Multi-user computer systems, and systems connected to a multi-user network of computers, require the ability to control and restrict access to the various components and services provided within the computer system. Windows NT®, an operating system available from Microsoft Corporation, Redmond, Washington, is an example of a multi-user system implementing access control. Several reasons exist for providing access control; the primary ones are to protect the privacy of each user's data, and to protect system data from intentional or inadvertent corruption that would cause system failure or inefficient operation.
Examples of the components typically requiring an access control mechanism include file systems, electronic mail (E-mail) services, directory services, and database systems. Each of these services is typically managed by a separate program within the operating system, and each typically provides its own access control mechanism.
Each of these components is generally represented by objects having a plurality of properties describing various aspects of the object. For example, a file system, as is known in the art, is typically comprised of a set of folders organized in a tree structure. The folders contain files. Objects representing folders and files typically have properties such as the creation date and time, the last modification date and time, the last access date and time, the file size, an indicator of who owns the file or folder, and multiple data streams associated with the file.
Another example is a directory service. Directory services maintain a database of objects describing various resources available on the computer system. The Active Directory™ system available from Microsoft Corporation, Redmond, Washington provides such a service. Directory services typically need to maintain a variety of objects to represent the various types of resources available on modern computer systems. One example of such an object represents a system user. A user object in the directory service will typically be defined by properties comprising the user's name, E-mail address, company postal address, physical office location, telephone number, and the user's password in encrypted form. The list provided is meant to be representative of the types of properties, and does not necessarily include all the properties of a directory entry.
Several major concepts are common to the access control systems provided by prior systems. The first concept is that users of the system are assigned a user identifier (USERID). The USERID uniquely identifies a user to the system and is used to control and track access to the various components of the computer system. The USERID is generally associated with a password, which must be correctly supplied before a user is allowed access to the system.
In addition to the USERID, some operating systems, including Windows NT®, also support the concept of a group identifier (GROUPID). A group identifier allows the system to treat a related group of users in a similar way. For example, there may be a group of users assigned to a backup group whose function is to provide daily backups of the data contained within the computer system. Since the members of this group would all need similar system permissions, it is easier and more convenient to include them in a user group and assign the permissions to the group, rather than to each individual within the group.
The second concept is that of access rights associated with an object. Access rights define who is allowed to manipulate an object. In the context of a file system, access rights associated with files include the right to create a file, read a file, write a file, update a file, and delete a file. In the context of a directory service, access rights associated with directory entries include the right to create an entry, read an entry, update an entry, and delete an entry. Access rights are also referred to as access control rights, or permissions.
Access rights are typically granted or denied based on the USERID or GROUPID associated with an application making a service request.
A primary problem with the above-described mechanism is that the rights are associated with the whole object. In other words, the same permission applies to each and every property defined in the object. For example, a user having write attribute permission for a file can also update the creation, modification, and access times associated with the file.
The problem is more acute with a directory service. Directory entries typically contain a number of properties with varying purposes. As a result, many different sets of users need to read and write the properties. For example, a building receptionist may be interested in updating the telephone number and office address properties of an employee's directory entry, while a system administrator may be interested in maintaining the E-mail and password properties within the same employee's directory entry. In prior systems, both the receptionist and the system administrator would need to be granted write access to the object's entire set of properties in order to perform their respective functions. This leads to the potentially undesirable result of the receptionist having the ability to update the user's password and the system administrator inadvertently updating the user's telephone number.
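The contrast drawn in the two preceding paragraphs, together with the USERID, GROUPID and access-right concepts introduced above, modelled in working code. This is an illustrative example added to this page, not the Windows NT or Active Directory implementation; the class names, the `Domain Users` and `Domain Admins` group names, the `receptionist` and `admin` accounts and the sample directory entry are all assumptions constructed for the example. The same checker evaluates an ACL written the prior way (one set of rights on the whole object) and one with property-scoped entries, so the finer-grained model is a superset of the older one rather than a replacement for it:

```python
"""Object-level versus property-level access control, modelling the directory
entry discussed in the text.  Illustrative code added to this page, not the
Windows NT or Active Directory implementation; the class, principal and group
names and the sample entry are assumptions constructed for the example."""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional


class Right(Flag):
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class Principal:
    """A caller: its USERID plus the GROUPIDs it belongs to."""
    userid: str
    groupids: frozenset = frozenset()

    def trustees(self) -> set:
        return {self.userid} | set(self.groupids)


@dataclass(frozen=True)
class Ace:
    """One access control entry.  prop=None means the entry covers the whole
    object (the prior mechanism); a property name scopes it to that property."""
    trustee: str            # a USERID or a GROUPID
    rights: Right
    allow: bool = True
    prop: Optional[str] = None


@dataclass
class DirectoryEntry:
    properties: dict
    acl: tuple

    def check_access(self, who: Principal, right: Right,
                     prop: Optional[str] = None) -> bool:
        """Deny takes precedence: any matching deny ACE refuses the request;
        otherwise an allow ACE naming the caller's USERID or one of its GROUPIDs
        grants it.  An object-wide ACE (prop=None) applies to every property, so
        an ACL written for the whole-object model keeps working unchanged."""
        relevant = [a for a in self.acl
                    if a.trustee in who.trustees()
                    and right in a.rights
                    and a.prop in (None, prop)]
        if any(not a.allow for a in relevant):
            return False
        return any(a.allow for a in relevant)

    def write(self, who: Principal, prop: str, value) -> None:
        if not self.check_access(who, Right.WRITE, prop):
            raise PermissionError(f"{who.userid} may not write {prop}")
        self.properties[prop] = value


# Constructed sample principals and entry (assumed names, not real accounts).
RECEPTIONIST = Principal("receptionist", frozenset({"Domain Users"}))
ADMIN = Principal("admin", frozenset({"Domain Admins"}))
SAMPLE_USER = {"name": "A. Example", "email": "a.example@corp.test",
               "office": "B-12", "telephone": "555-0100",
               "password": "<stored credential>"}


def coarse_entry() -> DirectoryEntry:
    """Prior mechanism: every right applies to the object as a whole."""
    return DirectoryEntry(dict(SAMPLE_USER), (
        Ace("Domain Users", Right.READ),
        Ace("Domain Admins", Right.READ | Right.WRITE),
        Ace("receptionist", Right.WRITE),   # needed for telephone and office,
    ))                                      # but it covers the password too


def fine_entry() -> DirectoryEntry:
    """Property-level rights: each role may write only its own properties."""
    return DirectoryEntry(dict(SAMPLE_USER), (
        Ace("Domain Users", Right.READ),                   # object-wide, as before
        Ace("Domain Users", Right.READ, allow=False, prop="password"),
        Ace("Domain Admins", Right.READ),
        Ace("Domain Admins", Right.WRITE, prop="email"),
        Ace("Domain Admins", Right.WRITE, prop="password"),
        Ace("receptionist", Right.WRITE, prop="telephone"),
        Ace("receptionist", Right.WRITE, prop="office"),
    ))


def demo() -> dict:
    """Returns the outcomes discussed in the text, keyed by scenario."""
    coarse, fine = coarse_entry(), fine_entry()
    return {
        "coarse_receptionist_writes_password":
            coarse.check_access(RECEPTIONIST, Right.WRITE, "password"),
        "coarse_admin_writes_telephone":
            coarse.check_access(ADMIN, Right.WRITE, "telephone"),
        "fine_receptionist_writes_telephone":
            fine.check_access(RECEPTIONIST, Right.WRITE, "telephone"),
        "fine_receptionist_writes_password":
            fine.check_access(RECEPTIONIST, Right.WRITE, "password"),
        "fine_receptionist_reads_password":
            fine.check_access(RECEPTIONIST, Right.READ, "password"),
        "fine_admin_writes_password":
            fine.check_access(ADMIN, Right.WRITE, "password"),
        "fine_admin_writes_telephone":
            fine.check_access(ADMIN, Right.WRITE, "telephone"),
        # the prior-style whole-object query still has a well-defined answer
        "fine_receptionist_writes_object":
            fine.check_access(RECEPTIONIST, Right.WRITE),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:40s} {'allowed' if allowed else 'denied'}")
```

With the whole-object ACL the receptionist's write right reaches the password and the administrator's reaches the telephone number, exactly the outcome the text describes; with property-scoped entries each role is confined to its own properties while the object-wide read entry continues to work as before. One caveat a practitioner will want: because deny entries are evaluated before allow entries regardless of how the trustee membership arises, a deny placed on a broad group such as `Domain Users` also strikes any administrator who is a member of that group, which is why the example keeps `admin` out of it.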
A secondary problem with the access control mechanisms of prior systems is that each service provides its own access control mechanism. For example, the file system service, directory service, E-mail service, and database service each provides its own access control methods and procedures. This leads to inconsistencies between the services, and also to redundant code.
Therefore, there is a need in the art for an access control system that provides a mechanism for defining a finer granularity of access control rights for a service. The system should continue to support the previous mechanisms, in which the access rights apply to the entire object. In addition, the system should provide a consistent, non-redundant interface.