It is often the case with access rights or authorization determinations that certain aspects of the determination are likely to be repeated. When nothing changes from one determination to the next, and two determinations are made exactly the same way, resources are wasted because the result(s) of the first determination could be re-used. This is especially true when access decisions are computationally expensive. Thus, it would be desirable to re-use, in some fashion, computations that have already been made, so that static access policy evaluations are not repeated, thereby making a system more efficient, freeing up computer resources for other tasks, and generally increasing performance.
It would also be advantageous to re-use decision-making in connection with dynamic data and policy evaluation algorithms. For example, it is often desirable to grant access privileges to applications, services, and various objects based upon dynamic factors, i.e., factors that may change over time. Within an organization, for example, a user context might change if a user is promoted or otherwise given new or different privileges. Similarly, the client context can change if hardware and/or software on the machine is altered, which could happen, for instance, if an administrator or another machine in an associated computer system changes a characteristic of the client. Thus, it is possible to specify both access policy and data based upon dynamic factors, such as client operation parameter values and client attributes for use in connection with an access policy, wherein the access policy itself may also be specified according to dynamic factors. Relative to their counterparts that use static data and static policy, dynamic authorization systems have much greater flexibility in implementation. However, dynamic authorization systems make it more difficult to cache and reuse the results of an access check that may involve both static and dynamic policy evaluations, since the dynamic policy may need to be reevaluated for every access check.
For example, a system and methods for providing dynamic authorization in a computer system via standard programming objects are disclosed in commonly assigned copending U.S. patent application Ser. No. 09/849,093, filed May 4, 2001. In one embodiment, the system of U.S. patent application Ser. No. 09/849,093 supplements the APIs and data structures used for statically determined authorization policies. According to a typical access check procedure, an application registers itself for use of the dynamic group and dynamic access check routines that will supplement the regular access check APIs and data structures. The regular access check APIs and data structures are correspondingly altered to accommodate and utilize the dynamic functionality of the dynamic routines. Upon a request from a user or a machine, the client context is determined based upon static and dynamic data, i.e., the client context may be computed in relation to dynamic factors. For instance, the groups to which the requestor belongs may be a dynamic factor, and may be determinative as to whether the requestor has access vis-à-vis a dynamic or static authorization policy. After a routine determines the requestor's group affiliation according to static factors, the client context is updated with dynamically computed groups by the dynamic group routine. If there is dynamic authorization policy, it can be stored in a specialized dynamic Access Control Entry (ACE) structure that has an identifier indicating its dynamic nature. By way of the access check APIs used for static ACEs, augmented by dynamic functionality, if a match is made between information contained in the client context and a dynamic ACE, a dynamic access check routine tailored to the application is called, whereby the authorization policy is determined in relation to dynamic data.
This information is returned to supplement static access determination results and permission for the requested access may then be denied or granted in accordance with the results.
As mentioned above, however, a performance improvement is possible when the same policy computation is repeated. Given that many access checks involve the same user accessing multiple resources protected by the same authorization policy, a redundant policy computation may be performed for each of these access checks. Consequently, it would be desirable to cache a determination of the static maximum allowed access that may be granted for a given access inquiry, whereby, if a particular requested access falls within the privileges contained in the static maximum allowed access, an actual and full-blown dynamic determination need not be performed, thus resulting in substantial savings of computer resources.
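The caching scheme described above, as an added illustration that is not code from the cited patent application: the static maximum allowed access for a (requestor, policy) pair is computed once from the static ACEs and cached; a request whose access mask is a subset of that cached maximum is granted on the fast path, and only a request that needs more rights triggers evaluation of the dynamic ACEs. All names, access-mask bits, and the callback form of a dynamic ACE are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed access-mask bits for the example (not a real ACL format).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    group: str
    mask: int
    # None marks a static ACE; a dynamic ACE carries a callback that is
    # evaluated against per-request context (the "dynamic access check").
    dynamic_check: Optional[Callable[[dict], bool]] = None


@dataclass
class Policy:
    policy_id: str
    aces: List[Ace]


def static_max_allowed(policy: Policy, static_groups: FrozenSet[str]) -> int:
    """Union of the masks of static ACEs matched by the static client context."""
    allowed = 0
    for ace in policy.aces:
        if ace.dynamic_check is None and ace.group in static_groups:
            allowed |= ace.mask
    return allowed


class AccessChecker:
    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], int] = {}
        self.dynamic_evaluations = 0  # counts slow-path evaluations

    def invalidate(self, user: str) -> None:
        # Must be called when the user's static groups or a policy change,
        # otherwise a stale cached maximum would keep granting old rights.
        self.cache = {k: v for k, v in self.cache.items() if k[0] != user}

    def check(self, user: str, static_groups, policy: Policy, requested: int, context: dict) -> bool:
        key = (user, policy.policy_id)
        if key not in self.cache:
            self.cache[key] = static_max_allowed(policy, frozenset(static_groups))
        granted = self.cache[key]
        if requested & ~granted == 0:
            return True  # fast path: fully covered by the cached static maximum
        # Slow path: evaluate dynamic ACEs matched by the client context.
        self.dynamic_evaluations += 1
        for ace in policy.aces:
            if ace.dynamic_check is not None and ace.group in static_groups and ace.dynamic_check(context):
                granted |= ace.mask
        return requested & ~granted == 0
```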