As computer systems become more sophisticated and interconnected, and as they are increasingly integrated with other non-computer devices, there is a greater need to define a user's permitted access to particular services and resources.
For example, the growth of Internet-based distribution and e-commerce has spurred both large and small companies to seek new ways to share information with customers and trading partners. Computer systems designed to permit connectivity must also include security features to prevent access to the systems by users who are not authorized to have such access.
Prior-art techniques available for securing computer networks include firewalls and extranet security products (Web-specific security products).
Firewalls are hardware and software barriers installed between an internal network and the Internet. While a firewall gives a network a strong external barrier, a firewall used without other security measures leaves the network exposed once the firewall itself has been breached, since nothing behind it distinguishes one user from another. In addition, firewalls typically filter on network addresses and ports rather than on individual identities, so they do not provide a fine-grained level of security and therefore cannot give different individual users access to different sets of specific resources.
A solution to this problem of differential access is the implementation of extranets to provide fine-grained security for business-to-business relationships over the Internet. Extranets are designed to include differing security policies for partners, suppliers and customers. In theory, this should make the extranet solution more flexible than the traditional firewall.
However, extranets are typically limited to providing security for Web-server-based resources on a network and are often available only to users accessing the network from the Internet. Since most networks contain more services and resources than just Web servers, it is advantageous to provide a solution that permits secure access to additional resources, such as SQL databases, file archives and software archives, by both internal and external users. Computers may also be used in conjunction with magnetic card readers and biometric readers to control access to non-computer resources such as parking garages and photocopiers. In such a computer system, controlling access to non-computer resources is analogous to controlling access to resources provided within the computer system itself.
As computers are tied together using local and wide area networks and over the Internet, the potentially large number of different services and resources available to a potentially large number of users makes it difficult to provide for the simple definition and presentation of the access rules for those users, services and resources. Prior-art systems permit the definition of security policies for given specific resources and services. Such systems do not, however, provide a simple mechanism for defining and reviewing the security policies. In such prior-art systems, the security policies for resources in the system are defined on a one-by-one basis, so the number of entries to maintain grows with the product of the number of users and the number of resources. Such an approach becomes cumbersome and inefficient when setting the security policies for large numbers of users, services or resources.
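The following is an added illustration of the scaling problem described above; it is not the method of this disclosure or of any prior-art product named here. It models users as members of groups and resources (computer and non-computer alike) as members of classes, evaluates access with a default-deny rule set defined at the group/class level, and then expands that rule set into the per-user, per-resource entries that a one-by-one definition would have to maintain. All users, resources, groups, classes and rules are constructed sample data.

```python
"""Group/class access rules versus one-by-one entries (constructed example)."""

from dataclasses import dataclass
from itertools import product

# Constructed sample data: each user belongs to one or more groups.
USERS = {
    "alice": {"employee", "engineering"},
    "bob": {"employee", "finance"},
    "carol": {"partner"},
    "dave": {"customer"},
}

# Constructed sample data: each resource belongs to one or more classes.
# A parking garage or photocopier behind a card reader is handled exactly
# like a SQL database or a file archive.
RESOURCES = {
    "sql-orders": {"database", "internal"},
    "file-archive": {"archive", "internal"},
    "sw-archive": {"archive", "partner-visible"},
    "web-catalog": {"web", "public"},
    "parking-garage": {"facility", "internal"},
    "photocopier": {"facility", "internal"},
}


@dataclass(frozen=True)
class Rule:
    subject_group: str     # a group the user must belong to
    resource_class: str    # a class the resource must belong to
    actions: frozenset     # actions permitted when both match


# Five rules defined at the group/class level (constructed policy).
GROUP_RULES = [
    Rule("employee", "internal", frozenset({"read", "use"})),
    Rule("engineering", "database", frozenset({"read", "write"})),
    Rule("partner", "partner-visible", frozenset({"read"})),
    Rule("customer", "public", frozenset({"read"})),
    Rule("employee", "public", frozenset({"read"})),
]


def is_permitted(user, resource, action, rules=GROUP_RULES):
    """Default deny: permit only if some rule matches one of the user's groups,
    one of the resource's classes, and lists the requested action.
    Unknown users or resources match nothing and are therefore denied."""
    groups = USERS.get(user, set())
    classes = RESOURCES.get(resource, set())
    return any(
        r.subject_group in groups
        and r.resource_class in classes
        and action in r.actions
        for r in rules
    )


def expand_to_per_resource_acl(rules=GROUP_RULES):
    """Expand the group/class rules into the (user, resource, action) entries
    that a one-by-one, per-resource policy definition would have to hold.
    The count of these entries is what an administrator would otherwise edit by hand."""
    entries = set()
    for user, resource in product(USERS, RESOURCES):
        for r in rules:
            if r.subject_group in USERS[user] and r.resource_class in RESOURCES[resource]:
                for action in r.actions:
                    entries.add((user, resource, action))
    return entries


def policy_matrix(action):
    """Review view: for one action, which resources each user may reach.
    This is the kind of tabular presentation that per-resource definitions make hard to produce."""
    return {
        user: sorted(res for res in RESOURCES if is_permitted(user, res, action))
        for user in USERS
    }


if __name__ == "__main__":
    print(f"{len(GROUP_RULES)} group/class rules expand to "
          f"{len(expand_to_per_resource_acl())} per-user, per-resource entries")
    for user, resources in policy_matrix("read").items():
        print(f"{user:6} may read: {', '.join(resources) or '(nothing)'}")
```

Here five group-level rules stand in for twenty-one individual entries, and adding a new employee or a new internal facility requires touching the membership sets rather than the rule list. The expansion function is also a useful audit step in practice: diffing its output before and after a rule change shows exactly which concrete grants were added or removed.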
It is therefore desirable to have a security service for a wide variety of resources and services available on a defined computer network, one that includes the scalability and flexibility necessary to support different network configurations, resources and security requirements. It is likewise desirable to have a security service that permits the access rules for the different users, resources and services to be clearly shown, simply defined and modified through an appropriate user interface.