the computer system pertaining to Second embodiment, apart from the
administration computer 100, there is additionally provided anauthentication computer 60, with authentication processes for the management programs Pa2, Pb2 being executed in theauthentication computer 60. Theauthentication computer 60 comprises aCPU 61 for executing authentication processes; acache 62 for temporary storage of authentication information used for authentication, or authentication results;memory 63 for storing an authentication program Pd and user information Uid; and an I/O interface 64 that executes communication with theadministration computer 100 and theclient computers local area network 40. - In this embodiment, since a
separate authentication computer 60 is provided in addition to theadministration computer 100, as shown inFIG. 13 , the management program A (Pa2) and management program B (Pb2) are not provided with the modules needed for user authentication. Instead, the authentication program Pd of theauthentication computer 60 comprises a sending/receiving module ML1 that sends and receives authentication information and authentication results to and from the management programs in theadministration computer 100, an authentication information acquiring module ML2 that acquires authentication information from received authentication information, a user authentication module ML3 that executes user authentication, an execution authority establishing module ML4 that establishes authority to execute depending on the order of program execution, and user information Uid. - Following is a description of the access control process during program interaction in the computer system pertaining to Second embodiment.
- When, for example, the management program A (Pa2) is run from the
client computer 30, theCPU 11 executes the request receiving module Ma1, and receives the authentication information and process request input from theclient computer 30. Authentication information consists of account information necessary for authentication, for example, a user name and password; the process request is, for example, a request to create a new logical volume in thestorage device 20. TheCPU 11 executes the authentication information acquiring module Ma2, acquires the received authentication information, and sends to theauthentication computer 60 authentication information for the acquired the management program A (Pa2). - In the
authentication computer 60, theCPU 61 executes the sending/receiving module ML1, and receives identifying information sent from the management program A (Pa2). TheCPU 61 executes the authentication information acquiring module ML2 and acquires the received authentication information. TheCPU 61 executes the user authentication module ML3, and executes authentication with respect to the management program A (Pa2). Specifically, theCPU 61 searches the user information and determines whether authentication information exists for the management program A (Pa2) in question. In the event that authentication is successful, theCPU 61 runs the execution authority establishing module ML4. If on the other hand authentication is not successful theCPU 61 informs theclient computer 30 via the management program A to the effect that authentication failed. - When the
CPU 61 executes the execution authority establishing module ML4, on the basis of the user management table, authority to execute assigned to the user are established in the management program A (Pa2). For example, the authority to invoke the management program B (Pb2) via the management program A (Pa2), the authority to modify settings in the management program A (Pa2), or authority settings denying either or both of these are established, TheCPU 61 sends the established authority to execute to the request executing module Ma5 of the management program A (Pa2) via the sending/receiving module ML1. - The
CPU 11 executes the request executing module Ma5, and depending on the established authority to execute, executes the request input from theclient computer 30. In the event that the request input from theclient computer 30 invokes the management program B (Pb2), and authority to invoke the management program B (Pb2) via the management program A (Pa2) is verified, theCPU 11 executes the external program invoking module Ma6. - The
CPU 11, by means of the request from theclient computer 30, identifies the invoked program to be invoked, as described in First embodiment. TheCPU 11 invokes the identified invoked program, for example, the management program B (Pb2), and requests the invoked program to send authentication information and program identifying information (program ID) of the management program A (Pa2). - The management program B (Pb2) is run by means of being invoked by the management program A (Pa2). The
CPU 11 executes the request receiving module Mb1, and receives the authentication information and process request, and the program ID, sent from the management program A (Pa) (Step S200). TheCPU 11 executes the authentication information acquiring module Mb2, acquires the received authentication information, and sends the authentication information for the acquired the management program B (Pb2) to theauthentication computer 60. - In the
authentication computer 60, theCPU 61 executes the sending/receiving module ML1, and receives identifying information send from the management program B (Pb2). TheCPU 61 executes the authentication information acquiring module ML3 and acquires the received authentication information. TheCPU 61 executes the user authentication module ML3 and executes authentication with respect to the management program B (Pb2). Specifically, theCPU 61 searches the user information and determines whether authentication information exists for the management program B (Pb2) in question. In the event that user authentication is successful, theCPU 61 runs the execution authority establishing module ML4. On the other hand, in the event that authentication is not successful, theCPU 61 notifies theclient computer 30 of the authentication failure via the management program B (Pb2). - When the
CPU 61 executes the execution authority establishing module ML4, authority to execute assigned to the user are established, using the program ID. In this embodiment, as in First embodiment, where the program ID of the management program A (Pa2) is received together with authentication information, authority to execute that permit modification of resources in thestorage device 20 are established. - On the other hand, when the management program B (Pb2) is run directly from the
