Large computing environments can comprise a plurality of entities such as computing devices, user accounts and users. Computing devices are often called hosts. A host may also be a virtual computing device (a virtual machine) or a container such as a Linux™ container or equivalent within a physical computing device. Each host may comprise or be associated with one or more user accounts, processes, and/or files. Hosts, user accounts, and other entities in the environment may be associated with groups, e.g., user groups.
Various arrangements for accessing entities in a computing environment by other entities can be configured. Examples of these include web-based access, security protocol (e.g., secure shell protocol, SSH) based access, file transfer access, remote procedure call access, and/or software upgrade access. Such access may be used, e.g., by end users, by automation, and/or by system administrators.
Configuring and/or gaining access to a particular entity such as a computing device or a set of computing devices can be provided in different ways. Different ways of configuring access include using local files on a server (possibly in combination with local clients on the client device), configuration information in directories (e.g., Active Directory, LDAP (Lightweight Directory Access Protocol) directories, NIS (Network Information Service) directories), and/or databases. Many forms of configuration can be used simultaneously. Often the configuration further relies on configuration data not necessarily perceived as part of access configuration, such as DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), shared file system configuration, and even the configuration of switches and routers in the network.
Regardless of the manner in which access is provided, access relationships can be formed between various entities of a computer system. An access relationship is understood to refer to a relationship between a source entity and a destination entity such that access from the source entity to the destination entity is permitted. Access relationships are hence sometimes also called trust relationships.
Information on access relationships between entities exists in computer systems. Access relationships can be based on security credentials such as keys used by the entities.
Access relationships can form chains. Such chains of access relationships can also be referred to as chains of trust. Such chains of trust may not have been intended to exist but may have been created accidentally and independently of each other. The chains can also become long and complicated, have different originators, and so on. There may also be chains which have lost their original purpose when changes occur in one of the nodes of the trust chain. All this adds to the difficulty of managing trust relationships in a network system.
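As an added illustration that is not part of this description, the following Python example represents key-based access relationships (source entity, destination entity) as a directed graph and enumerates the chains of trust they form: the implicit access a chain grants that no one configured directly, and the chain originators able to reach a given entity. The entity names and the relationship list are constructed for the example.

```python
from collections import deque
# Constructed sample of explicitly configured key-based access relationships
# as (source entity, destination entity) pairs; not taken from the text.
ACCESS_RELATIONSHIPS = [
    ("alice@laptop", "bastion"), ("bastion", "web1"), ("web1", "db1"),
    ("backup-job", "db1"), ("db1", "backup-host"), ("bob@laptop", "web1"),
]

def build_graph(relationships):
    # Adjacency map: source -> set of destinations it may access directly.
    graph = {}
    for src, dst in relationships:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph

def chains_from(graph, source):
    # BFS from source; returns {destination: shortest chain of trust as a list}.
    parents, queue = {source: None}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    chains = {}
    for dst in parents:
        chain, node = [], dst
        while node is not None:
            chain.append(node)
            node = parents[node]
        chains[dst] = chain[::-1]
    return chains

def implicit_access(graph):
    # (source, destination) pairs nobody configured directly but that the
    # chains grant, mapped to the chain that grants them.
    found = {}
    for src in graph:
        for dst, chain in chains_from(graph, src).items():
            if dst != src and dst not in graph[src]:
                found[(src, dst)] = chain
    return found

def originators_reaching(graph, destination):
    # Chain originators (entities no one else can access) that reach destination.
    targets = {dst for dsts in graph.values() for dst in dsts}
    return sorted(n for n in graph
                  if n not in targets and destination in chains_from(graph, n))
```

Reviewing the output of implicit_access against the configured relationships is one way to surface chains that were never intended, such as a user account that can reach a backup host only through three intermediate hosts.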