Current network systems allow trusted relationships to be established between domains of computer systems. A domain of computer systems is a collection of computer systems that share the common attribute of being in the same domain. For example, all the computer systems of a company may form the domain of the company, and the computer systems of the human resource department of the company may form the human resource domain of the company. Oftentimes, users of computer systems in one domain may allow users of another domain to access their resources (e.g., data files and application files). For example, the president of the company whose computer system is in an executive domain may have access to the personnel files (i.e., a type of resource) that are stored on the computer systems of the human resource domain. To allow access to the personnel files, an administrator of the human resource domain may establish a “trust relationship” with the users of the executive domain. Once the trust relationship is established, the president of the company, being a member of the trusted domain, may be able to access the desired personnel files. The administrator of the human resource domain is said to establish an “incoming trust” for the human resource domain with the executive domain, which means that the users of the executive domain are trusted by the administrator of the human resource domain. The administrator of the executive domain could also establish a trust relationship between the executive domain and the human resource domain. This trust relationship would allow the users of the human resource domain to access the resources of the executive domain. In this case, an “outgoing trust” for the human resource domain with the executive domain is established that allows users of the human resource domain to access resources of the executive domain. The “incoming trust” for the human resource domain would be an “outgoing trust” for the executive domain, and the “incoming trust” for the executive domain would be an “outgoing trust” for the human resource domain.
Once a trust relationship is established between domains, access to the resources of the domain with the incoming trust can be controlled by an access control list (“ACL”) or some other control mechanism. For example, a manager within the human resource domain may specify that the president has read-only access to his personnel file and read-write access to the personnel files of the other executives of the company. When the president requests access to his personnel file, the security mechanism of the human resource domain checks the ACL of that personnel file to ensure that the requested access is consistent with the access rights of the president. If not, the president is denied access.
It can be very time-consuming for administrators and users of a domain that has an incoming trust relationship to establish the appropriate access rights to all its resources for all the users of the trusted domain. To help facilitate establishing access rights, at least one network security mechanism provides an “allowed-to-authenticate” access right between computer systems of the domain with the incoming trust and users of the domain with the corresponding outgoing trust. For example, the administrator of the human resource domain may specify that the executives of the company are allowed to authenticate to the personnel server of the human resource domain that contains the personnel files. When the president requests access to the personnel files, the president's computer system first attempts to authenticate to the personnel server. If the human resource administrator has allowed the president the right to authenticate to the personnel server, the network security mechanism authenticates the president to ensure that it is really the president who has requested the access. Once the authentication is complete, the president can then access the resources (e.g., personnel files) of the personnel server in accordance with the ACL of those resources. If none of the resources of the personnel server has an ACL that grants the president access rights, then although the president can be authenticated, the president will not be able to access any of the resources.
The authentication process used by a network security mechanism may be a standard Kerberos authentication technique in which a Kerberos client of the president's computer system provides a user name and password to a Kerberos server of the human resource domain. The Kerberos server validates the user name and password, ensures that the user has the allowed-to-authenticate access rights to the requested computer system, and if so, provides a “ticket” to the user. That ticket is used whenever that user attempts to access a resource of the computer system to which it has been authenticated. If the ticket is valid, then access to the resource is allowed in accordance with the ACL of the resource. If not, access is denied.
Some network security mechanisms store security information, such as allowed-to-authenticate information, for a domain in a central repository using a directory server such as an LDAP directory or “MICROSOFT ACTIVE DIRECTORY.” Each computer system of a domain may have an entry within a central repository that specifies which users of domains with outgoing trusts to this domain are allowed to authenticate to that computer system. For example, the entry for the personnel server of the human resource domain may specify that a group of users, referred to as “executives,” of the executive domain are allowed to authenticate to the personnel server. The entry may alternatively list the user names of each executive. A network security mechanism accesses this central repository whenever a user of a domain with an outgoing trust to this domain requests to authenticate to a computer system of this domain.
Such central repositories of security information store the information for each computer system, but they do not store the information in a way that all the access rights of individual users of domains with outgoing trusts can be quickly determined. To determine the access rights of a user, the entire store of security information would need to be accessed to identify to which computer systems the user has access rights (e.g., allowed-to-authenticate access rights). Because domains can have hundreds of thousands of computer systems and can have incoming trust relationships with many different domains, each with hundreds of thousands of users, the security information of the central repository can be extremely large, and it can take a long time to identify all the access rights of an individual user. For example, in one case, it took a computer program more than three days to compile a list that indicated, for each user with an allowed-to-authenticate access right, the list of computer systems to which the user had the allowed-to-authenticate access right. As a result, some administrators do not use certain security features of network security mechanisms because it is impractical to identify and control the access rights of individual users.
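The following is an added illustration, not part of the patent text and not any vendor's implementation, of the two mechanisms described above: the two-step check in which a user from a domain with an outgoing trust must first be allowed to authenticate to a computer system before the resource ACL is consulted, and the per-computer layout of the central repository that forces a scan of every entry to answer "which computer systems may this user authenticate to". All domain, group, user, computer and resource names (hr, exec, executives, president, cfo, personnel-server, and so on) are constructed for the example; the repository is modelled as plain dictionaries rather than an LDAP or Active Directory store.

```python
"""Toy model of domain trusts, allowed-to-authenticate entries and ACLs.

Everything here is constructed for illustration; names such as "hr" and
"exec\\president" are not taken from any real directory.
"""
from collections import defaultdict

# Incoming trusts: resource domain -> domains whose users it trusts (constructed).
INCOMING_TRUSTS = {"hr": {"exec"}, "exec": set()}

# Group membership: "domain\\group" -> set of "domain\\user" (constructed).
GROUPS = {"exec\\executives": {"exec\\president", "exec\\cfo"}}

# Central repository as the text describes it: one entry per computer system,
# listing the users or groups allowed to authenticate to it (constructed).
ALLOWED_TO_AUTH = {
    "hr\\personnel-server": {"exec\\executives"},
    "hr\\payroll-server": {"exec\\cfo"},
    "hr\\workstation-01": set(),
}

# ACLs: resource -> {user: set of rights} (constructed).
ACLS = {
    "hr\\personnel-server/files/president.txt": {"exec\\president": {"read"}},
    "hr\\personnel-server/files/cfo.txt": {"exec\\president": {"read", "write"}},
}


def domain_of(name):
    """'exec\\president' -> 'exec'."""
    return name.split("\\", 1)[0]


def expand(principals):
    """Resolve group names to member users; plain user names pass through."""
    users = set()
    for p in principals:
        users |= GROUPS.get(p, {p})
    return users


def can_authenticate(user, computer):
    """Step 1: the computer's domain must trust the user's domain, and the
    computer's repository entry must list the user (directly or via a group)."""
    user_dom, comp_dom = domain_of(user), domain_of(computer)
    if user_dom != comp_dom and user_dom not in INCOMING_TRUSTS.get(comp_dom, set()):
        return False
    return user in expand(ALLOWED_TO_AUTH.get(computer, set()))


def request_access(user, resource, right):
    """Step 2: only after authentication is the resource ACL consulted."""
    computer = resource.split("/", 1)[0]
    if not can_authenticate(user, computer):
        return "denied: not allowed to authenticate"
    if right in ACLS.get(resource, {}).get(user, set()):
        return "granted"
    return "denied: ACL"


def computers_for_user_by_scan(user):
    """The slow path: every computer entry in the repository is touched and its
    groups expanded for each user queried."""
    return sorted(c for c, ps in ALLOWED_TO_AUTH.items() if user in expand(ps))


def build_user_index():
    """One pass over the repository yields a per-user view, after which each
    per-user query is a single lookup instead of a full scan."""
    index = defaultdict(set)
    for computer, principals in ALLOWED_TO_AUTH.items():
        for user in expand(principals):
            index[user].add(computer)
    return index


def computers_for_user_by_index(user, index):
    return sorted(index.get(user, set()))


if __name__ == "__main__":
    print(request_access("exec\\president", "hr\\personnel-server/files/president.txt", "write"))
    print(computers_for_user_by_scan("exec\\cfo"))
    idx = build_user_index()
    print({u: sorted(cs) for u, cs in idx.items()})
```

The scan and the index return the same answer; the difference is cost. `computers_for_user_by_scan` does the work the text attributes to the three-day program, re-reading every computer entry and re-expanding every group for each user asked about, whereas `build_user_index` pays that cost once and keeps the result keyed by user, which is the per-user view the passage says administrators lack.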
It would be desirable to have an effective way that would allow an administrator to view and control security information for individual users.