1. Field of the Invention
This invention relates to a method for handling user group membership information in a heterogeneous information technology (IT) environment having multiple authentication sources.
2. Description of Background
A heterogeneous authentication environment in an information technology (IT) organization is supported by multiple authentication sources such as Lightweight Directory Access Protocol (LDAP) servers, NIS and many custom application authentication sources. Users of desktop and web-based applications in such an environment are located in one or many of these authentication sources. Many of these authentication sources support the notion of user groups to logically group users based on certain attributes of the users (e.g., Marketing department users, MIS users, System Administrator users, etc.). The user groups of the users of desktop and web-based applications are also defined in one or many of the authentication sources in the IT organization. Managing the privileges of users who are members of these user groups can be difficult for the security developers of desktop and web-based applications, especially when user group memberships change dynamically due to changes in the roles or responsibilities of users in the IT organization.
Many desktop and web-based applications get around this problem by periodically importing their user group membership information from the authentication sources of the IT organization. They use tools such as scripts and background processes to accomplish this task. There are many problems with this approach. One such problem is that the user group membership information accessed by the applications can be outdated and/or incorrect if the System Administrator modifies the information immediately after the application has performed its import of the user group data.
Another such problem is that the user group membership information is duplicated in the applications and in the authentication sources, which sometimes results in incorrect resolution of privileges inherited through the user groups.
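The following added example (not part of the patent text) models the two problems just described: an application takes a periodic copy of group membership from an authoritative source, an administrator changes membership right after the import, and the application's copy keeps granting a privilege that the live source no longer confers, including a privilege inherited through a nested group. The directory, group names, users and privilege grants are constructed for illustration.

```python
# Added example: stale group-membership snapshot vs. live lookup, with nested groups.
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Directory:
    """Authoritative source (stands in for an LDAP server): group -> direct members.
    A member may be a user name or the name of another group (nested membership)."""
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def effective_groups(self, user: str) -> Set[str]:
        """Resolve every group the user belongs to, following nested group membership
        until no new group is discovered (fixed-point iteration)."""
        result: Set[str] = set()
        changed = True
        while changed:
            changed = False
            for group, members in self.groups.items():
                if group in result:
                    continue
                if user in members or members & result:
                    result.add(group)
                    changed = True
        return result


def resolve_privileges(groups: Set[str], grants: Dict[str, Set[str]]) -> Set[str]:
    """Privileges a user inherits through the groups they are a member of."""
    privs: Set[str] = set()
    for g in groups:
        privs |= grants.get(g, set())
    return privs


# Constructed sample data: which privileges each group confers.
GRANTS = {"sysadmins": {"reboot_servers"}, "mis": {"read_reports"}}


def demo() -> Dict[str, Set[str]]:
    # "mis" contains the whole "sysadmins" group, so alice inherits "mis" privileges too.
    directory = Directory({"sysadmins": {"alice"}, "mis": {"sysadmins", "bob"}})
    # The application performs its periodic import (a copy of the directory data).
    snapshot = Directory({g: set(m) for g, m in directory.groups.items()})
    # Immediately afterwards the administrator removes alice from "sysadmins".
    directory.groups["sysadmins"].discard("alice")
    return {
        "from_snapshot": resolve_privileges(snapshot.effective_groups("alice"), GRANTS),
        "live": resolve_privileges(directory.effective_groups("alice"), GRANTS),
    }
```

The snapshot still yields both `reboot_servers` and the inherited `read_reports` for alice, while the live source yields none, which is the privilege-resolution error the text warns about.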
As such, the aforementioned problems and the long-felt need for a better method of handling user group membership information in a heterogeneous IT environment in part give rise to the present invention.