1. Field of the Invention
The present invention relates generally to data processing systems and in particular to user and resource authorization in a computer network. Still more particularly, the present invention relates to a method, apparatus, and computer program product for selectively and programmatically provisioning resources in a computer network.
2. Description of the Related Art
Modern computer networks are large, complex, and contain a mix of hardware, software, operating systems, configurations, and vendors. It is useful to be able to control user access to network resources, such as the various hardware and software components of the network.
Typically, access to network resources is managed using role-based authorization mappings, in which a user's role in an organization determines which network resources the user may access. Network resources may be hardware, such as computers and printers, connected to the computer network. Network resources may also be software, such as application programs, installed on computers or servers connected to the network.
Role-based authorization mappings are used to authorize the user to access specific network resources, based on each user's role. In a role-based authorization mapping, different roles are defined, and each role is mapped to the set of network resources that the role is authorized to access. The process of authorizing a user to access network resources is called provisioning.
Computer networks are dynamic in nature. After a computer network is initially provisioned, new network resources may be added, and existing network resources may be removed. The dynamic nature of computer networks requires that the network administrator keep track of changes to the available network resources and make appropriate changes to the provisioning. For example, when a new resource is added to a network, the network administrator provisions the new resource so that specific users can access the resource. However, changes to the resources in a network typically require that the network administrator manually provision each new resource, which is tedious and time-consuming.
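The role-to-resource mapping and the manual bookkeeping described above can be sketched as follows. This is an added illustration, not code from the patent; the class, function, role, user, and resource names are all hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class RoleMapping:
    role_resources: dict  # role name -> set of resource names the role may access
    user_roles: dict      # user name -> set of role names held by the user

    def is_authorized(self, user, resource):
        """A user may access a resource only if one of the user's roles maps to it."""
        return any(resource in self.role_resources.get(role, set())
                   for role in self.user_roles.get(user, set()))

    def provision(self, role, resource):
        """The manual step: the administrator maps a resource to a role."""
        self.role_resources.setdefault(role, set()).add(resource)

def audit_drift(mapping, inventory):
    """Compare the mapping against the current resource inventory.

    Returns (unprovisioned, stale):
      unprovisioned: resources on the network that no role maps to
      stale: {role: resources} still mapped although removed from the network
    """
    mapped = set().union(*mapping.role_resources.values())
    unprovisioned = sorted(inventory - mapped)
    stale = {role: sorted(res - inventory)
             for role, res in mapping.role_resources.items() if res - inventory}
    return unprovisioned, stale

def sample_mapping():
    """Constructed sample data: two roles, two users, three resources."""
    return RoleMapping(
        role_resources={"engineer": {"build-server", "printer-2f"},
                        "accountant": {"ledger-app", "printer-2f"}},
        user_roles={"alice": {"engineer"}, "bob": {"accountant"}},
    )

if __name__ == "__main__":
    m = sample_mapping()
    # The network changed after initial provisioning:
    # printer-2f was removed and wiki-app was added.
    inventory = {"build-server", "ledger-app", "wiki-app"}
    print(audit_drift(m, inventory))
    m.provision("engineer", "wiki-app")  # administrator provisions by hand
    print(m.is_authorized("alice", "wiki-app"))
```

Until the administrator calls `provision`, the new resource is inaccessible to every role, and the removed printer remains in both roles' mappings as a stale entry.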