The present invention relates generally to limiting management operation of a storage network element. More particularly, the present invention relates to a method, apparatus and computer program for limiting management operation of a storage network element by determining whether the storage network element is related to a host computer and whether the management operation is restricted.
In a computer system that includes storage systems, there may be situations where changes to the configurations of the storage systems or of any other storage network element, such as network switches, should be prohibited during certain periods of time. For example, in a stock market exchange or a foreign exchange market, changes in the configurations of the storage systems or the Fibre Channel networks are conducted while the market is closed so as not to improperly affect normal operation of the exchanges.
Storage management software includes means for giving a privilege of changing configurations of the storage network elements to user groups or to each user of each user group. Examples of such means include User level Access privilege and Function/Object level access limitation.
User level Access privilege provides means wherein a storage management operation from an unauthorized user is rejected. Each user is authenticated by a password. Alternatively, only one user may be permitted to perform all storage management operations, including configuration changes, while the other users can only view the system configuration and cannot make configuration changes.
Function/Object level access limitation provides means wherein the operations that each user group can perform are limited. For instance, the management software can provide different types of privileges to, for example, a “server administrator group” as opposed to a “storage administrator group”. According to this means, for example, the server administrator group may not be permitted to change the configurations of storage systems or storage network elements, whereas the storage administrator group may have such privileges. These privileges could, for example, include volume creation or Fibre Channel switch settings. Access to some storage systems or network switches may also be limited according to authorized user groups.
However, the above means do not disclose techniques for restricting management operations according to host computers and permitted operations.
Other technology has also been proposed. For example, U.S. Patent Application Publication No. 2002/0138691 A1 (Yamamoto) discloses a method and system for managing access to storage resources according to access time. In particular, Yamamoto discloses that the storage system does not accept I/O operations from the host computers during a certain period of time. However, Yamamoto does not disclose that the storage system or the storage management computer can prohibit management operations from being conducted.
“Storage Security-March 2004: What Users Should Demand of Vendors”, by J. Oltsik, Enterprise Strategy Group, March 2004 (Oltsik) suggests that management operations could be limited based on time. However, Oltsik does not disclose any details as to how this could be accomplished.
Each of the technologies described above suffers from various disadvantages, particularly that they cannot limit management operations of a storage network element according to whether the storage network element is related to a host computer and whether the management operation is restricted. Therefore, technology which overcomes these disadvantages is needed.
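The gap described above can be seen in a short sketch, which is an added example and not taken from the original text or from any product: a group-only check (Function/Object level access limitation) approves a switch change during market hours, while a second check on whether the element is related to a host computer and whether the operation is restricted for that host rejects it. The group names follow the text; the host names, element names, policy layout and market-hours window are assumptions.

```python
from datetime import datetime, time

# Constructed sample data. Group names follow the text; everything else is hypothetical.
GROUP_PRIVILEGES = {
    "server_admin": {"view_config"},
    "storage_admin": {"view_config", "create_volume", "change_switch_zoning"},
}
# Assumed topology: which storage network elements each host computer depends on.
HOST_ELEMENTS = {
    "trading-host-1": {"array-A", "fc-switch-1"},
    "backup-host-1": {"array-B"},
}
# Assumed policy shape: operations blocked for a host while inside a time window.
HOST_RESTRICTIONS = {
    "trading-host-1": {
        "operations": {"create_volume", "change_switch_zoning"},
        "window": (time(9, 0), time(15, 0)),  # assumed market hours
    },
}

def group_allows(group, operation):
    """Function/Object level limitation: the decision depends only on the group."""
    return operation in GROUP_PRIVILEGES.get(group, set())

def in_window(now, window):
    """True if now falls inside [start, end); supports windows crossing midnight."""
    start, end = window
    t = now.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def related_hosts(element):
    """Hosts whose storage path includes the given element."""
    return sorted(h for h, elems in HOST_ELEMENTS.items() if element in elems)

def authorize(group, operation, element, now):
    """Return (allowed, reason) after the group check and the host-relation check."""
    if not group_allows(group, operation):
        return False, "group lacks privilege"
    for host in related_hosts(element):
        rule = HOST_RESTRICTIONS.get(host)
        if rule and operation in rule["operations"] and in_window(now, rule["window"]):
            return False, f"restricted for related host {host}"
    return True, "allowed"

if __name__ == "__main__":
    market_open = datetime(2004, 3, 1, 10, 30)  # constructed timestamp
    print(group_allows("storage_admin", "change_switch_zoning"))
    print(authorize("storage_admin", "change_switch_zoning", "fc-switch-1", market_open))
```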