In a computer network where a variety of data, services and other logical objects are made available to a user population, security controls must be provided to regulate access. These controls balance protection of these objects against flexibility and ease of use for administrators and end users. Users may also wish to limit the amount of identifying information that they must provide in order to gain access, so that the quantity of their personal information transmitted over the network is minimized.
For an administrator, it is desirable that the security policies to be enforced be selectable either by type of object or for each object individually. Where necessary, different levels of security should be available, and easily configurable, to match a wide range of needs. Redundant information and duplicate effort should be minimized.
For an end user, it should be easy to gain access to a secured object and the experience of gaining access should be uniform across all objects. Where multiple methods are available, the user should be presented with a choice of which to use.
For all users, the methods used to control access should reflect the real world. Where the user is a member of a work group with similar needs, that group should be available to identify those users and their access rights. Where similar groups are applicable across a variety of objects, all of those objects should be able to reference the same logical group and see membership changes at substantially the same time. Further, access control should not be limited to a single concept such as groups. Existing and new concepts and rules used by one service or application should be available for use with other protected objects.