Enterprises, such as corporations and other organizations, typically define policies for purposes of enterprise management. Enterprise management refers to the identification and management of users and network-based resources, such as computers. Typically, policies designate whether access to a resource is entitled or privileged. Privileged access to the resource must be justified in some way, typically based on user role, responsibility, or business need. The enterprise policies define boundaries or scope of privileged and entitled access permissions.
Such policies are typically a combination of “business/security policies” and “systems policies”. Business/security policies (also called “published policies”) define general guidelines for access to network-based resources, including secure access, and restrictions on use. Systems policies (also called “configured policies”) present the mechanism for implementing the business policies into enforceable system and user configurations. Available platforms provide architectures to implement policies. For example, WINDOWS® ACTIVE DIRECTORY® from MICROSOFT CORPORATION implements system policies using Group Policy Objects (GPOs).
Using conventional approaches, policies can be conveniently configured in one-to-all, one-to-many, and one-to-specific arrangements with respect to users and resources. In such approaches, policy stores store the various enterprise policies. In a distributed enterprise, each domain or group of users/resources, typically has its own instance of the policies, with which the domain uses to enforce the enterprise guidelines.
Unfortunately, conventional approaches to policy implementation are not very flexible or responsive to growth and change of policies within the enterprise. Generally, securing and otherwise managing access to the network-based resources involves making and managing an increasing number of policies. When managing multiple distributed groups of resources and users, such as multiple domains in an ACTIVE DIRECTORY®, multiple policy stores often exist, which can cause conflicts in policy naming and scope, as well as inconsistencies among implementation settings. In addition, in the case of ACTIVE DIRETORY®, policies are replicated between domain controllers, rather than having one centralized policy store. If the replicated policies are not diligently maintained, user access can become inconsistent, thereby undermining the intent of the published policies.