Security for data processing systems is a continuing significant issue. Financial, legal, medical and governmental transactions, to name only a few, are conducted using computer databases and it is imperative that the data, most of which is confidential, be protected. While much effort has been made to protect against breaches from the outside, attention must also be paid to internal security. In particular, within an organization, most personnel require access to only limited portions of the stored data.
A storage system may include one or more storage servers, such as the International Business Machines (IBM) Enterprise Storage Server® (ESS) Model 800, to which are attached one or more host devices (FIG. 1). The ESS 800 is sufficiently versatile as to be simultaneously attachable to a variety of different host devices utilizing a variety of operating systems. The host devices may include such servers as the IBM AS/400®, the IBM RS/6000® and the IBM S/390®, utilizing such operating systems as UNIX®, Windows NT® and Novell® NetWare, among others. Further, the host devices may attach to the storage server through such interfaces as SCSI, ESCON®, FICON™ and Fibre Channel. The ESS 800 server includes two clusters, each having a RISC processor, cache memory and a RAID disk array, as well as appropriate host and network adapters.
Heretofore, system security included a user ID and an associated password. Each storage server kept a separate user database, and users could generally execute any command and access any IP address. Thus, the present system does not provide means for limiting a user's access to a defined set of IP address ranges or for limiting the user to executing a defined set of commands. As a consequence, the present system does not provide means for grouping storage server resources around user IDs, and it exposes each user to all resources, not just those to which the user needs access.