Internet Service Providers (ISPs) and Application Service Providers (ASPs) offer a variety of services through the World Wide Web. As a matter of business practice, access to these services may be controlled to admit only users who meet certain qualifications or who have established themselves as paying customers. In general, controlling access has two aspects—authentication and authorization. Authentication is the process of verifying a user's identity, and is typically satisfied when the user proffers an account identifier such as a “USERID” and password. Authorization is the process of verifying that the user, once properly authenticated, has privilege to access a particular service.
It is important to note that authorization decisions are binary. The binary nature of authorization—a user is either authorized to access a particular service, or not—constrains the service provider's options. Rather than have all authorization decisions be binary decisions, a service provider might prefer instead to authorize a particular user to access a selected service under certain conditions, and yet deny the same user authorization to access the same service when conditions change. For example, a service provider might make authorization to access a particular Internet service dependent upon time of day, granting around-the-clock authorization to access the service only to users who agree to a premium billing rate, and granting other users authorization to access the service only at certain times of the day.
In principle, a condition of authorization such as time-of-day dependence might be imposed by adding a parameter to a user's directory services profile, and checking this parameter before granting authorization to access a selected service. For example, a particular user's directory services profile might show that the user has authorization to access a chat room between 7:00 PM and 8:00 PM. When such a user selected the chat room service, the current time of day would be compared with the conditions of authorization in the user's directory services profile, and authorization to access the chat room would be either granted or denied depending on the outcome of the comparison.
A significant problem arises, however, when a user's authorization to access a service needs to be revoked mid-course through a session rather than denied at the beginning of the session. For example, the user mentioned above would be authorized to access the chat room at 7:25 PM. At 8:00 PM, however, the user's access to the chat room should be revoked or terminated.
Revoking access, however, is easier said than done. When a service provider supports hundreds of thousands of users, considerations of processing efficiency become paramount: with today's technology, it is not practical to periodically poll hundreds of thousands of session objects and variables to maintain globally correct access information and access authorizations.
Thus, there is a need for a way of controlling authorization to access Internet services that empowers service providers to manage session objects efficiently and dynamically, so as to grant, deny, and terminate mid-course the access authorizations of members of large populations of users, without incurring the processing burden of periodically polling a large set of session objects and access-control variables.
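The time-of-day check and the mid-session revocation problem described above, as an added example that is not taken from this document: the grant-time comparison records when the window closes, and a min-heap ordered by that time lets the provider visit only sessions that are actually due instead of polling all of them. The profile layout, the user names, and the `SessionTable` class are assumptions made for illustration, and the heap is one common technique, not a method this document states.

```python
import heapq
from datetime import datetime, time

# Constructed profiles: service -> (start, end) window, or None for
# around-the-clock access. Windows are assumed not to cross midnight.
PROFILES = {
    "alice": {"chat": (time(19, 0), time(20, 0))},  # 7:00 PM to 8:00 PM
    "bob": {"chat": None},                          # premium, no window
}

def authorize(user, service, now):
    """Grant-time check. Returns (granted, expiry); expiry None = no limit."""
    profile = PROFILES.get(user, {})
    if service not in profile:
        return False, None
    window = profile[service]
    if window is None:
        return True, None
    start, end = window
    if start <= now.time() < end:
        return True, datetime.combine(now.date(), end)
    return False, None

class SessionTable:
    def __init__(self):
        self.active = {}     # (user, service) -> expiry or None
        self._expiries = []  # min-heap of (expiry, user, service)

    def open(self, user, service, now):
        granted, expiry = authorize(user, service, now)
        if granted:
            self.active[(user, service)] = expiry
            if expiry is not None:
                heapq.heappush(self._expiries, (expiry, user, service))
        return granted

    def revoke_due(self, now):
        """Terminate sessions whose window has closed, visiting only those."""
        revoked = []
        while self._expiries and self._expiries[0][0] <= now:
            expiry, user, service = heapq.heappop(self._expiries)
            # Skip stale heap entries left by a session that was reopened.
            if self.active.get((user, service)) == expiry:
                del self.active[(user, service)]
                revoked.append((user, service))
        return revoked
```

Each call to `revoke_due` costs time proportional to the number of sessions that have expired, not to the total number of open sessions.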