1. Field of the Invention
The present invention is directed to technology for determining members of a group.
2. Description of the Related Art
With the growth of the Internet and the use of networks and other information technologies, Identity Systems have become more popular. In general, an Identity System provides for the creation, removal, editing and other managing of identity information stored in various types of data stores. The identity information pertains to users, groups, organizations and/or things. For each entry in the data store, a set of attributes is stored. For example, the attributes stored for a user may include a name, address, employee number, telephone number, email address, user ID and password. The Identity System can also manage access privileges that govern what an entity can view, create, modify or use in the Identity System. Often, this management of access privileges is based on one or more attributes.
Groups can be very useful for managing access privileges and other items. For example, if five persons at a company have similar job responsibilities, they are likely to need similar access privileges. Rather than configure each person separately, a group can be created and each of the five persons can be added to the group. An administrator then only needs to configure the system for the single group's access privileges, instead of five separate persons. Groups can be used for any subset of access privileges. Groups are also popular for mailing lists.
A user can become a member of a group by explicitly identifying that user as a member. This is referred to as static membership. There are at least two additional means for a user to become a member of a group. First, a rule can be set up that defines who can become a member of the group. Use of such a rule is referred to as dynamic membership. Additionally, a first group can be a member of a second group, causing all of the members of the first group to be members of the second group. The members of the first group are said to be nested members of the second group, while the first group is said to be a group member of the second group.
One service of an Identity System that could be useful to a user is to provide, on demand or automatically, an identification of the members of a group, including static members, dynamic members or nested members. A list of static members is generally stored with the group identity information. The rule for dynamic membership, stored with the group identity information, can be used to determine the dynamic members. However, nested membership is more difficult to determine since there can be many levels of nesting and many nested groups at each level.
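The three membership types described above can be combined into one effective-member listing, which is what an access review needs. The following is an added illustration, not the method of the invention: a plain breadth-first expansion with a visited set, where the `Group` fields, the `resolve_members` function, the reason labels and the sample users and groups are all hypothetical, and where it is assumed that nesting may contain cycles.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Group:
    static_members: set = field(default_factory=set)   # user IDs listed explicitly
    rule: Optional[Callable[[dict], bool]] = None       # dynamic rule over user attributes
    group_members: set = field(default_factory=set)     # names of groups nested in this one

def resolve_members(root, groups, users):
    """Map each effective member of `root` to the set of reasons it is a member."""
    members, seen, queue = {}, set(), deque([root])
    while queue:
        name = queue.popleft()
        group = groups.get(name)
        if name in seen or group is None:   # already expanded (cycle, diamond) or unknown
            continue
        seen.add(name)
        nested = None if name == root else f"nested:{name}"
        for uid in group.static_members:
            members.setdefault(uid, set()).add(nested or "static")
        if group.rule is not None:          # evaluate the dynamic rule against every user
            for uid, attrs in users.items():
                if group.rule(attrs):
                    members.setdefault(uid, set()).add(nested or "dynamic")
        queue.extend(sorted(group.group_members))   # descend one nesting level
    return members

# Constructed sample data (hypothetical, not from the page).
USERS = {
    "alice": {"dept": "eng"},
    "bob": {"dept": "sales"},
    "carol": {"dept": "eng"},
    "dave": {"dept": "ops"},
}
GROUPS = {
    "vpn-users": Group({"bob"}, lambda u: u["dept"] == "ops", {"engineers"}),
    "engineers": Group({"alice"}, lambda u: u["dept"] == "eng", {"oncall"}),
    "oncall": Group({"dave"}, None, {"engineers"}),   # nests back into engineers: a cycle
}

if __name__ == "__main__":
    for uid, why in sorted(resolve_members("vpn-users", GROUPS, USERS).items()):
        print(uid, sorted(why))
```

Recording the reason beside each user shows which nested group or rule grants membership, which is the detail a reviewer needs when a privilege attached to the outer group turns out to reach an unexpected account.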