Computer systems often are used to manage and process business data. To do so, a business enterprise may use various application programs running on one or more computer systems. Application programs may be used to process business transactions, such as taking and fulfilling customer orders, providing supply chain and inventory management, performing human resource management functions, and performing financial management functions. Application programs also may be used for analyzing data, including analyzing data obtained through transaction processing systems. A business enterprise often may have a large volume of data and a large number of users who access data to process business transactions or to analyze data.
It may not be desirable for all users of a computer system to have access to all data in a computer system. This may be particularly true when a computer system has a large number of users, a large volume of data, or both a large number of users and a large volume of data. This also may be particularly true when a computer system is accessible to users or other computer systems over a private or public network.
One approach to preventing access to some portions of data by some users while permitting access to the portions of data by other users is to assign to particular users access privileges to particular portions of data. An access control list may be used to identify the particular users that are permitted access to particular portions of data. Creating and updating an access control list so that the access control list accurately provides access to the appropriate portions of data to the appropriate users may be a burdensome and time-consuming process. One approach to reducing the burden of managing access control information is to use an access control list that provides users access to particular portions of data based on a user attribute that is shared by many users (rather basing access on a user identifier that is unique to each user).