client computer 30, only authentication information is sent to theauthentication computer 60, with no program ID being sent, so there are established authority to execute that allow only reference of resources in thestorage device 20. That is, since the program ID is identifying information that is given to the invoked program by the invoking program, it cannot be utilized in cases where the invoked program is run directly. - The
CPU 61 sends the established authority to execute to the request executing module Mb5 of the management program B (Pb2) via the sending/receiving module ML1. In the management program B (Pb2) there has been prepared an operation definition table that defines the contents of operating processes that can be executed in association with authority to execute. - The
CPU 11 that has received the established authority to execute executes the request executing module Mb5, refers to the operation definition table and determines those operation processes that will be permitted for the established authority to execute, and executes the request input from theclient computer 30. In the event that the management program B (Pb2) has been run directly by theclient computer 30, even if the request input from theclient computer 30 is one to modify a resource in thestorage device 20, since only resource reference operation processes are authorized, the request will not be executed. If on the other hand the management program B (Pb2) has been run via the management program A (Pa2), the requested resource modification process will be executed. - As described hereinabove, according to the computer system of Second embodiment, in addition to the advantages afforded by the computer system (administration computer) pertaining to First embodiment, the fact that an
authentication computer 60 separate from theadministration computer 10 is provided can also reduce the load on theadministration computer 10. That is, since authentication processes for the management programs can be executed in theauthentication computer 60, there is no need to provided theadministration computer 10 with the modules needed for authentication processes, nor is there any need to assign computing resources for executing authentication processes. - Additionally, since user information required for authentication can be managed in consolidated fashion in the
authentication computer 60, management and updating of authentication information can be made easier. - (1) Whereas in
Embodiments storage device 20 could be used selectively in the same manner where three or more the management programs interact. Such a situation could be accommodated, for example, by providing the user management table shown inFIG. 14 .FIG. 14 is an illustration of an exemplary user management table used for establishing authority to execute in the management program B when four management programs interact and execute management of thestorage device 20. - In a case where three or more management programs interact, by determining the route by which a program is run, authority to execute can be established depending on the management program executed prior to execution of the management program B. Also, where time information, i.e. order information can be appended to the program ID, authority to execute can be established depending on the order in which management programs are run prior to execution of the management program B. Specifically, where for example the management program B interacts with external program C, and the management program B has acquired a program ID from another program (Program A, for example), order information, after appending a comma to the end of the program ID by the external program invoking module of the management program Pb, order information is generated by linking the program ID of the management program B. The order information generated in this manner is sent to Program C. Management of the program ID acquired by the management program B is stored in memory in a predetermined field in the management program B; the external program invoking module refers to the field, and in the event that a program ID is present, executes the process mentioned above, or if not present, sends only the program ID of the management program B to Program C. In this case, authority to execute can be established with a higher level of detail, depending on the execution environment of the management program.
- (2) Whereas in
Embodiments FIG. 15 andFIG. 16 .FIG. 15 is an illustration of an exemplary authentication information management table for managing authentication information.FIG. 16 is an illustration of an exemplary program information management table for administering program information. - The authentication information table shown in
FIG. 15 is used to establish authority to execute by means of combinations of user IDs and passwords. The program information management table shown inFIG. 16 is used to define operations executable depending on the route by which a program is run and the authority to execute. For example, in the case of “User” authority to execute, regardless of the route by which a program is run, modification of resources of thestorage device 20 will not be permitted, with only reference to resources being permitted. - On the other hand, where “Administrator” authority to execute have been established, in the event that the management program B has been run via the management program A, modification of resources of the
storage device 20 will be permitted, whereas if the management program B has been run directly, only reference to resources of thestorage device 20 will be permitted. That is, in addition to authority to execute determined on the basis of user ID and password, operations that will ultimately be executable for resources of thestorage device 20 are determined with reference to the route by which management program is run. - (3) Whereas in the embodiments hereinabove, the invoking program executing module that executes the invoking program and the invoked [program] executing module that executes the invoked program are realized by means of a
single CPU 11, there could instead be provided a number of CPUs, with the invoking program executing module and the invoked program executing module being realized respectively by the CPUs. - (4) Whereas in the embodiments hereinabove, the management program (Pb) comprises cross-check information with the program ID (program running route) of the management program A (the invoking program), it would be possible instead to prepare an interface in the management program A on a per-management program basis, with the management program A providing a program ID (program running route) depending on the interface.
