Controlling user access is a fundamental aspect of network operating system functionality. With the proliferation of computer networks serving large numbers of users, access control lists are a fundamental part of managing network traffic as well as security. Users and other entities can be members of a group. Members and groups are represented in computer systems as objects. Members are organized into groups, with each group having certain privileges and access capabilities. Groups can contain subgroups, which introduces increased complexity to the network operating system's access control list implementation.
In current systems where group membership is determined at login time, the system suffers from the serious defect of only finding a limited number of groups to which the member belongs. Simply enumerating all the groups to see which ones the user is a member of is a concept that clearly doesn't scale well, and if nested groups are allowed, enumerating all groups to which a member belongs becomes impossible. Some directory services provide group membership determination at login, but only through database maintenance of back pointers. Such a database must be constantly updated as groups are created, and members join or are removed from groups. This is computationally expensive and requires significant bandwidth across large systems. Lightweight directory access protocol (LDAP) servers are becoming more and more popular among system administrators, but are overwhelmed by the demands and costs of maintaining such a database. Thus, there is a heartfelt need for a mechanism that meets the requirement of computational economy while still managing large and complex access control lists.