As more business is done on computers, and particularly as more business is done and information is exchanged across computer networks, access controls for determining which computer users and software applications may obtain access to which data or other computerized resources across these computer networks becomes increasingly important. Access controls, for example, can control access to pages on the World Wide Web, allowing differential content to be provided to different groups of people, whether they are paying customers who pay for differing levels of access, or to different groups of people who may have rights to differing levels of confidential information. Access controls can also provide differing levels of database access and transaction authorization as well as controlling the flow of information that is broadcast or "pushed" over a computer network such as in electronic publishing and message forwarding.
Traditional systems for managing access to system resources typically use archaic syntax to specify recipients who are entitled to use of or access to information or other resources in a computer system. Reprogramming these systems to adapt to new conditions, such as new levels of access or new groups to whom access is granted, is cumbersome. The need to learn a particular syntax also results in time consuming training and "trial and error" periods for new users of these systems to learn how to use the systems efficiently.
Other systems utilize access control lists (ACLs). In general, ACLs associate names and lists of names with objects for access purposes. In general, inclusion on a list or a list specified in some other list constitutes entitlement. This style of entitlement requires complex list administration in order to represent complex conditions of entitlement, conditions, for instance, where a user characteristic is superceded by some other characteristic.
One problem with access control lists is that they can only represent simple entitlement rules and the ACL approach typically does not allow use of arbitrary functions or conditions when specifying access to or control of a resource. Accordingly, ACLs are not rich enough for sophisticated applications. Access control list systems also cause server performance to degrade when the numbers of users or objects or lists become large, requiring multiple time consuming database select and join operations to be performed serially in order to determine access entitlements. As sites on the World Wide Web become more complex and attract more users, all expecting prompt service from the Web site, the problem of determining user entitlement to an object becomes more acute.
In addition, ACLs generally are not available in encapsulated (object-oriented) implementations, making implementation and maintenance of the ACL software difficult. For these and other reasons, ACL implementations are typically specific to platform operating system or web server implementations.
It would, therefore, be desirable to provide a system that can arbitrate access to particular resources in a system while avoiding or mitigating the problems of prior art systems. Such a system would preferably improve performance where the number of users is large, possibly by requiring only simple database operations that can be performed in parallel. The system should also allow for simple maintenance and update of databases containing access information while at the same time utilizing plain text message entitlement rules and allowing arbitrary functions or conditions to specify access to or control of a resource. The system should also be available in an encapsulated format that is readily deployable on any of a single computer, special purpose embedded applications, a wide or local area network, intranets, the Internet or other networks or systems where user entitlement to resources must be determined.