- (5) Whereas in Second embodiment, the
authentication computer 60 sends authority to execute established with respect to the management program B (Pb2), it would be possible to make notification of whether execution of a request input from theclient computer 30 is Allowed or Not Allowed, rather than of authority to execute. This has the advantage that there is no need in the management program B (Pb2) for a table that associates authority to execute with executable operation processes. - (6) Whereas in the embodiments hereinabove, there were described examples in which several management programs are installed on a
single administration computer - (7) Whereas in the embodiments hereinabove, there were described examples of an administration computer for a
storage device 20 making up a SAN, but implementation would be similar for NAS (Network Attached Storage). In this case, the management processes and access restrictions described above could be executed by routing through a management port for the NAS. - While the computer, access control method in a computer, and computer system which pertain to the invention have been described hereinabove on the basis of embodiments, the embodiments of the invention set forth herein are intended to aid in understanding of the invention, and should not be construed as limiting. Various modifications and improvements to the invention without departing from the spirit and scope thereof as set forth in the appended claims, and these equivalents will of course be encompassed in the invention.
Claims (8)
1-17. (canceled)
18. A computer for managing a first managed apparatus, the computer comprising a processor that executes programs stored in a memory;
the memory comprises an integrated management program, an apparatus management program for the first managed apparatus, and user management information;
the computer is coupled to the first managed apparatus and is configured to:
receive user authentication information of a first user, and a management request for the first managed apparatus for at least the apparatus management program;
wherein the user management information indicates a first authority and a second authority for the first user, the first authority is an authority that the first user manages the first managed apparatus by using the apparatus management program without the integrated management program, the second authority is an authority that the first user manages the first managed apparatus by using the apparatus management program through the integrated management program;
wherein if the user authentication information and the management request are for the apparatus management program:
the apparatus management program decides whether the first user has an authority to execute the management request based on the first authority of the user management information and the user authentication information, and
the apparatus management program sends the management request to the first managed apparatus if the first authority includes permission to execute the management request;
wherein if the user authentication information and the management request are for the integrated management program:
the integrated management program decides whether the first user has an authority to execute the management request based on the user authentication information and based on the user management information or another user management information for the integrated management program,
the integrated management program internally or externally sends a management request to the apparatus managed program with the user authentication information if the first user is permitted to execute the management request for the integrated management program,
the apparatus management program decides whether the first user has an authority to execute the management request based on the second authority of the user management information and the user authentication information, and
the apparatus management program sends the management request to the first managed apparatus if the second authority includes permission to execute the management request; and
wherein the first authority and the second authority are different.
19. A computer according toclaim 18 ,
wherein the first authority includes permission to refer to a first resource of the first managed apparatus, and the second authority includes permissions to refer and create the first resource of the first managed apparatus.
20. A computer according toclaim 18 , wherein the user authentication information includes an identification of the user.
21. A computer according toclaim 19 , wherein the first managed apparatus is a storage apparatus, and the resource is a volume of the storage apparatus.
22. A computer according toclaim 18 , wherein the computer is further configured to:
receive user authentication information of a first user, and a management request for a second managed apparatus for at least the apparatus management program; and
wherein if the user authentication information and the management request are for the apparatus management program, then the apparatus management program sends the management request to the second managed apparatus if the first authority includes permission to execute the management request, and if the user authentication information and the management request are for the integrated management program, then the apparatus management program sends the management request to the second managed apparatus if the second authority includes permission to execute the management request.
