1. Technical Field
The invention relates to accessing information from a directory structure in a computer environment. More particularly, the invention relates to controlling access to data within an LDAP directory structure in a computer environment.
2. Description of the Prior Art
A Lightweight Directory Access Protocol (LDAP) directory (such as Netscape Communications Corporation""s Directory Server) is a collection of xe2x80x9centries.xe2x80x9d Each entry has a name (called the Distinguished Name) and a list of attribute values. The entries in a directory are organized in a tree structure, with major groupings that are subdivided into smaller units. A directory might contain several organization entries, each of which contains several organizationalUnit entries. These entries can be further subdivided.
LDAP provides search operations that can be performed over specified portions of the directory tree. Trees and subtrees, therefore, are a natural way to deal with data stored in an LDAP directory.
Entries and attributes correspond to a wide variety of data types such as personnel information, server configuration, business relationships, and user preferences. Since all entries are stored within a single directory, a method is required to restrict the availability of specific information to authorized users.
The method used to control access is via Access Control Lists (ACL). The Directory Server Administrator (DSAdmin) creates some basic ACL rules that grant permission to certain users to access various information in the directory. Most of the security considerations will require from tens to hundreds of rules to implement. The smaller number of ACL rules offers better performance and easier manageability.
Because a directory is the critical central repository in an intranet containing collections of information, e.g., about people, it is imperative that a rich set of access options/features be provided.
A medium to large company may have thousands of departments. Consequently, the DSAdmin has to create thousands of groups and ACL rules to handle those departments. Additionally, if a person leaves or joins the company, the DSAdmin must delete or add that person to a (possibly large) number of groups.
It would be advantageous to provide a access control via properties system that gives the system administrator the ability to easily specify particular information in a directory that are accessible by users that have a specific set of attributes. It would further be advantageous to provide an access control via properties system that reduces the burden on the system administrator and server of maintaining and storing the large number of groups, roles, and access rules that are traditionally required to support large directory systems.
The invention provides an access control via properties system. The system provides a simple command language that allows a system administrator to manage access to directory information by easily specifying the particular directory information and the desired attributes of the users that are allowed access. In addition, the invention provides a system that does not require the large number of groups, roles, and ACL rules needed by traditional approaches to support a directory system.
A preferred embodiment of the invention provides ACL rules based on the properties associated with the entries, thereby taking advantage of the fact that there are inherent properties associated with each entry. The invention does not require any changes to the schema. Rather, once the server supports the invention, the system administrator creates a few simple ACL rules and is done.
The invention structures the ACL rule such that it indicates the attributes that the administrator has selected for user access. The administrator specifies the type of access to be granted to a user which can include: read, write, or any other privileges that the system supports. The desired attributes that the user must have to be granted such access is also listed.
The attribute fieldname associated with the desired attributes is specified in the access control command. The directory server will match the desired attributes within the specified attribute fieldname with the user""s attributes. It will allow access to the directory entry only if the user has the desired attribute values.
Alternatively, a match function can be specified for the desired attributes. The directory server matches the desired attributes with the user and the owner of the list of attributes and allows access to the directory entry only if the both the user and the owner have the desired attribute values.
When a user accesses a directory entry, the directory server selects and analyzes a specific access control command according to the attribute being accessed.