With the omnipresence of the Internet and broadband technology, enterprises can have employees, customers, and assets distributed across the entire globe. In addition, the employees, customers, and assets access data or information of the enterprises via enterprise-defined directories, which are accessible throughout a logical and global enterprise network.
To ensure proper security access for each employee, customer, or asset that attempts to connect to the enterprise network and to the appropriate information in the directories, a variety of Access Control Lists (ACLs) are often deployed.
Conventional directory deployment scenarios have far too many Access Control List (ACL) attribute values that are defined on container objects within the directory. For example, a Role-Based Access Control (RBAC) configuration can have approximately 300 ACL attribute values that are populated on a single directory container. Evaluating these access rights entails initially reading the ACL attributes from a tree root until a desired target entry is reached.
Based on an authenticated identity for a requesting user (employee or customer) or asset (an automated program attempting to access the directory), a security equivalence list is often generated. An access rights buffer holds the actual rights on a target directory entry based on: a security equivalence vector (SEV) list, entry rights, all-attribute rights, and specific attribute rights. In a typical search operation, a rights buffer has to be created for every entry that matches the search filter in use. Access evaluation is done in two passes. The first pass determines that the authenticated identity has browse rights on the directory entry, and compares rights on the search filter predicates. The second pass determines whether the authenticated identity has read rights on the attributes requested in the search attribute list. ACLs are read (from a partition root to the target entry) and then converted into a rights buffer for every target entry (based on the SEV list and the requested attributes).
In a specific customer scenario, with 18K objects below a container object of a directory and 300 ACL attributes on the container (which is not unusual), a subtree search on the container alone can take 17 seconds, since it has to read more than 5.4 million ACLs and create rights buffers along the way.
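The two-pass evaluation described above, as an added illustration that is not part of the original text or of any product it describes: a small directory tree is walked, and for every entry the ACLs are re-read from the partition root down to that entry to build a rights buffer from the requester's SEV list, after which pass one checks browse and compare rights and pass two checks read rights on the requested attributes. The rights bits, the three ACL scopes, the rule that a specific-attribute ACL overrides the all-attribute rights, and the sample tree are all assumptions of this model; the counter shows why the cost grows with (entries) x (ACLs on the containers above them).

```python
"""Toy model of two-pass ACL evaluation during a directory subtree search.

Added illustration, not code from the original text. Rights bits, ACL scopes,
the "specific attribute ACL overrides all-attribute rights" rule and the sample
tree are constructed assumptions of this model.
"""
from dataclasses import dataclass, field

BROWSE, COMPARE, READ = 1, 2, 4   # constructed rights bits


@dataclass(frozen=True)
class Acl:
    trustee: str   # identity or group the ACL grants rights to
    scope: str     # "entry", "all_attrs", or a specific attribute name
    rights: int    # bitmask of BROWSE / COMPARE / READ


@dataclass
class Entry:
    dn: str
    attrs: dict
    acls: list = field(default_factory=list)
    children: list = field(default_factory=list)


def build_rights_buffer(path, sev, counter):
    """Rights of the requester on path[-1], built by reading every ACL from the
    partition root down to the target entry and keeping those whose trustee is
    in the requester's security equivalence vector (SEV)."""
    buf = {"entry": 0, "all_attrs": 0, "attrs": {}}
    for node in path:
        for acl in node.acls:
            counter["acl_reads"] += 1          # every ACL read is paid for again per entry
            if acl.trustee not in sev:
                continue
            if acl.scope == "entry":
                buf["entry"] |= acl.rights
            elif acl.scope == "all_attrs":
                buf["all_attrs"] |= acl.rights
            else:
                buf["attrs"][acl.scope] = buf["attrs"].get(acl.scope, 0) | acl.rights
    counter["buffers"] += 1
    return buf


def attr_rights(buf, name):
    """Assumption of this model: a specific-attribute ACL overrides all-attribute rights."""
    return buf["attrs"].get(name, buf["all_attrs"])


def subtree_search(root, sev, filter_attr, filter_value, requested):
    """Subtree search under `root` for a requester whose SEV list is `sev`.
    Returns (results, counter); results carry only attributes the requester may read."""
    counter = {"acl_reads": 0, "buffers": 0}
    results = []

    def visit(path):
        entry = path[-1]
        buf = build_rights_buffer(path, sev, counter)
        # Pass 1: browse right on the entry and compare right on the filter predicate
        if buf["entry"] & BROWSE and attr_rights(buf, filter_attr) & COMPARE:
            if entry.attrs.get(filter_attr) == filter_value:
                # Pass 2: read right on each attribute in the search attribute list
                visible = {a: entry.attrs[a] for a in requested
                           if a in entry.attrs and attr_rights(buf, a) & READ}
                results.append((entry.dn, visible))
        for child in entry.children:
            visit(path + [child])

    visit([root])
    return results, counter


def sample_directory():
    """Constructed sample tree: staff may browse and read the people container
    but only compare the salary attribute; only admins may browse ou=secret."""
    alice = Entry("cn=alice,ou=people,o=example", {"cn": "alice", "dept": "eng", "salary": "100"})
    bob = Entry("cn=bob,ou=people,o=example", {"cn": "bob", "dept": "eng", "salary": "90"})
    carol = Entry("cn=carol,ou=people,o=example", {"cn": "carol", "dept": "sales", "salary": "80"})
    people = Entry("ou=people,o=example", {"ou": "people"}, acls=[
        Acl("cn=staff", "entry", BROWSE),
        Acl("cn=staff", "all_attrs", COMPARE | READ),
        Acl("cn=staff", "salary", COMPARE),
    ], children=[alice, bob, carol])
    vault = Entry("cn=vault,ou=secret,o=example", {"cn": "vault", "dept": "eng"})
    secret = Entry("ou=secret,o=example", {"ou": "secret"},
                   acls=[Acl("cn=admins", "entry", BROWSE)], children=[vault])
    return Entry("o=example", {"o": "example"}, acls=[
        Acl("cn=admins", "entry", BROWSE),
        Acl("cn=admins", "all_attrs", COMPARE | READ),
    ], children=[people, secret])


if __name__ == "__main__":
    tree = sample_directory()
    for who, sev in (("alice", {"cn=alice", "cn=staff"}), ("admin", {"cn=admin", "cn=admins"})):
        hits, cost = subtree_search(tree, sev, "dept", "eng", ["cn", "salary"])
        print(who, hits, cost)
```

Running it shows that the staff member sees only `cn` for the two engineering entries (salary is compare-only for staff and ou=secret is not browsable), while the admin also sees `salary` and the vault entry; in both cases the walk reads 28 ACLs for 7 entries, because every entry re-reads the ACLs of all containers above it, which is exactly the multiplication the 18K x 300 scenario above suffers from.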
In an era where results and access are expected nearly instantaneously, 17 seconds can seem like an eternity and can substantially erode customer usability and, correspondingly, an enterprise's business reputation. Furthermore, the processing time can and often will be much longer in many other scenarios, for larger directory installations associated with larger enterprises. So the problem can be heightened to a point where customers leave an enterprise and seek directory and/or information services elsewhere.
Thus, improved techniques for enforcing access rights during directory access are desirable.