In one embodiment, a system for managing a virtualization environment includes a set of host machines, each of which includes a hypervisor, virtual machines, and a virtual machine controller, and a data migration system configured to identify one or more existing storage items stored at one or more existing File Server Virtual Machines (FSVMs) of an existing virtualized file server (VFS). For each of the existing storage items, the data migration system is configured to identify a new FSVMs of a new VFS based on the existing FSVM, send a representation of the storage item from the existing FSVM to the new FSVM, such that representations of storage items are sent between different pairs of FSVMs in parallel, and store a new storage item at the new FSVM, such that the new storage item is based on the representation of the existing storage item received by the new FSVM.

Nested namespaces for selective content sharing.

In one embodiment, a method comprises receiving a request for a particular user identification (ID) to perform a particular operation on a particular data object. An entitlement cache associates each operation that the particular user ID is entitled to perform with a first encoding of a tuple of a plurality of tuples. An object mapping cache associates each tuple of the plurality of tuples with a second encoding of each tuple of the plurality of tuples. An object mapping is used to determine a first tuple. The object mapping cache is used to determine a first vector of one of more left values based on the first tuple. The entitlement cache is used to determine a second vector of one or more value pairs. In response to identifying a match between the first vector and the second vector, the particular user ID is granted access to the particular data object.

An embodiment for media transit management is provided. The embodiment may include receiving one or more images and one or more pre-set configuration criteria regarding management of an image file. The embodiment may also include monitoring for an attempted sharing of the image file. The embodiment may further include in response to determining each object in the one or more images matches each object in the image file, identifying at least one other user who is attempting to share the image file. The embodiment may also include in response to determining the at least one other user is not authorized to share the image file, analyzing the one or more pre-set configuration criteria correlated with the image file. The embodiment may further include in response to determining the image file does not meet the one or more pre-set configuration criteria, prompting the participating user to respond to a notification.

An example method of enforcing granular access policy for embedded artifacts comprises: detecting an association of an embedded artifact with a resource container; associating the embedded artifact with at least a subset of an access control policy associated with the resource container; and responsive to receiving an access request to access the embedded artifact, applying the access control policy associated with the resource container for determining whether the access request is grantable.

In one embodiment, a system for managing communication connections in a virtualization environment includes a plurality of host machines implementing a virtualization environment, wherein each of the host machines includes a hypervisor, at least one user virtual machine (user VM), and a distributed file server that includes file server virtual machines (FSVMs) and associated local storage devices. Each FSVM and associated local storage device are local to a corresponding one of the host machines, and the FSVMs conduct I/O transactions with their associated local storage devices based on I/O requests received from the user VMs. Each of the user VMs on each host machine sends each of its respective I/O requests to an FSVM that is selected by one or more of the FSVMs for each I/O request based on a lookup table that maps a storage item referenced by the I/O request to the selected one of the FSVMs.

A system for determining access for a hypercube includes an interface configured to receive a request for access from a user to data in a location in a hypercube; receive a tree structure with subcubes of the hypercube arranged in a hierarchical structure; and receive a user permission list, wherein an element of the user permission list comprises a permission, a root node, and a set of pruned nodes. The system also includes a processor configured to determine a user permission associated with the data in the location of the hypercube using the user permission list; and provide an indication of the user permission.

A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.

Generating and associating decentralized identifiers (DIDs) for a group of related devices. First, a device group DID is generated by generating a private key of the device group DID based on a seed and a first hardware identifier of at least one of the devices in the group. The device group DID is associated with the group of related devices. For each of the group of the related devices, a device DID is derived by generating a private key of the device DID based on a seed, a second hardware identifier of the corresponding device, and the device group DID. The device DID is then associated with the corresponding device. Further, a scope of permission is granted to the device group DID, and each device DID in the group is granted a subset of the scope of permission.

A security level tagging process to enable a user to associate a security level descriptor with a file, or a namespace directory where files and subdirectories inherit the security level descriptor from a parent directory. A parser can be used to automatically set a security level descriptor based on the contents of the file and/or attributes of files, or an administrator can associate a security level to a storage tier in the file system so that files are placed on the storage tiers with the matching security level as the file security level descriptor. The placement of the file on a storage tier depends on the data security level descriptor of the file and the security level of the storage so that files are placed on tiers where security level associated with the tier is greater than or equal to data security level of the file. Files can be migrated among storage tiers as their security levels may change.