A secure access management system is sometimes needed in which multiple individuals or entities can grant access rights to other individuals or entities for different restricted objects, such as data objects, software, or portions of software functionality. One desirable feature of such a system is the ability to determine easily whether a particular access grant has already been made, so that grantors can avoid making redundant grants.
Often, the restricted objects (e.g., data and/or software programs) are structured so as to include a large number of different components that are interrelated with each other, e.g., in a hierarchical manner. A typical example is a data file system in which a root directory includes files and folders, with each of those folders including other files and sub-folders, and so on.
It is also sometimes desirable to restrict access to the individual components differently across a large number of people or other entities. For example, within an organization the accounting department personnel might need access to one set of folders and/or files, while the personnel department needs access to another, potentially overlapping, set. In addition, individuals within those departments might need different levels of access to information, e.g., on a need-to-know basis.
Similar considerations apply to software functionality. For example, it might be desirable for customer service personnel to have access to all customer data, but with software functionality that only permits them to view one customer's data at a time, while individuals responsible for policy setting might not need to have access to functionality that retrieves individual customer data but only functionality that aggregates customer data to produce summary reports.
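The following is an added illustration, not part of the original text, of the kind of system the preceding paragraphs describe: a hierarchy of restricted objects (folders, files, and software features modeled as nodes of one tree), several grantors, rights that are inherited downward from a node to its descendants, and a redundancy check that reports when a proposed grant is already in effect on the object or an ancestor. The rule that only a subject holding an "admin" right on a node may grant rights there, and all node, subject, and right names, are assumptions of this example.

```python
# Added example: hierarchical access grants with redundancy detection.
# Node names, subject names and the "admin" granting rule are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RestrictedObject:
    """A node in a hierarchy of restricted objects (folder, file or feature)."""
    name: str
    parent: Optional["RestrictedObject"] = None
    # subject -> set of rights granted directly on this node
    grants: dict = field(default_factory=dict)

    def path(self) -> str:
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))

    def ancestry(self):
        """Yield self, then parent, grandparent, ... up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class AccessManager:
    """Multi-grantor access management with rights inherited downward."""

    def __init__(self, root: RestrictedObject, admins: set):
        self.root = root
        for admin in admins:
            root.grants.setdefault(admin, set()).add("admin")
        self.log = []  # audit trail of every grant attempt

    def effective_source(self, obj, subject, right):
        """Return the nearest node (obj or an ancestor) on which `subject`
        already holds `right`, or None if the right is not in effect."""
        for node in obj.ancestry():
            if right in node.grants.get(subject, set()):
                return node
        return None

    def has_right(self, obj, subject, right) -> bool:
        return self.effective_source(obj, subject, right) is not None

    def grant(self, grantor, obj, subject, right) -> str:
        # Least privilege (assumed rule): a grantor must hold "admin" on the
        # object, directly or by inheritance, before granting anything there.
        if not self.has_right(obj, grantor, "admin"):
            self.log.append(("denied", grantor, subject, right, obj.path()))
            return "denied"
        # Redundancy check: is the right already effective via an ancestor?
        source = self.effective_source(obj, subject, right)
        if source is not None:
            self.log.append(("redundant", grantor, subject, right, obj.path()))
            return f"redundant: already effective via {source.path()}"
        obj.grants.setdefault(subject, set()).add(right)
        self.log.append(("granted", grantor, subject, right, obj.path()))
        return "granted"


def demo():
    """Constructed hierarchy mirroring the accounting/personnel example."""
    root = RestrictedObject("root")
    finance = RestrictedObject("finance", root)
    payroll = RestrictedObject("payroll", finance)
    hr = RestrictedObject("hr", root)
    reports = RestrictedObject("summary-reports", root)  # a software feature
    mgr = AccessManager(root, admins={"it-admin"})

    results = [
        mgr.grant("it-admin", finance, "acct-team", "read"),        # granted
        mgr.grant("it-admin", payroll, "acct-team", "read"),        # redundant
        mgr.grant("it-admin", payroll, "payroll-clerk", "write"),   # granted
        mgr.grant("acct-team", hr, "acct-team", "read"),            # denied
        mgr.grant("it-admin", reports, "policy-team", "execute"),   # granted
    ]
    return results, mgr, {"payroll": payroll, "hr": hr}


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The second call is the case the text singles out: "acct-team" already reads `/root/finance`, so granting read on `/root/finance/payroll` would duplicate an existing effective right, and the manager reports where that right comes from instead of adding a second, redundant grant. The audit log records denied and redundant attempts as well as successful ones, which is what a reviewer needs when reconstructing how a subject ended up with a given level of access.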