23. A management computer coupled to a first managed apparatus over a computer network, the management computer comprising a processor that executes programs stored in a memory, the management computer is configured to:
receive a management request and user authentication information at the management computer from a client computer for utilization of the first managed apparatus through at least one of an apparatus management program at the management computer or an integrated management program stored at the management computer;
determine a first authority and a second authority for a first user at the client computer, based on user management information stored at the management computer, wherein the first authority is an authority through which the first user manages the first managed apparatus by using the apparatus management program without the integrated management program, and the second authority is an authority through which the first user manages the first managed apparatus by using the apparatus management program through the integrated management program;
wherein if the user authentication information and the management request are for utilization of the first managed apparatus through the apparatus management program, then:
the apparatus management program decides whether the first user has an authority to execute the management request based on the first authority of the user management information and the user authentication information, and
the apparatus management program sends the management request to the first managed apparatus if the first authority includes permission to execute the management request;
wherein if the user authentication information and the management request are for utilization of the first managed apparatus through the integrated management program, then the integrated management program:
decides whether the first user has an authority to execute the management request based on the user authentication information and based on the user management information or another user management information for the integrated management program,
internally or externally sends a management request to the apparatus managed program with the user authentication information if the first user permitted to execute the management request for the integrated management program,
decides whether the first user has an authority to execute the management request based on the second authority of the user management information and the user authentication information, and
sends the management request to the first managed apparatus if the second authority includes permission to execute the management request; and
wherein the first authority and the second authority are different.
24. A management computer according toclaim 23 , further configured to:
receive a management request and user authentication information at the management computer from the client computer for utilization of a second managed apparatus through at least one of an apparatus management program at the management computer or an integrated management program stored at the management computer;
wherein if the user authentication information and the management request are for the apparatus management program, then the apparatus management program sends the management request to the second managed apparatus if the first authority includes permission to execute the management request, and if the user authentication information and the management request are for the integrated management program, then the apparatus management program sends the management request to the second managed apparatus if the second authority includes permission to execute the management request.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US13/179,715US20110271336A1 (en) | 2004-10-29 | 2011-07-11 | Computer and Access Control Method in a Computer |
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2004315583AJP4532237B2 (en) | 2004-10-29 | 2004-10-29 | Computer and access control method in computer |
| JP2004-315583 | 2004-10-29 | ||
| US11/024,123US7461135B2 (en) | 2004-10-29 | 2004-12-27 | Computer and access control method in a computer |
| US12/273,612US7984133B2 (en) | 2004-10-29 | 2008-11-19 | Computer and access control method in a computer |
| US13/179,715US20110271336A1 (en) | 2004-10-29 | 2011-07-11 | Computer and Access Control Method in a Computer |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US12/273,612ContinuationUS7984133B2 (en) | 2004-10-29 | 2008-11-19 | Computer and access control method in a computer |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| US20110271336A1true US20110271336A1 (en) | 2011-11-03 |
Family
ID=36317815
Family Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US11/024,123Expired - Fee RelatedUS7461135B2 (en) | 2004-10-29 | 2004-12-27 | Computer and access control method in a computer |
| US12/273,612Expired - Fee RelatedUS7984133B2 (en) | 2004-10-29 | 2008-11-19 | Computer and access control method in a computer |
