As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Information handling systems often interact with each other and with peripherals through networks, such as Ethernet-based wire line networks or 802.11-based wireless networks. Businesses have found that networking information handling systems improves productivity by better managing information for the coordinated activities of employees. Often, business networks become quite large, supporting a substantial number of users across multiple servers and multiple locations. Typically, different users are provided with varying levels of access to various network resources, such as devices or applications, by defining specific privileges associated with each user. For instance, privileges define information approved for access by a user, such as sensitive business information having access limited to executives, officers or directors of the business, or sensitive personal information having access limited to human resources personnel. As another example, privileges define actions approved for access by a user, such as approval to set and alter system configurations limited to information technology administration. Often varying groups of employees are assigned varying privileges so that a given network user may belong to several groups with each group having one or more associated privileges. Such groups of employees having a particular level a privileges for a particular network resource, such as a device or application, may be identified by various labels, such as “administrators,” “power users,” and “guests,” for example.
One difficulty with having varying levels of privileges that govern access to a network is managing the users or groups of users associated with each privilege. Typically, user privileges are tracked in a network privilege directory (or directory services) database, such as the ACTIVE DIRECTORY database from MICROSOFT. A user who seeks to access a privilege through a network has the access confirmed through user privilege data stored in the network privilege directory. However, local configuration of user privileges presents a substantial network management challenge of keeping up with employees who join and leave a business and tends to detract from the convenience of a common directory database for controlling user accesses. In particular, defining cross-domain user groups is difficult, often requiring re-creation of user groups in each domain, a costly and time-consuming process. An alternative is to define universal groups that work across domains, however, defining and maintaining universal groups of users for more centralized management of network accesses also faces difficulties. For instance, universal groups replicated to an ACTIVE DIRECTORY Global Catalog causes bloat and requires that any changes to user access privileges be replicated to the global catalog before becoming effective, presenting security problems until replication is complete. For this and other reasons, information technology administrators tend to avoid using universal groups.
Another difficulty with having varying levels of privileges that govern access to network resources is managing such user privileges for large numbers of network resources, such as devices or applications. For example, when multiple instances of a particular software application are added to a network, a network administrator may be required to add each individual instance of the software application into an authentication/authorization schema such that each software instance is tied to an association object that ties that software instance to particular users and the appropriate privileges assigned to each user regarding that software instance. This process may be time consuming, expensive, and otherwise difficult to manage.