1. Technical Field
The present invention relates to security access systems. More specifically, this invention relates to providing security for multiple heterogeneous domains from a single source.
2. Description of Related Art
As e-business becomes an ever more necessary part of the business world, managing the available information in a secure manner becomes both a high priority and a source of potential problems. An example can highlight some of these problems.
Alpha Corporation is a large business that has been in operation for many years and prides itself on being at the forefront of information management. Alpha Corporation utilizes a security application, which was configured to a user registry, to maintain the security of a set of network resources in the corporation, such as applications, files, printers, and people. The application that works with the user registry provides a consistent way to describe, manage, and maintain information about these resources in a secure manner. Because of this security application, Alpha Corporation can be sure that access to sensitive information, whether it is technical information about developing products or personnel records, is handled appropriately. Alpha Corporation has been very happy with its security application, but it recently acquired the small Beta Company, and a few months later it merged with Gamma Corporation in order to gain a better position in the market. Beta Company runs a security program that also uses a user registry to control access, but it does not use the same configuration structure as Alpha Corporation. Even worse, the security system used by Gamma Corporation is configured on a different kind of user registry. Alpha Corporation faces the problem of how to support user authentication for all three companies without having to migrate or duplicate massive amounts of data into a single user registry.
FIG. 1 schematically shows the original concept of an application program to handle access to resources within a domain 100. In this concept, each company, e.g., Alpha Corporation, had within its domain, or area of control, a single user registry 102 that stored all the information for that company. In this application environment, the user registry 102 was tied to a number of servers, such as web service application server 104, authorization server 106, and other blade servers 108. All information that each server required to authenticate the users of the company was contained within this domain 100 and under its direct control. Each of the servers 104, 106, 108 dealt with a single access control list (ACL) 101, and all of the servers accessed the same user registry 102 using URAF (user registry adapter framework) interfaces. No variability was expected or allowed.
FIG. 2 shows the most current existing implementation of an application program to manage access to resources within domain 200. In this implementation, the servers, such as the web service application servers 204, authorization server 206, and blade servers 208, each contain the single ACL 201 and are tied to one and only one user registry option 210. This user registry option 210 determines the loading of the registry adapter 255, 265, 275, or 285 that will be used by the servers 204, 206, 208 to communicate with a user registry 250, 260, 270, or 280. Each of these registry adapters 255, 265, 275, 285 is a communications module that is specifically written for a given type of registry. The registry adapter handles all interoperations and data manipulation between the caller's request, the registry client, and the registry server. A server can be configured to work with any of the supported user registries, but it can be configured to work with only one registry at a time. In the figure, this limitation is shown as a four-way switch, by which the user registry option 210 can be connected to any of four (or more) options, but is connected to only one per instance. For supported user registries, such as lightweight directory access protocol (LDAP) 270, Microsoft Active Directory 250, Domino 260, and other user registries 280, the registry operations in each server invoke a User Registry Adapter Framework (URAF) interface 217, which dynamically loads the Registry Service Provider Interface (RSPI) adapter 255, 265, 275, 285 that interfaces to the given user registry. Thus, there is more flexibility in how the server 204, 206, 208 is set up, but once the initial choice is made, there is no variability in handling different user registries. Alpha Corporation would still have a problem trying to manage new user registries.
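The following is an added illustration, not code from the patent or from any URAF/RSPI implementation: it models the FIG. 2 arrangement in which a server holds one ACL and one user registry option, the framework loads exactly one adapter for that option, and every lookup goes through that adapter. The registry names, user names and group memberships are constructed sample data; the class and function names are assumptions chosen for the example.

```python
"""Toy model of a server bound to a single user registry option (FIG. 2)."""
from dataclasses import dataclass, field

# Constructed sample registries, one per company; contents are made up.
SAMPLE_REGISTRIES = {
    "ldap":   {"alice@alpha.example": {"groups": {"eng"}}},
    "domino": {"bob@beta.example":    {"groups": {"sales"}}},
    "ad":     {"carol@gamma.example": {"groups": {"eng"}}},
}


class RegistryAdapter:
    """RSPI-style adapter: all access to one registry type goes through it."""
    def __init__(self, kind, data):
        self.kind, self._data = kind, data

    def lookup(self, user):
        return self._data.get(user)


class URAF:
    """Loads the single adapter selected by the server's registry option."""
    def load(self, option):
        if option not in SAMPLE_REGISTRIES:
            raise ValueError(f"unsupported registry option: {option}")
        return RegistryAdapter(option, SAMPLE_REGISTRIES[option])


@dataclass
class Server:
    """Server tied to one ACL and one user registry option, as in FIG. 2."""
    registry_option: str
    acl: dict                      # resource -> set of groups permitted
    _adapter: RegistryAdapter = field(init=False)

    def __post_init__(self):
        self._adapter = URAF().load(self.registry_option)

    def authorize(self, user, resource):
        """Grant only if the user is known to this server's one registry
        and belongs to a group the ACL permits for the resource."""
        entry = self._adapter.lookup(user)
        if entry is None:
            return False           # user lives in a registry we cannot reach
        return bool(entry["groups"] & self.acl.get(resource, set()))


def demo():
    alpha = Server("ldap", {"/eng/specs": {"eng"}})
    # carol is an engineer too, but her account is in Gamma's AD registry.
    return (alpha.authorize("alice@alpha.example", "/eng/specs"),
            alpha.authorize("carol@gamma.example", "/eng/specs"))
```

The second result is False not because of the ACL but because the server's single adapter cannot see the other company's registry, which is the limitation the text describes.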
It would be desirable to have a method of allowing a single server to interface to more than one user registry. This would allow Alpha Corporation to provide user authentication for the companies it acquires or those with which it merges.