| US13/179,715AbandonedUS20110271336A1 (en) | 2004-10-29 | 2011-07-11 | Computer and Access Control Method in a Computer |
Family Applications Before (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US11/024,123Expired - Fee RelatedUS7461135B2 (en) | 2004-10-29 | 2004-12-27 | Computer and access control method in a computer |
| US12/273,612Expired - Fee RelatedUS7984133B2 (en) | 2004-10-29 | 2008-11-19 | Computer and access control method in a computer |
Country Status (2)
| Country | Link |
|---|---|
| US (3) | US7461135B2 (en) |
| JP (1) | JP4532237B2 (en) |
Families Citing this family (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060265759A1 (en)* | 2005-05-19 | 2006-11-23 | Microsoft Corporation | Systems and methods for identifying principals to control access to computing resources |
| JP4720303B2 (en)* | 2005-06-08 | 2011-07-13 | 株式会社日立製作所 | Configuration management method for computer system including storage system |
| JP4615474B2 (en)* | 2006-04-07 | 2011-01-19 | 株式会社エヌ・ティ・ティ・ドコモ | Communication terminal, user data movement system, and user data movement method |
| JP4977536B2 (en)* | 2006-08-11 | 2012-07-18 | 株式会社リコー | Information processing apparatus, information acquisition method, and information acquisition program |
| US7712143B2 (en)* | 2006-09-27 | 2010-05-04 | Blue Ridge Networks, Inc. | Trusted enclave for a computer system |
| JP2008097214A (en)* | 2006-10-10 | 2008-04-24 | Hitachi Ltd | Access right management method, management computer, and management program |
| US7809955B2 (en)* | 2006-10-17 | 2010-10-05 | Blue Ridge Networks, Inc. | Trustable communities for a computer system |
| JP4909756B2 (en)* | 2007-02-09 | 2012-04-04 | 株式会社リコー | Information processing apparatus, external application utilization method, and program |
| US20090271547A1 (en)* | 2008-04-28 | 2009-10-29 | Anuradha Goel | Target Discovery and Virtual Device Access Control based on Username |
| KR101041115B1 (en) | 2008-09-02 | 2011-06-13 | 주식회사 신한은행 | Method and system of using website by authority control and recording media for it |
| KR101056423B1 (en)* | 2008-09-02 | 2011-08-11 | 주식회사 신한은행 | Program Execution Management Method and Record Media Using Logged-In Account Control |
| JP4743297B2 (en)* | 2009-03-16 | 2011-08-10 | コニカミノルタビジネステクノロジーズ株式会社 | Image forming apparatus, function expansion method, and user authentication system |
| JP5463112B2 (en)* | 2009-09-24 | 2014-04-09 | Necパーソナルコンピュータ株式会社 | Information processing apparatus, file access control method, program, and computer-readable recording medium |
| JP2011090550A (en)* | 2009-10-23 | 2011-05-06 | Hitachi Ltd | Computer system and program recording medium |
| US8966194B2 (en)* | 2009-10-29 | 2015-02-24 | Cleversafe, Inc. | Processing a write request in a dispersed storage network |
| US20110154015A1 (en)* | 2009-12-21 | 2011-06-23 | Tareq Mahmud Rahman | Method For Segmenting A Data File, Storing The File In A Separate Location, And Recreating The File |
| US20190095101A1 (en) | 2010-08-02 | 2019-03-28 | International Business Machines Corporation | Authenticating a credential in a dispersed storage network |
| KR101748318B1 (en)* | 2010-11-22 | 2017-06-27 | 삼성전자 주식회사 | Method and apparatus for executing application of mobile terminal |
| JP6123350B2 (en)* | 2013-02-26 | 2017-05-10 | 日本電気株式会社 | Verification device, verification method, and program |
| JP6322967B2 (en)* | 2013-11-19 | 2018-05-16 | 日本電気株式会社 | Data protection apparatus, method, and program |
| JP6801267B2 (en)* | 2016-07-04 | 2020-12-16 | 富士通株式会社 | Evaluation program, evaluation method, evaluation device and information processing device |
| CN109558751A (en)* | 2018-11-30 | 2019-04-02 | 深圳市盟天科技有限公司 | A kind of access method of application program, device, server and storage medium |
| CN110414230B (en)* | 2019-06-21 | 2022-04-08 | 腾讯科技(深圳)有限公司 | Virus checking and killing method and device, computer equipment and storage medium |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020111948A1 (en)* | 1999-10-18 | 2002-08-15 | Nixon Mark J. | Interconnected zones within a process control system |
| US20030112977A1 (en)* | 2001-12-18 | 2003-06-19 | Dipankar Ray | Communicating data securely within a mobile communications network |
| US6820168B2 (en)* | 2001-01-25 | 2004-11-16 | Hitachi, Ltd. | Storage system and virtual private volume control method |
| US20050061878A1 (en)* | 2003-09-23 | 2005-03-24 | Ronald Barenburg | Method for improving security and enhancing information storage capability, the system and apparatus for producing the method, and products produced by the system and apparatus using the method |
| US20050071630A1 (en)* | 2003-08-15 | 2005-03-31 | Imcentric, Inc. | Processing apparatus for monitoring and renewing digital certificates |
| US20050257274A1 (en)* | 2004-04-26 | 2005-11-17 | Kenta Shiga | Storage system, computer system, and method of authorizing an initiator in the storage system or the computer system |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5414852A (en) | 1992-10-30 | 1995-05-09 | International Business Machines Corporation | Method for protecting data in a computer system |
