1. Field of the Invention
The field of the invention is data processing, or, more specifically, methods, apparatuses, and products for assigning ACLs to a hierarchical namespace to optimize ACL inheritance.
2. Description of Related Art
IBM Tivoli® Access Manager includes a body of applications for implementing security policies on applications, such as web portals, operating systems, and other applications. Access Manager applies security policies by attaching access control lists (ACLs), protected object policies (POPs), and authorization rules to the objects within the object space that represent the physical resources to be protected. An ACL is a data structure that informs software implementing a security policy, such as Access Manager, of the permissions, or access rights, that a user or group has to a specific object, such as a directory or file. Each ACL has one or more ACL entries that describe the users and groups whose access to the object is explicitly controlled by the ACL, the specific operations permitted to each such user or group, and the specific operations permitted to other special and unauthenticated users.
Access Manager uses a hierarchical namespace, implemented as a virtual object representation of resources called the protected object space, and implements ACL inheritance. ACL inheritance provides a vehicle to reduce the number of ACLs attached to objects in the hierarchical namespace: an object in the hierarchical namespace that is not assigned an ACL inherits the ACL assigned to the node above it in a tree structure representation of the hierarchical namespace. Techniques currently exist for defining the tree structure of the hierarchical namespace and the attached ACLs, but such techniques do not provide a mechanism for attaching the ACLs to the tree that optimizes ACL inheritance. There is an ongoing need for a method, apparatus, and computer program product for assigning ACLs to a hierarchical namespace to optimize ACL inheritance.
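As an added illustration of the inheritance rule described above (not code from the patent or from Access Manager), the following Python resolves the effective ACL of each object in a constructed protected object space and attaches ACLs only where inheritance would otherwise yield a different ACL. The object names, the ACL entry format, and the attach-only-where-different rule are assumptions made for the example.

```python
# Added example, not part of the patent: resolve ACL inheritance in a
# hierarchical namespace and attach ACLs only where the inherited ACL
# would differ from the intended one. All names and ACLs are constructed.
from typing import Dict, List, Optional

Acl = Dict[str, str]  # constructed format: subject -> permission string

def parent_of(path: str) -> Optional[str]:
    """Return the parent object name; the root '/' has no parent."""
    if path == "/":
        return None
    head = path.rsplit("/", 1)[0]
    return head or "/"

def depth(path: str) -> int:
    return len([p for p in path.split("/") if p])

def effective_acl(path: str, attached: Dict[str, Acl]) -> Optional[Acl]:
    """Inheritance rule from the text: an object without its own ACL
    uses the ACL of the nearest ancestor that has one attached."""
    node: Optional[str] = path
    while node is not None:
        if node in attached:
            return attached[node]
        node = parent_of(node)
    return None  # no ACL anywhere on the path to the root

def minimal_attachments(desired: Dict[str, Acl]) -> Dict[str, Acl]:
    """Attach an ACL only where inheritance would give the wrong ACL.
    Parents are processed before children so each decision already
    sees the attachments made above it in the tree."""
    attached: Dict[str, Acl] = {}
    for path in sorted(desired, key=lambda p: (depth(p), p)):
        if effective_acl(path, attached) != desired[path]:
            attached[path] = desired[path]
    return attached

def audit(desired: Dict[str, Acl], attached: Dict[str, Acl]) -> List[str]:
    """Objects whose effective ACL does not match the intended policy."""
    return [p for p in desired if effective_acl(p, attached) != desired[p]]

# Constructed sample policy: the intended effective ACL of each object.
ACL_USERS = {"group:users": "r", "unauthenticated": ""}
ACL_PUBLIC = {"group:users": "r", "unauthenticated": "r"}
ACL_ADMIN = {"group:admins": "rw", "unauthenticated": ""}
DESIRED: Dict[str, Acl] = {
    "/": ACL_USERS, "/web": ACL_USERS, "/web/app": ACL_USERS,
    "/web/app/docs": ACL_PUBLIC, "/web/app/admin": ACL_ADMIN, "/mgmt": ACL_ADMIN,
}

if __name__ == "__main__":
    attached = minimal_attachments(DESIRED)
    print(f"{len(attached)} ACLs attached instead of {len(DESIRED)}: {sorted(attached)}")
    print("objects whose effective ACL differs from intent:", audit(DESIRED, attached))
```

Running it attaches four ACLs instead of six, and the audit reports no object whose effective ACL differs from the intended policy.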