The present invention relates to policy management and conflict resolution in computer networks, and more specifically to a general policy management architecture and its applications in various network management fields.
Computer networks allow increased computing power, sharing of resources, and communications between users. These networks have grown to represent large investments on the parts of businesses, governments and educational institutions and these organizations spend large amounts of time and money maintaining their networks. According to industry research, an average 5000-user corporate network costs more than $6.4 million to support each year. Thus, to many network decision makers the real concern, as we head into the 21st century, is not so much migrating to faster technologies such as asynchronous transfer mode (ATM), but reducing the costs associated with supporting and operating the networks they use today.
One of the principal costs associated with maintaining a network is the time spent on reconfiguration. This is not necessarily the replacement of switches, concentrators, bridges, etc., but the adding, moving and changing of users connected to the network. Simply moving a person from one desk on one floor to another desk on another floor may involve changing router ports, routing tables, IP addresses, making desktop changes and even doing some physical rewiring. According to LAN Times, the average cost of adds, moves and changes on today's router-centric networks has been conservatively estimated at $300-500 per user. With the average company moving each user 1.1 times per year, it is clear where many of the support dollars are going. The administrators overseeing these operations would appreciate a reduction in the time it takes to implement such changes.
As the cost of maintaining networks has risen, the internetworking experts able to oversee such operations are becoming harder to find. Many networks are understaffed to meet the increasing demands placed on them. A management system is needed which allows someone who is not an internetworking expert to perform the more mundane operations, such as moving users around, adding users, or changing the access constraints of specific users.
For example, the ability to connect to a network will often depend on the location from which a user is accessing the network and the destination a user is trying to reach. It is a complicated job to control access between what could be thousands of users, and it is made more complicated by the fact that the same user might access the system from different locations and might need different levels of access as a function of the location. The possible combinations of access increase geometrically because of these "nomadic" users.
Thus, it would be desirable to provide an architecture for a management system for controlling, simplifying and/or automating various aspects of network management so that the cost of maintaining the network, and/or using the network, can be better controlled.
The present invention provides a framework for implementing policy in network management. In one embodiment, the framework includes a method for defining network domains, a method for defining rules, a method for attaching rules to domains, and a policy driver to monitor objects, execute rules that are attached to the objects, and adjudicate among conflicting rules.
Given this framework, one developing an application in a particular network management area may ask the following questions:
What are the objects in my application?
What are the attributes of the objects?
What (if any) are the ways in which I should group the objects?
Which attributes do I want to monitor and control?
What are the rules in the rule space?
To which objects in the domain are rules attached?
Which events will trigger the policy driver?
What are the actions I want when rules are triggered?
With answers to these questions, one can develop and implement a policy in a particular management application.
In one embodiment, a configuration application is provided with policies that govern:
The addition of users and resources on the network;
The deletion of users and resources from the network; and
Changes in resource operating parameters.
In a second embodiment, an access/connectivity application is provided with policies that govern:
The access rights of users and end stations to databases, applications, and other users and end stations;
Authentication of users (for security); and
Tracking the usage of network resources.
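The following is an added example, not code from the patent or any product it describes, showing the framework applied to the access/connectivity embodiment for a nomadic user: domains group end stations, rules are attached to domains rather than to objects, and a policy driver fires on an event, executes every attached rule and adjudicates a conflict. The priority-based adjudication, the default-deny outcome, and all domain, rule and user names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample: an end station is the monitored object; its attributes
# are the logged-in user, the access location and the requested destination.
@dataclass
class EndStation:
    name: str
    user: str
    location: str
    destination: str = ""

@dataclass
class Rule:
    name: str
    priority: int                            # assumption: higher wins a conflict
    condition: Callable[[EndStation], bool]  # does the rule apply to this object?
    decision: str                            # "allow" or "deny"

class Domain:
    """A named grouping of objects; rules are attached to the domain."""
    def __init__(self, name: str, members: Callable[[EndStation], bool]):
        self.name, self.members, self.rules = name, members, []
    def attach(self, rule: Rule) -> None:
        self.rules.append(rule)

class PolicyDriver:
    def __init__(self, domains: List[Domain]):
        self.domains = domains
    def on_event(self, event: str, obj: EndStation) -> str:
        """Triggered by an event: execute the rules attached to every domain
        containing obj, then adjudicate among conflicting decisions."""
        if event != "connect":
            return "ignored"
        fired = [r for d in self.domains if d.members(obj)
                 for r in d.rules if r.condition(obj)]
        if not fired:
            return "deny"                    # assumption: default deny
        best = max(r.priority for r in fired)
        decisions = {r.decision for r in fired if r.priority == best}
        # Adjudication (assumption): highest priority wins; an unresolved tie is denied.
        return decisions.pop() if len(decisions) == 1 else "deny"

def build_driver() -> PolicyDriver:
    """Constructed access/connectivity policy: engineers may reach the source
    database, but never from a public kiosk, wherever the user roams."""
    engineering = Domain("engineering", lambda s: s.user in {"alice", "bob"})
    kiosks = Domain("public-kiosks", lambda s: s.location.startswith("kiosk"))
    engineering.attach(Rule("eng-source-db", 10, lambda s: s.destination == "source-db", "allow"))
    kiosks.attach(Rule("kiosk-no-internal", 20, lambda s: s.destination == "source-db", "deny"))
    return PolicyDriver([engineering, kiosks])
```

The same user is a member of both domains when connecting from a kiosk, so both rules fire and the driver must adjudicate; from an office only the engineering rule applies.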
These and other features of the present invention will be more particularly described in the following detailed description and accompanying drawings.