The present invention relates generally to administration of network environments, and more particularly to delegation of administrator powers in network environments.
Enterprise computing is evolving from a centralized, mainframe-based model, to distributed client-server and Internet based computing. These trends generally are increasing the complexity of managing enterprise systems and infrastructures. Management challenges for such enterprise systems are further increased where the network environment includes features such as corporate web farms, large-scale intranets, e-Commerce applications, on-line customer relationships, remote sales offices, integrated business partnerships and extended supply chains. Such an extended enterprise network environment is schematically illustrated in FIG. 1. Thus, it is desirable for enterprise systems and applications to reach beyond the walls of the traditional enterprise definition. In light of these enterprise network environment trends, network administrators are increasingly challenged in their efforts to simplify administration tasks, increase security and reduce network costs.
Various approaches have been taken to expand upon the earliest models for network administration, such as various Windows products from Microsoft Corporation which provided for specific users with extensive administrative powers designated on the system as administrators while other users are denied access to these administrative powers. Thus, security and administration of the network environment in such products is provided by bifurcating users into administrators who have full administration authorities and users with no such authority.
Given the increased reliance on and complexity of the enterprise network environment, improvements to this basic administrator/user model have been provided in an attempt to allow controlled delegation of administrator authorities to designated users without requiring that such users be provided full administration powers and authorities over the network environment. Examples of such known approaches include the Windows 2000 Active Directory from Microsoft Corporation and the enterprise administrator previously offered by Mission Critical Software (now NetIQ Corporation) of Houston, Tex.
Active Directory is a feature supporting administration tasks. The Active Directory is a directory service that is integrated with Windows 2000 Server and offers hierarchical views, extensibility, scalability, and distributed security to business customers. The directory service is integrated with both Internet and intranet environments, provides intuitive naming for the objects it contains, scales from a small business to a large enterprise, works with familiar tools, such as Web browsers, and provides open application programming interfaces. In essence, Active Directory allows management of an enterprise environment by making a variety of objects be presented like a file directory.
To provide administrators with the power to create their own directory object types, the Active Directory is extensible through a schema mechanism. If a user has an important piece of information that the user wants to publish in the directory, he or she can create a whole new object type and publish it. For example, a wholesale distributor may want to create a warehouse object to put in its directory, with information that is specific to that business. New object classes can be defined and instances added.
The directory services themselves define a wide variety of classes. For example, the Active Directory provides standard objects for Domain, Organization Units (OU), User, Group, Machine, Volume, and PrintQueue, as well as a set of "connection point" objects used by Winsock, Remote Procedure Call (RPC), and Distributed Component Object Model (DCOM) services to publish their binding information.
The Active Directory provides an administration structure that allows for some decentralized administration generally without compromising security. Because each domain is a security boundary, multiple security boundaries are possible. With this design, administrators in domain A are not generally automatically administrators in domain B. The container hierarchy may be important where the scope of administration is the domain, and the administrator of a domain has authority over every object and service within that domain. The Active Directory grants privileges to users based on the specific functions they must perform within a given scope. Administrative scope can include an entire domain, a subtree of OUs within a domain, or a single OU.
With the Active Directory, large structures of users can be created in which each user can potentially access all of the information stored in the directory, but the security boundaries remain clear. Security boundaries can also be much smaller than domains. For example, when a user account is created, it is associated with a particular domain, but it can also be put into an organizational unit. Permission to create users in an organizational unit can be delegated, allowing someone to create users or other directory objects in one place only, with rights within that OU only. In addition, OU hierarchies can be created. The Active Directory provides specific permissions which can be delegated and restricted in scope. However, Active Directory still uses a static membership approach with Access Control List (ACL) based management. An ACL is a table which identifies access rights of a user to objects in Active Directory.
The Active Directory uses multimaster replication. Some directory services use a master-slave approach to do updates: all of the updates must be made to the master copy of the directory, and these are then replicated to the slave copies. This is generally adequate for a directory with a small number of copies and an environment where all of the changes can be applied centrally, but this approach does not typically scale beyond small-sized organizations, nor does it address the needs of decentralized organizations. Because the Active Directory offers multimaster replication, individual changes made in one copy of the directory are generally automatically replicated to other appropriate copies of the directory, whether connected via point-to-point or store-and-forward links.
Windows 2000 also provides a Security Configuration Editor designed to allow a user to perform configuration at a macro level. In other words, the editor allows a user to define a number of configuration settings and have them enacted in the background. With this tool, some configuration tasks can be grouped and automated using a macro-based approach layered over the ACL-based Active Directory; they may, therefore, no longer require numerous, iterative key presses and repeat visits to a number of different applications to configure a group of machines.
Windows 2000 also provides Group Policy and Security Groups, which can be used to filter Group Policy by using membership in Security Groups and setting ACL permissions. Doing so enables processing of Group Policy Objects and allows Group Policy to be applied to Security Groups. By using ACLs and Security Groups, an administrator can modify the scope of Group Policy Objects.
Finally, Windows 2000 provides a Microsoft Management Console (MMC) that is an independent software vendor (ISV)-extensible, common console framework for management applications. MMC itself does not supply any management behavior, but instead provides a common environment for Snap-Ins. Snap-Ins define the actual management behavior. Snap-Ins are administrative components integrated into a common host (MMC). The MMC environment may provide for seamless integration between Snap-Ins, even those provided by different vendors.
The Enterprise Administrator (EA) product also provided for some delegation of powers and automation of procedures to facilitate administration of an enterprise network environment. More particularly, EA provided rules-based delegation of powers to users to allow for limited delegation of administrator powers to various users. A set of pre-defined policy rules was also provided to control the exercise of such powers by authorized users in accordance with the established policies. However, the delegation rules were based on the identification of the entities (such as users) requesting the exercise of the administrator powers and the target object to be affected. Like Active Directory (which uses ACL tables), the properties of the target object were not accessed for use in determining the authority of the requesting entity. In addition, EA did not support seamless customization of policies by a customer.
EA did support limited automation of procedures as well as delegation of powers. In other words, some grouping of tasks was provided for execution of requests by authorized users which complied with the policy rules. In particular, EA provided user exits. These exits were out of process, asynchronous command launches and were generally only performed after the associated operation had completed. The user exits essentially allowed running a batch command and had hard-coded parameters passed to the user program. They were also limited in that only specific operations could actually be extended, such as user create, user delete, etc. In addition, automation was supported for creating and deleting home directories and shares associated with the user create, update and delete operations.
Accordingly, a need exists for further capabilities to support delegation of administration powers in a network environment.
Embodiments of the present invention provide methods, systems and computer program products for distributed administration of a network environment having defined administrator authorities. A plurality of entity objects associated with the network environment are provided, each having an identifier and properties. At least some of the entity objects do not have the administrator authorities of the network environment. A plurality of administration powers for the network environment are also provided which establish the properties of selected ones of the plurality of entity objects using the administrator authorities of the network environment. A plurality of rules are defined specifying ones of the plurality of entity objects authorized to invoke ones of the plurality of administration powers to establish properties of target ones of the entity objects. In various embodiments, such rules are based on one or more of the properties of the target ones of the entity objects. A request is received to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects at an administrator application executing on the network environment.
The administrator application identifies one of the plurality of rules associated with one of the plurality of administration powers for the one of the properties and obtains the at least one of the properties of the target one of the entity objects designated by the identified rule. The administrator executes the identified one of the plurality of rules to determine if the requesting one of the entity objects is authorized to invoke the associated one of the plurality of administration powers to establish the one of the properties of the target one of the entity objects based on the obtained one of the properties of the target one of the entity objects and establishes the one of the properties of the target one of the entity objects if the requesting one of the entity objects is authorized.
In further embodiments the entity objects are file objects or are account objects, resource objects or exchange objects. Account objects may include users and the requesting one of the entity objects may be a user.
In other embodiments, active objects are defined which are each associated with a plurality of the entity objects. One or more of the rules specifies one of the active objects as a target one of the entity objects. A wildcard identifier may be provided defining a criterion for one of the properties and at least one of the rules may associate the wildcard with the requesting entity object to designate a property of the target entity object used to determine if the requesting one of the entity objects is authorized to invoke the associated one of the administration powers to establish properties of the target entity object based on the one of the properties associated with the criterion. The account objects may have a property designating one of the users as a manager and the wildcard identifier may authorize designated managers of account objects to invoke the associated administration power of the rule associating the wildcard with the requesting one of the entity objects.
In further embodiments of the present invention, a plurality of policy objects are provided constraining invoking of ones of the administration powers by authorized entity objects. Operations for establishing the one of the properties of the target entity object are preceded by determining if any of the plurality of policy objects apply to the request based on the requesting one of the entity objects, the target one of the entity objects and/or the one of the properties of the target one of the entity objects to be established. It is determined if policy objects which apply are satisfied and the one of the properties of the target one of the entity objects is established if the policy objects which apply are satisfied. The one of the properties of the target one of the entity objects in various embodiments may be established if all or any one of the policy objects which apply are satisfied. One or more of the policy objects may be associated with a user defined script which is invoked if the policy object applies. The user defined script may populate the request to allow establishing the one of the properties of the target entity object.
In other embodiments of the present invention, a plurality of trigger scripts are provided, at least some of which include one or more of the administrator authorities and at least one other executable action to be invoked. A trigger script associated with a received request is invoked to establish a property of a target entity object. The trigger scripts may be revocable, and actions performed by the invoked trigger script may be revoked if an error is encountered during execution of the invoked trigger script.
In further embodiments of the present invention, a plurality of rules are defined which provide constraints on invoking associated ones of the administration powers based on a requesting one of the entity objects. The entity objects may be file objects and one of the administration powers may be to establish permissions for files. One or more rules may be defined which authorizes requesting entity objects to establish permissions over a file for one or more of the target entity objects for either only a subset of user entity objects or only a subset of file permission characteristics. In various embodiments, the entity objects are account objects including users and one of the administration powers establishes a user storage quota. One or more of the rules establish limitations on a range of values which may be provided as a user storage quota by a requesting entity object.
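The following is an added illustration, not code from the patent, of the mechanism the preceding paragraphs describe: a rule that names the requester either directly or through a wildcard resolved against a property of the target object (here its manager), policy objects that must all be satisfied before the property is set (a bounded storage quota), and a revocable trigger script whose completed actions are undone if a later action fails. The wildcard string, the entity names and the quota bounds are constructed assumptions.

```python
# Added illustration, not the patent's own code: a minimal property-aware
# delegation engine. The wildcard, sample accounts and quota bounds are assumptions.
from dataclasses import dataclass, field

MANAGER_WILDCARD = "$manager"  # "whoever the target's manager property names"

@dataclass
class Entity:
    id: str
    props: dict = field(default_factory=dict)

@dataclass
class Rule:
    requester: str  # explicit entity id or MANAGER_WILDCARD
    power: str      # administration power, e.g. "set_quota"

def is_authorized(rules, requester, target, power):
    """A rule grants the power by naming the requester directly or, via the
    wildcard, by matching a property of the target object (its manager)."""
    for r in rules:
        if r.power != power:
            continue
        if r.requester == requester.id:
            return True
        if r.requester == MANAGER_WILDCARD and target.props.get("manager") == requester.id:
            return True
    return False

def apply_request(rules, policies, requester, target, power, prop, value):
    """Rule check first; then every policy registered for the power must hold."""
    if not is_authorized(rules, requester, target, power):
        return "denied: no rule"
    if not all(check(requester, target, value) for check in policies.get(power, [])):
        return "denied: policy"
    target.props[prop] = value
    return "ok"

def run_trigger(steps):
    """Revocable trigger script: steps are (do, undo) pairs. If a step raises,
    completed steps are undone in reverse order and False is returned."""
    done = []
    try:
        for do, undo in steps:
            do()
            done.append(undo)
    except Exception:
        for undo in reversed(done):
            undo()
        return False
    return True

# Constructed sample: managers may set quotas for their reports, within bounds.
RULES = [Rule(MANAGER_WILDCARD, "set_quota")]
POLICIES = {"set_quota": [lambda rq, tg, v: 0 < v <= 500]}
```

With these definitions a request from a user who is the target's manager succeeds within the quota bounds, an out-of-range value is refused by the policy, and a user not named by any rule is refused before policies are consulted.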
In further embodiments of the present invention, the entity objects are account objects and properties of one or more of the account objects are administered by more than one application program. Virtual property objects are provided linking respective properties from one of the application programs to another of the application programs so as to present properties from the one of the application programs and the another of the application programs to a requesting one of the account objects without distinguishing the application programs administering the properties. The virtual property objects may be provided by an administrator application executing as a server application on the network environment.
In other embodiments of the present invention, systems are provided for distributed administration of a network environment having defined administrator authorities. A plurality of entity objects associated with the network environment are provided which have an identifier and properties. Various of the entity objects do not have the administrator authorities of the network environment. A plurality of administration powers for the network environment are provided which establish the properties of selected ones of the entity objects using the administrator authorities of the network environment. A plurality of rules are provided specifying ones of the entity objects authorized to invoke ones of the administration powers to establish properties of target entity objects based on one or more properties of the target entity objects. A presentation layer receives a request to establish one of the properties of a target one of the entity objects from a requesting one of the entity objects and provides information to the requesting one of the entity objects.
A business layer identifies one of the rules associated with one of the administration powers for the one of the properties, obtains the at least one of the properties of the target entity object designated by the identified rule from a data layer, executes the identified one of the rules to determine if the requesting entity object is authorized to invoke the associated one of the administration powers to establish the one of the properties of the target entity object based on the obtained one of the properties of the target entity object, and establishes the one of the properties of the target entity object through the data layer if the requesting one of the entity objects is authorized. The data layer interfaces the business layer to resources of the network environment, obtains the at least one of the properties of the target entity object designated by the identified rule responsive to a request from the business layer, and establishes the one of the properties of the target entity object responsive to the business layer.
While described above primarily with reference to methods, systems and computer program products are also provided.