| JP4651230B2 (en)* | 2001-07-13 | 2011-03-16 | 株式会社日立製作所 | Storage system and access control method to logical unit |
| JP2002222061A (en)* | 2001-01-25 | 2002-08-09 | Hitachi Ltd | Method of setting storage area, storage device, and program storage medium |
| JP2003330622A (en)* | 2002-03-08 | 2003-11-21 | Hitachi Ltd | Access management server, disk array system, and access management method therefor |
| US20030172069A1 (en) | 2002-03-08 | 2003-09-11 | Yasufumi Uchiyama | Access management server, disk array system, and access management method thereof |
| JP4240929B2 (en) | 2002-07-10 | 2009-03-18 | 日本電気株式会社 | Access control method in file management system |
| JP4093811B2 (en) | 2002-07-24 | 2008-06-04 | 富士通株式会社 | User access right control apparatus and method |
| JP4361752B2 (en)* | 2003-03-31 | 2009-11-11 | 株式会社富士通ソーシアルサイエンスラボラトリ | Access control method |
- 2004
- 2004-10-29JPJP2004315583Apatent/JP4532237B2/ennot_activeExpired - Fee Related
- 2004-12-27USUS11/024,123patent/US7461135B2/ennot_activeExpired - Fee Related
- 2008
- 2008-11-19USUS12/273,612patent/US7984133B2/ennot_activeExpired - Fee Related
- 2011
- 2011-07-11USUS13/179,715patent/US20110271336A1/ennot_activeAbandoned
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020111948A1 (en)* | 1999-10-18 | 2002-08-15 | Nixon Mark J. | Interconnected zones within a process control system |
| US6820168B2 (en)* | 2001-01-25 | 2004-11-16 | Hitachi, Ltd. | Storage system and virtual private volume control method |
| US20030112977A1 (en)* | 2001-12-18 | 2003-06-19 | Dipankar Ray | Communicating data securely within a mobile communications network |
| US20050071630A1 (en)* | 2003-08-15 | 2005-03-31 | Imcentric, Inc. | Processing apparatus for monitoring and renewing digital certificates |
| US20050061878A1 (en)* | 2003-09-23 | 2005-03-24 | Ronald Barenburg | Method for improving security and enhancing information storage capability, the system and apparatus for producing the method, and products produced by the system and apparatus using the method |
| US20050257274A1 (en)* | 2004-04-26 | 2005-11-17 | Kenta Shiga | Storage system, computer system, and method of authorizing an initiator in the storage system or the computer system |
Also Published As
| Publication number | Publication date |
|---|---|
| JP4532237B2 (en) | 2010-08-25 |
| US7984133B2 (en) | 2011-07-19 |
| JP2006127205A (en) | 2006-05-18 |
| US7461135B2 (en) | 2008-12-02 |
| US20090077250A1 (en) | 2009-03-19 |
| US20060101399A1 (en) | 2006-05-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7984133B2 (en) | Computer and access control method in a computer | |
| US8966281B1 (en) | Systems and methods for accessing storage or network based replicas of encryped volumes with no additional key management | |
| US8261068B1 (en) | Systems and methods for selective encryption of operating system metadata for host-based encryption of data at rest on a logical unit | |
| US7793101B2 (en) | Verifiable virtualized storage port assignments for virtual machines | |
| US6493825B1 (en) | Authentication of a host processor requesting service in a data processing network | |
| US6295575B1 (en) | Configuring vectors of logical storage units for data storage partitioning and sharing | |
| US8185961B2 (en) | Network system, method for controlling access to storage device, management server, storage device, log-in control method, network boot system, and method of accessing individual storage unit | |
| US8166314B1 (en) | Selective I/O to logical unit when encrypted, but key is not available or when encryption status is unknown | |
| US6799255B1 (en) | Storage mapping and partitioning among multiple host processors | |
| US6421711B1 (en) | Virtual ports for data transferring of a data storage system | |
| US7620984B2 (en) | Method of managing computer system | |
| US7840730B2 (en) | Cluster shared volumes | |
| US7039662B2 (en) | Method and apparatus of media management on disk-subsystem | |
| CN103299312B (en) | Data storage system and control method thereof | |
| US7380094B2 (en) | Storage system and storage management system | |
| WO2008063417A2 (en) | Resource level role based access control for storage management | |
| US8713307B2 (en) | Computer system and volume migration control method using the same | |
| JP4863905B2 (en) | Storage usage exclusion method | |
| KR101056423B1 (en) | Program Execution Management Method and Record Media Using Logged-In Account Control | |
| CN101137993A (en) | Network system, access control method for storage device, management server, storage device, login control method, network guidance system, and unit storage unit access method | |
| JP7596414B2 (en) | Multi-tenant management system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| STCB | Information on status: application discontinuation | Free format text:ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |