The present invention relates to a storage network system including a server (computer) and a storage device, and particularly to control of access from the server to the storage device.
Rules such as the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule (U.S.A.), the HIPAA Security Rule (U.S.A.), and the Act for Protection of Computer-Processed Personal Data (Japan), which require prevention of unauthorized access to, and privacy protection for, electronic information, have recently been enforced one after another in various countries, starting with the U.S.A. In the storage market, customer demand for conformity with such information-security rules is running high.
Meanwhile, because information technology for information security develops extremely fast, the strongest security countermeasures available at a given time do not remain the strongest for long. It has been pointed out that it is important for a server and a storage device to collect access-related log information continuously and to ensure security by monitoring access using that log information. As for security assurance, the function of preventing external penetration by hackers has been the mainstream up to now. In recent years, however, the need for a function that also prevents internal intrusion, including by a system manager, has been pointed out. To avoid making management work difficult, there is a tendency to give the system manager broad access rights, such as the right to perform remote copy, which copies data between storage devices. The system manager is thus placed in a position where he or she can become a security hole (a weak point of security).
In a related art (e.g., U.S. Pat. No. 6,484,173 (seventh section and thirteenth to fifteenth sections)), each port controller of a storage device determines, based on execution-allowed access control information (requestor ID (the ID of the origin that issued the access request), access type, device ID) registered inside the device, whether an access request received by the corresponding port should be granted. The requestor ID includes a hardware ID set for each server device and a group ID set for each user or group.
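The port-level check described above can be sketched as a default-deny lookup that records every decision. This is an added example, not code from this document or from U.S. Pat. No. 6,484,173. The class names, ID strings, access-type labels and the audit-log layout are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import NamedTuple

class Entry(NamedTuple):
    """One execution-allowed rule: (requestor ID, access type, device ID)."""
    requestor_id: str   # a hardware ID (per server) or a group ID (per user/group)
    access_type: str    # labels such as "read" or "remote_copy" are assumed
    device_id: str

@dataclass(frozen=True)
class Request:
    hardware_id: str    # ID of the server issuing the request
    group_id: str       # ID of the user/group issuing the request
    access_type: str
    device_id: str

class PortController:
    """Hypothetical port controller: grants only what a registered entry allows."""
    def __init__(self, allowed):
        self.allowed = frozenset(allowed)
        self.audit_log = []   # every decision is kept, granted or denied

    def check(self, req):
        matched = None
        # Either form of requestor ID may satisfy an entry; no match means deny.
        for rid in (req.hardware_id, req.group_id):
            if Entry(rid, req.access_type, req.device_id) in self.allowed:
                matched = rid
                break
        self.audit_log.append({"hardware_id": req.hardware_id,
                               "group_id": req.group_id,
                               "access_type": req.access_type,
                               "device_id": req.device_id,
                               "matched": matched,
                               "granted": matched is not None})
        return matched is not None

def demo():
    # Constructed sample rules and requests, not taken from any real system.
    port = PortController([
        Entry("hw:server-a", "read", "lun0"),
        Entry("hw:server-a", "write", "lun0"),
        Entry("grp:storage-admins", "remote_copy", "lun0"),
    ])
    requests = [
        Request("hw:server-a", "grp:app", "write", "lun0"),   # allowed by hardware ID
        Request("hw:server-b", "grp:app", "read", "lun0"),    # no entry: denied
        Request("hw:server-b", "grp:storage-admins", "remote_copy", "lun0"),
        Request("hw:server-a", "grp:app", "read", "lun1"),    # device not listed
    ]
    return [port.check(r) for r in requests], port.audit_log

if __name__ == "__main__":
    decisions, log = demo()
    for record in log:
        print(record)
```

The third request is granted through the group ID alone, from a server that has no entry of its own, which is the kind of broad manager right that only the access log makes visible afterwards.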