In networked computer systems, controlling access to various resources is a frequent concern. File servers, databases, websites, applications, and other resources may contain confidential information or data that is not intended to be provided to everyone who can obtain a connection to the information server. Access control refers to the body of software that determines whether any particular requester will be allowed to access any particular resource. In traditional access control, an access control list (ACL) associated with each resource generally contains access control entries (ACEs) that specify each entity that will or will not be allowed access. These entities may be users as specified by an operating system or domain controller, groups of users, other computer systems, and so forth.
In enterprise computer systems, when a user requests to access a resource (such as to read a file held on a file server, or to perform a transaction in a business application), an access control decision function (ACDF) will evaluate whether the user's request is to be permitted or denied based on configured access control information. Typically, this function will rely upon a predefined policy, in which the policy references attributes of the user, of the resource, and/or of the request and environmental conditions that will permit access if met. If no policy is found, or if the policy does not grant access, then the user is unable to access the resource. In cases where the policy is incompletely specified, legitimate business activities may be blocked until the policy owner revises the policy. In cases where an organization has a requirement to restrict access based on numerous request parameters or environmental conditions, the policy may become needlessly complex in order for an automated access control decision function to implement it.
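As an added illustration of the two models described above (not code from the original document), the following Python sketches a minimal access control decision function. The first half evaluates a per-resource ACL made of ACEs, with an explicit deny taking precedence over any allow; the second half evaluates an attribute-based policy whose conditions reference the user's groups, the resource path, the requested action, and an environmental attribute (time of day). The user names, group names, resource paths, policy names, and the business-hours condition are all constructed sample values, and the default when no ACE or policy matches is deny, as the text describes.

```python
"""Added example (not from the original page): a minimal access control
decision function (ACDF) covering both an ACL of ACEs and an attribute-
based policy.  All principals, paths and policies below are constructed
sample values for illustration."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass
class Request:
    user: str
    groups: FrozenSet[str]
    resource: str                      # constructed, e.g. "/finance/q3.xlsx"
    action: str                        # e.g. "read"
    env: Dict[str, object] = field(default_factory=dict)  # e.g. {"time": time(10, 0)}

    def principals(self) -> FrozenSet[str]:
        """The user plus every group the user belongs to."""
        return self.groups | {self.user}


# --- Model 1: an ACL of ACEs attached to a resource -----------------------

@dataclass(frozen=True)
class ACE:
    principal: str             # user or group name
    effect: str                # "allow" or "deny"
    actions: FrozenSet[str]


def acl_decide(acl: List[ACE], req: Request) -> Tuple[str, str]:
    """Explicit deny wins over allow; no matching ACE means deny."""
    matching = [e for e in acl
                if e.principal in req.principals() and req.action in e.actions]
    if any(e.effect == "deny" for e in matching):
        return ("deny", "explicit deny ACE")
    if any(e.effect == "allow" for e in matching):
        return ("permit", "allow ACE")
    return ("deny", "no matching ACE")


# --- Model 2: an attribute-based policy ------------------------------------

@dataclass
class Policy:
    name: str
    resource_prefix: str
    actions: FrozenSet[str]
    allowed_groups: FrozenSet[str]
    # Environmental / request conditions that must all hold for a grant.
    conditions: List[Callable[[Request], bool]] = field(default_factory=list)

    def applies_to(self, req: Request) -> bool:
        return req.resource.startswith(self.resource_prefix) and req.action in self.actions

    def grants(self, req: Request) -> bool:
        return bool(req.groups & self.allowed_groups) and all(c(req) for c in self.conditions)


def policy_decide(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Deny when no policy applies, and deny when an applicable policy's
    conditions are not met; permit only on an explicit grant."""
    applicable = [p for p in policies if p.applies_to(req)]
    if not applicable:
        return ("deny", "no applicable policy")
    for p in applicable:
        if p.grants(req):
            return ("permit", p.name)
    return ("deny", "policy conditions not met")


def business_hours(req: Request) -> bool:
    """Constructed environmental condition: request time within 08:00-18:00."""
    t = req.env.get("time")
    return t is not None and time(8, 0) <= t <= time(18, 0)


# Constructed sample ACL and policy set.
SAMPLE_ACL = [
    ACE("contractors", "deny", frozenset({"read", "write"})),
    ACE("finance", "allow", frozenset({"read"})),
]
SAMPLE_POLICIES = [
    Policy("finance-read-business-hours", "/finance/", frozenset({"read"}),
           frozenset({"finance"}), [business_hours]),
]


if __name__ == "__main__":
    r = Request("alice", frozenset({"finance"}), "/finance/q3.xlsx", "read",
                {"time": time(10, 0)})
    print("ACL:   ", acl_decide(SAMPLE_ACL, r))
    print("Policy:", policy_decide(SAMPLE_POLICIES, r))
```

In both models the decision function returns a reason alongside the verdict; logging that reason is what lets a resource owner later see why a legitimate request was blocked, which is the situation the following paragraph discusses.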
Some systems, such as MICROSOFT™ SHAREPOINT™, have an option for the requestor to send an email to the resource owner at the point when access is denied. If the resource owner agrees with the contents of the email, then the resource owner may change the policy so as to make a one-time grant of access to the requesting user. However, this may introduce unknown delay for the requesting user, who does not know when the resource owner may next read email or how long it will take the resource owner to decide. If the resource owner is currently away from email for an extended period (e.g., on vacation or leave), then the requesting user has no recourse at this point and may not even be aware that no one is actually reviewing the request. This model of communication is no longer aligned with today's expectations for working, in which employees may be assumed to be online most of the time, carrying one or more mobile devices with them.