For purposes of providing security in a network system, various methods may be used to restrict the access of a network administrator (or other users of the network system) to a particular network resource (or network resources) in the network system. Network resources in a network system include, for example, storage appliances (e.g., filer products which are commercially available from NETWORK APPLIANCE, INCORPORATED or other types of file servers or computing devices used for data storage), network caches (e.g., NetCache® products which are commercially available from NETWORK APPLIANCE, INCORPORATED), or aggregates, volumes, or qtrees in a storage appliance, or other suitable types of network resources that are known to those skilled in the art. Additional details on examples of aggregates, volumes, and qtrees are discussed in, for example, commonly-assigned U.S. patent application Ser. No. 10/836,817. An aggregate is formed by one or more groups of disks, such as RAID groups, for storing data. A volume will also store data, and is analogous to a file within an aggregate. A volume consumes storage space that is physically smaller than (or equal to) the size of the storage space consumed by the aggregate. A qtree is a data management entity for also storing data in a volume and is smaller in storage size than a volume.
As known to those skilled in the art, role based access control (RBAC) methods may be used to permit or prevent a user from accessing a particular network resource(s) based upon a role of the user. One example of a product that uses RBAC to control the access of users to network resources is the DataFabric Manager®, which is a network management product that is commercially available from NETWORK APPLIANCE, INCORPORATED. Other RBAC based products are commercially available from various vendors. As an example, a user may be assigned the role of “global administrator” or “resource group administrator”. A global administrator is permitted to access and to modify configuration settings (i.e., has an access permission) in all network resources (e.g., storage appliances) that are known and/or are discovered in the network system by a network management product. This type of broad access permission for the global administrator is also known as a “global permission”. An example of a configuration setting may be a domain name server (DNS) name for a storage appliance in the network system. In contrast, a resource group administrator has an access permission to only a subset of the network resources (e.g., storage appliances) that are known and/or are discovered in the network system by a network management product. For example, a resource group administrator may have access permission in storage appliances that are located in a first location and may not have access permission in storage appliances that are located in a second location, while a global administrator has access permission in storage appliances in both the first and second locations. This type of more limited access permission (as compared to the “global permission”) for the resource group administrator is known as a “resource group level permission”.
The set of network resources that provide access permissions to a global administrator can be represented as global objects that are grouped in a user-created group of objects (i.e., “global group”). These global objects in the global group are data structures that represent the network resources which can be accessed by the global administrator. The global administrator can also add new global objects to the global group, where a new global object represents a newly-discovered network resource that has been discovered in the network system by a network management product. The global administrator has the above-mentioned “global permission” which permits the global administrator to access these global objects in order to change the configuration settings of network resources that correspond to these global objects. The global permission also permits the global administrator to add the above-discussed new global objects to the global group.
The network resources that provide an access ability to a resource group administrator can be represented as managed objects that are grouped in a user-created group of objects (i.e., “resource group”). The managed objects are data structures that represent the network resources (e.g., storage appliances) that provide access permissions to a resource group administrator. A resource group can attach a global object in the global group to a particular resource group based on selected criteria such as, for example, the physical location, ownership, and/or configuration of the network resource that is represented by the global object. When the global object is attached to the particular resource group, the global object also becomes a managed object in the particular resource group for access by the resource group administrator. When the resource group administrator attaches a global object to his/her resource group (so that the global object is also now a managed object in his/her resource group), that resource group administrator will be able to change the configuration settings (e.g., domain name server name) of that managed object. These changed configuration settings are then pushed (i.e., transmitted) by a network management product to the network resource that is associated with that managed object, and these changed configuration settings will be implemented in that network resource.
The resource group administrator has the above-mentioned “resource group level permission” which permits the resource group administrator to access the managed objects in a resource group(s) if the resource group administrator owns (i.e., has access permissions to) the resource group(s). Access operations that are allowed for a resource group administrator include, but are not limited to, for example, the ability for a resource group administrator to change configuration settings (e.g., domain name server names or other parameters) in each network resource in the resource group.
In previous methods, a resource group administrator has access permissions on managed objects in his/her resource group(s). Such access permissions to the resource group permit the resource group administrator to perform particular operations such as, for example, adding managed objects to his/her resource group(s) (by attaching a global object to his/her resource group(s)), and editing configurations that are attached to his/her resource group. For purposes of network security, the resource group administrator does not have an access permission to managed objects in a resource group that does not belong to the resource group administrator.
However, allowing a resource group administrator to add managed objects to his/her resource group introduces the ability of the resource group administrator to add (i.e., attach) to his/her resource group a global object of a network resource (e.g., storage appliance) over which he/she does not have any access permissions. As a result of adding that global object to his/her resource group, that global object also becomes a managed object in his/her resource group. As a result, the resource group administrator improperly gains the ability to perform all of the access operations on the network resource that is represented by that managed object.
On the other hand, suppose that a resource group administrator has a legitimate access permission to a particular network resource (e.g., storage appliance). If that resource group administrator is not permitted to add a global object for that particular network resource as a managed object into his/her resource group(s), then the resource group administrator is subject to inconvenience and may even be hindered in the work tasks of managing his/her resource group(s) because he/she will not be able to access that particular network resource. In order for the resource group administrator to add that global object as a managed object in his/her particular resource group(s), that resource group administrator is inconveniently required to request the global administrator to add that global object as a managed object in the particular resource group(s). Therefore, there is a need for a new approach that will permit a resource group administrator (with a “resource group level permission” but without a “global permission”) to add managed objects to his/her resource group without requiring a global permission.
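The authorization gap described in the two preceding paragraphs can be modeled as follows. This is an added example, not code from this document or from any product it names. The per-resource grant set (`resource_grants`), the class names, and the resource names are hypothetical, and `attach_checked` is one possible check, not the approach this document goes on to describe.

```python
from dataclasses import dataclass, field

@dataclass
class Admin:
    name: str
    owned_groups: set = field(default_factory=set)
    # Assumption: resources the admin may legitimately manage, recorded
    # independently of resource group membership.
    resource_grants: set = field(default_factory=set)

class Manager:
    """Toy model of a management product tracking resource groups."""
    def __init__(self, global_group):
        self.global_group = set(global_group)  # global objects
        self.groups = {}                       # group name -> managed objects

    def attach_previous(self, admin, obj, group):
        # "Previous method": only ownership of the destination group is checked.
        if group not in admin.owned_groups or obj not in self.global_group:
            return False
        self.groups.setdefault(group, set()).add(obj)
        return True

    def attach_checked(self, admin, obj, group):
        # Hardened variant: the admin must also hold a grant on the resource.
        if obj not in admin.resource_grants:
            return False
        return self.attach_previous(admin, obj, group)

    def can_configure(self, admin, obj):
        # Resource group level permission: the object is a managed object
        # in a resource group that the admin owns.
        return any(obj in self.groups.get(g, set()) for g in admin.owned_groups)

def demo():
    results = {}
    for label, method in (("previous", "attach_previous"),
                          ("checked", "attach_checked")):
        mgr = Manager({"filer-site1", "filer-site2"})  # constructed names
        alice = Admin("alice", {"site1-group"}, {"filer-site1"})
        attach = getattr(mgr, method)
        attach(alice, "filer-site1", "site1-group")    # legitimate attach
        attach(alice, "filer-site2", "site1-group")    # no grant on this one
        results[label] = (mgr.can_configure(alice, "filer-site1"),
                          mgr.can_configure(alice, "filer-site2"))
    return results

if __name__ == "__main__":
    print(demo())
```

Under the previous method the administrator ends up able to configure both appliances; with the added per-resource check, only the one for which a grant exists, and without involving the global administrator.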
As also discussed below in further detail, there is also a need for a new approach that will permit a resource group administrator (with a resource group level permission but without a global permission) to edit the configurations that are attached to his/her resource group(s) without requiring a global permission.