1. Field of the Invention
This invention relates to distributed computer systems and, more particularly, to condition-defining data such as that used to control access to entries in a directory.
2. Description of the Related Art
In certain fields of technology, computer systems such as web networks include equipment and software of diverse types and from different manufacturers. This is true at both the hardware and the software level.
It is desirable that network users (“client components”) be able to access, upon query, a large amount of data (“application software components”), making it possible for the network users to create their own dynamic web site or to consult a dynamic web site such as an e-commerce site on a multi-platform computer system (e.g., Solaris, Windows NT, AIX, HPUX). These queries are directed to a directory (e.g., an LDAP (Lightweight Directory Access Protocol) directory) and managed by a directory server. It is further desirable that this access be made possible rapidly for each query arriving after a first query.
Directories often have access control mechanisms to restrict access to certain portions of the directory. For example, some access control mechanisms may be designed so that regular users only have access to the information they need to know while other users (e.g., administrators) have access to larger segments (or all) of the directory. However, the access control mechanisms may have to be duplicated a large number of times within a given directory structure (e.g., for each node in the directory). This may impose an additional load in many respects, including storage capacity and the usual trade-off in memory between data storage and program execution, in connection with the time needed for execution.
Thus, in a directory, one needs a way to control access to directory entries, entry attributes, and the values of those attributes. In existing systems (e.g., the X.500 scheme), the values of attributes are protected using a ‘list of values’ scheme. A ‘list of values’ scheme may present certain problems, such as an impractical and verbose definition of the protected attribute values in certain situations (e.g., where a range of attribute values is to be protected).