1. Field of Invention
This invention relates to methods and apparatus for implementing an extensible grouping mechanism for security authorization, e.g., for use in computer systems.
2. Related Art
In the administration of computer systems, it is often desirable to organize users into one or more groups so that privileges may be given to groups of users via the group structure, rather than individually. For example, a system administrator may confer a first set of privileges on members of a first group, a second set of privileges on a second group, and so on. In one specific example, a system administrator may allow members of a first group to have full access to a set of files, while members of a second group have read-only access to those files, and a third group may have no access privileges to the files. Such a group structure can allow for more efficient management of privileges, e.g., when an individual user changes status in an organization and therefore is entitled to a different set of privileges, when privileges for a particular group change, or when additional files or other objects are created or otherwise newly introduced to the system. In these cases, the group structure can provide a convenient mechanism by which user privileges or other security features can be readily established or modified.
Security grouping arrangements are typically managed by one or more system administrators of the computer system to reduce the likelihood of security breaches that may occur, for example, if a wide population of users were allowed to adjust group members, privileges assigned to various groups, etc. The result of such centralized control, however, is that many software products in the system cannot benefit from the system administrator-controlled grouping arrangement. That is, many software products in the system may access or otherwise use files or other objects whose access is not controlled by a system administrator, e.g., because the importance of such files is not sufficiently high to warrant the attention of a system administrator. As a result, these software products are provided with no means by which to control actions that are performed with respect to the objects by various users in the system.