The present invention relates generally to the useful art of computer software programming and more specifically to software relating to computer networks.
Computer networks are established for, among other reasons, organizing and controlling access to the network's system resources. These networks are typically set up by an administrator and provide access to a defined number of users. However, since these users often have different needs concerning use of the network, administrators usually define network access policies to customize a user's ability to selectively access certain system resources. Such customization also helps to ensure a more secure and efficient network. To implement this customization, the administrator grants and restricts access to certain system resources by applying network access policy rules to a user's network account. Thus, when a user logs into the network, these rules are applied and the user's ability to access system resources is limited accordingly. A plurality of these rules is typically stored in a knowledge base connected to the network.
While different rules are often applied to different users individually, it is also advantageous to create user groups having defined network access rules. For example, a network used in a corporation may have groups such as “Marketing,” “Accounting,” and “Information Technology (IT)” into which a user may fall. The Marketing group would then have, for example, rules granting its users access to the marketing server, but also rules limiting access to unnecessary servers (e.g., the accounting server). Users in groups such as IT likely need access to a much broader array of system resources to troubleshoot IT issues. Thus, depending on a user's needs, different network access rules are associated with each user.
In another example, consider the system resource of network bandwidth. To regulate access to network bandwidth, a limit can be placed on a user's download speed, thus reducing the amount of bandwidth utilized by that user at any given time. For example, a network access rule could limit download speed to 200 Mbps for one user (or user group), but only 10 Mbps for another user (or user group).
However, a problem exists when two conflicting rules are applied to the same user. Consider the above example with a user who falls into both Group A (which limits download speed to 200 Mbps) and Group B (which limits download speed to 10 Mbps). In such instances, the conflict is resolved in one of two ways. Either the first rule to be applied takes priority and is controlling, thereafter ignoring all other conflicting rules, or each rule is applied in order, thereby continually overwriting the last applied rule. Effectively, the latter situation results in the last rule being applied as the one that controls.
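The two conflict-resolution behaviours described above (first rule controls, or last rule controls) as an added Python example that is not part of this patent text; the rule store, group names and the `apply_rules` function are assumptions, and the knowledge base values are constructed to match the 200 Mbps / 10 Mbps example. The function also records every conflict it encounters, which is what an administrator needs in order to notice that the effective limit depends only on group ordering.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One network access policy rule: which group it belongs to,
    which system resource it governs and the limit it imposes."""
    group: str
    resource: str
    value: int


# Constructed knowledge base (hypothetical): group name -> rules for that group.
KNOWLEDGE_BASE: Dict[str, List[Rule]] = {
    "Group A": [Rule("Group A", "download_mbps", 200)],
    "Group B": [Rule("Group B", "download_mbps", 10)],
}

Conflict = Tuple[str, Rule, Rule]  # (resource, rule kept, rule discarded)


def apply_rules(groups: List[str], mode: str) -> Tuple[Dict[str, Rule], List[Conflict]]:
    """Apply the rules of the user's groups in the order the groups are listed.

    mode "first": the first rule seen for a resource controls; later
                  conflicting rules are ignored.
    mode "last":  each rule is applied in turn, so the last rule seen for a
                  resource overwrites the earlier ones and controls.
    Returns the effective rule per resource plus every conflict encountered.
    """
    if mode not in ("first", "last"):
        raise ValueError(f"unknown conflict-resolution mode {mode!r}")
    effective: Dict[str, Rule] = {}
    conflicts: List[Conflict] = []
    for group in groups:
        for rule in KNOWLEDGE_BASE.get(group, []):
            current = effective.get(rule.resource)
            if current is None:
                effective[rule.resource] = rule
            elif current.value != rule.value:  # two rules disagree on one resource
                if mode == "first":
                    conflicts.append((rule.resource, current, rule))
                else:
                    conflicts.append((rule.resource, rule, current))
                    effective[rule.resource] = rule
    return effective, conflicts


def effective_download_mbps(groups: List[str], mode: str) -> int:
    """Convenience wrapper: the download limit a user in `groups` ends up with."""
    effective, _ = apply_rules(groups, mode)
    return effective["download_mbps"].value
```

Running the same user through both modes, or simply swapping the order of Group A and Group B, flips the effective limit between 200 Mbps and 10 Mbps, while the conflict list exposes the rule that was silently ignored or overwritten.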