The invention relates to computer systems, and more particularly, to a method and mechanism for managing and accessing attribute information for users and applications in a distributed computing environment, such as a distributed database environment.
In a distributed computing environment, it is often advantageous to centralize the management of attribute information for users and applications. One approach for centrally managing user information is to maintain this information in a central directory information system (e.g., an LDAP directory). An exemplary system for managing user information using a directory information system is described in U.S. application Ser. No. 10/084,880, filed on Feb. 27, 2002, which is hereby incorporated by reference in its entirety as if fully set forth herein.
When a user connects to a computing system, e.g., a database system, it is often desirable to set up the user's context during initialization based upon the user's identity. One approach to setting up the user's context involves creating a program to manually extract the needed user information from a repository for each user that connects to the system. This manual process is often time-consuming, tedious, and prone to errors. In addition, since each application may need to set up application specific attributes in a non-uniform manner and may access different repositories, the program code may be nonstandard and not reusable; thus, the program may have to be rewritten for each different application. Moreover, this approach presents possible security risks since each user/application that executes the program must be given sufficient authorizations/privileges to access the central repository. This is particularly troubling if any administrators or locations that grant this “trusted status” to a user/application have lower security precautions in place than at other locations.
Accordingly, the present invention provides an improved method and system for centrally managing and accessing attribute information in a distributed computing system. In one embodiment of the invention, applications set up application specific user attributes in an LDAP enabled directory. When an application user connects to a database server, the server automatically accesses the directory to identify the relevant user attributes for that application. These user attributes are stored in the session context. In one embodiment, standard LDAP attributes are also retrieved from the directory and stored in the session context. In one embodiment, the standard LDAP interface can be used to interface with the repository. Because the database server performs the necessary extraction from the repository, security is preserved since only the trusted database performs the actual access of information from the directory. Further details of aspects, objects, and advantages of the invention are described below in the detailed description, drawings, and claims.