In a system with a fine-grained, robust security model, the processing required to make authorization decisions can be intensive. For example, a security model with access control lists (ACLs) could contain large numbers of ACL entries. An authorization decision would potentially require evaluating each entry in the ACL against the requested access to reach a result.
If the model also supported concepts such as time-of-day restrictions, or rules keyed to the accessing application, computational costs would be further increased. Finally, if the authorization engine were external, required system process context switches, or utilized network services, the cost of full authorization processing would become substantially greater.
In processing systems, there are often resources that are frequently and repeatedly accessed. This trait is very common in computing file systems, where a core set of file system resources is repeatedly accessed for recurring tasks such as invoking programs, accessing user attributes, or accessing network services. Some examples from the UNIX operating system include /etc/passwd, /etc/group, /etc/hosts, and /usr/lib/libc.a. This can be especially true in a security model that supports inheritance of policy along a hierarchical path to a resource. With an inheritance model, an access control list (ACL) would control the authorization for a directory. That ACL would apply to all file resources lacking a specific ACL that reside below the protected directory in the file tree. In this case, one ACL defines access for a large number of file system resources.
In the context of authorization of resources, typical prior solutions employ a brute-force method. When a user requests a certain resource, the operating system must determine the applicability of the request based on many parameters. These parameters include the user, the application being used, the actual resource requested, time constraints, and location constraints, wherein a user may use certain resources only at or through a certain computing device.
Some systems employ complex authorization control lists that are simply searched for applicable authorization rules and guidelines. Others may employ database methods or built-in scripting services to perform the same function. When many parameters are used, these solutions prove inefficient both in time and effort. When a single machine makes the authorization decisions for a network of machines, the complexity rises immensely.
Additionally, these solutions apply their rules in a rote way. As such, a user must initiate the authorization process all over again whenever the action is interrupted and resumed. Time that the system could use elsewhere is thus dedicated to needlessly reformulating authorizations that were already computed.
In some systems, the authorizations are on a resource-by-resource basis. Others may use inherited authorization techniques, wherein a directory contains a file describing the appropriate authorization parameters for files in directories below it that have no authorization parameters of their own. In other uses, a combination scheme employing two or more parameters, such as the ones described above, may be used.
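The inherited-ACL lookup described above, together with a memoized decision cache that avoids the repeated re-evaluation the preceding paragraphs complain of, as an added Python example (not code from the patent); the policy table, principals and paths are constructed for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed sample policy: ACLs keyed by path. A resource without its own
# ACL inherits the nearest ancestor's ACL, as in the inheritance model above.
# Each entry is (principal, comma-separated permissions); "*" matches anyone.
ACLS = {
    "/": [("*", "read")],
    "/etc": [("root", "read,write"), ("*", "read")],
    "/etc/shadow": [("root", "read,write")],
    "/home/alice": [("alice", "read,write")],
}

@dataclass
class Authorizer:
    acls: dict
    entries_evaluated: int = 0          # cost counter: ACL entries examined
    cache: dict = field(default_factory=dict)  # (user, path, perm) -> bool

    def effective_acl(self, path):
        """Walk up the path until a directory (or file) with its own ACL is found."""
        p = PurePosixPath(path)
        while True:
            if str(p) in self.acls:
                return self.acls[str(p)]
            if p == p.parent:           # reached "/" without finding an ACL
                return []
            p = p.parent

    def authorize(self, user, path, perm):
        """Allow only if an entry for the user (or "*") grants perm; cached."""
        key = (user, path, perm)
        if key in self.cache:           # repeated request: no entries re-evaluated
            return self.cache[key]
        decision = False
        for principal, perms in self.effective_acl(path):
            self.entries_evaluated += 1
            if principal in ("*", user) and perm in perms.split(","):
                decision = True
                break
        self.cache[key] = decision
        return decision

    def update_acl(self, path, entries):
        """Any policy change must invalidate cached decisions (whole cache here)."""
        self.acls[path] = entries
        self.cache.clear()
```

The counter makes the saving visible: a second identical request costs zero entry evaluations, while a file deep under "/" still costs a full path walk the first time.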
As noted, the authorization schemes of many typical solutions have problems associated with computational efficiency. Many other problems and disadvantages of the prior art will become apparent to one skilled in the art after comparing such prior art with the present invention as described herein.