This invention relates generally to controlling access to resources such as the Internet, and more specifically to a distributed policy model for controlling such access.
The networking of computers and other resources has become increasingly complicated. Within a large corporation, for example, there may be a number of different intranets for internal access to resources, as well as a number of different extranets for external access to internal resources. Different intranets and extranets may have different levels of access to their resources, and different resources may themselves have different access permissions. Access to and from the Internet may also be governed differently within a complex networking environment.
Resources typically are network elements, such as servers, clients, printers, and the like. The network elements are generally referred to as nodes. The setting of access policy for resources as is described herein is with respect to governing the behavior of users and client computers with respect to the resources. For example, access policy can relate to managing how users access servers on the internet. Therefore, as used herein, resource access means access to one or more resources by users and client computers, as identified by networking addresses, such as Internet Protocol (IP) addresses. Controlling resource access means governing how the users can access these resources. For example, a user may only be allowed to access certain web sites on the Internet, be allowed to access only certain servers, be allowed to only print to certain network printers, and so on.
There are two traditional models for setting access policy for resources. First, there is a one-size-fits-all approach, in which all resources are governed by the same access policy. This approach does not function well in a complex networking environment, however. Different resources may have different access needs, which are not accommodated by a policy that is the same for all resources or for all users of these resources. This approach is advantageous for the network administrator, who can easily administer a single policy for the entire network, but is disadvantageous for the resources, because they have the same policy applied to them, regardless of their individual requirements. This approach can be referred to as not sufficiently granular, in that access policy is an all-or-nothing affair.
Second, there is a by-resource approach, in which each resource is governed by a separate policy. Management of access policy in such a case is overly difficult and administrator intensive. Each resource must have its access policy set individually. This approach is advantageous for the resources, because they can have individual policies applied to them, depending on their specific requirements. However, it is disadvantageous for the network administrator, who cannot easily administer access policy for the network as a whole. This approach can be referred to as too granular, in that access policy must be set individually, even for like resources. Another problem with this approach is that there may be multiple levels of network administration, and administrators, within the organization, which all must be synchronized to ensure that there is a consistent policy over the organization as a whole.
Some progress in the latter approach has been made in that resources can be grouped together within common policies. However, this improved approach is still lacking. Policies for different groups of resources and users cannot easily be related to one another, and over time likely will diverge even in what should be their common aspects. For example, initially the access policy for a first group may be identical to the access policy for a second group, such that both reflect the general policy for the entire network. Over time, the access policy for each of the groups may be modified as their access needs change. However, there is no way to ensure that the modified policies still accord to the general policy for the entire network. Furthermore, if the general policy for the entire network needs to be modified, this means that the group policies must be individually changed. Therefore, while this approach achieves an intermediate level of granularity as compared to the one-size-fits-all and by-resource approaches, it is still not optimal.
In other words, the prior art does not provide for adequate policy access models in the context of current and future complex network topologies. Current models are either too restrictive—that is, not granular enough—or too lax—that is, too granular—in how they approach access policy. Intermediate approaches to access policy achieve some measure of intermediate granularity, but still are difficult with which to administer a cohesive network-wide access policy. For these and other reasons, there is a need for the present invention.