Technological advances in microelectronics, digital computers, and software have resulted in a proliferation of computer networks. In such networks, computers telecommunicate between each other and share information, applications and/or services. One type of computer network employs a client/server architecture, wherein the portions of network applications that interact with human users are typically separated from the portions of network applications that process requests and information. Often, the portions of an application that interact with users or access network resources are called client applications or client software, and the portions of an application that process requests and information are called server applications or server software.
One mechanism to maintain and access information across a network of computers is a distributed directory, such as Novell Directory Services, which is based on the X.500 network services protocol developed and published by the CCIT and Open Systems Interconnection Consortium. Usually, a distributed directory spans and is shared by multiple networking servers. Information on the distributed directory can be created, read, modified, and shared by network clients who have applicable access rights across the plurality of servers.
The distributed directory contains a collection of objects, sometimes referred to as identities, with associated attributes or properties. For example, an object named "Computer" may have associated properties such as "Owner", "Operator", "Status", etc. Each associated attribute has a value. For example, the value for the property "Owner"might be "George.ACME". Often, objects in the distributed directory and their names represent things that humans relate to when dealing with computers. For instance, some typical objects might represent users, printers, print queues, files, resources, computers, and the like. In addition, objects can represent non-computer related things such as countries, companies, organizations, departments, buildings, and the like. Furthermore, objects can be organizational in nature to group other objects together. As one with ordinary skill in the art will readily appreciate, objects can represent virtually anything, whether imaginary or real, and are not limited to the context of a distributed directory.
Typically, the objects within a distributed directory are viewed by a user in a hierarchial structure, generally in the form of a tree, where the branches and leaves represent objects. The distributed directory can additionally be organized in partitions, with each partition comprising a plurality of objects organized as a subtree. Multiple replicas of the partitions are stored across the network, wherein each insular server holds a unique set of partitions and therefore a unique set of objects within that insular machine. Throughout the network, however, the overall hierarchy of the distributed directory is preserved.
Access to network resources and objects can be regulated to preserve security. This is particularly desirable as networks become larger and hold more important information. Three examples of network security include physical security, login security, and directory security. Each of these examples of security regulate access to a network and its resources, and can be used independently or in conjunction with one another, or with other forms of security. As the name implies, physical security refers to limiting physical access to a given network resource. For instance, servers in a client/server network are often maintained in a locked room with limited access. As a further example of physical security, a file server console or a workstation can be locked requiring a password or key to access or utilize the server or workstation, respectively.
Login security can vary greatly from one computer system to the next. One form of login security comprises a login phase and an authentication phase. The login phase typically involves prompting a source (such as a user, a program, a resource, etc.) which is attempting to enter the system for a name and a password. After successfully proving knowledge of the password, the source receives an encrypted private key from a server. Next, a credential is used in conjunction with the private key to generate a signature. In the authentication phase, the public key of the server is read by the source. The signature and credential generated during the login phase is used to create a proof which is sent to the server. The proof is verified by the server through a computation using the source's public key stored in the source's object. If the proof is correct, then authentication is successful and the source is allowed access to the system. After successfully completing the authentication phase, the source has "logged in"the system and is represented by an object identity on the distributed directory. The login phase is typically performed only once. However, if, for example, a connection needs to be made to other network servers, the authentication phase can be repeated through a process known as background authentication. This involves subsequent verification by servers using the proof and the public key without additional intervention by the source.
Directory security is usually used in conjunction with login security, where directory security is not used unless login security has been first verified. While directory security can vary greatly, it generally comprises two parts: file system security and object security. File system security provides access control to files and directories, and basically involves assigning trustee rights and file/directory attributes. Trustee rights assignments can be granted to any object in the distributed directory including container objects, user objects, group objects, and organization roles. Examples of such rights include access control, supervisor, read, write, create, erase, modify, and file scan. In contrast, file/directory attributes control what actions can or cannot be taken on a file or directory. For example, certain files could be flagged as "read only" and "shareable" to prevent any unintentional or intentional deletions of such files or directories.
On the other hand, object security provides access control to directory objects and associated operations. Object security generally includes object rights, property rights, and access control lists ("ACL's"). Object rights are granted to a particular object to access or manage another object. Examples of such rights include supervisor, browse, create, delete, and rename. In contrast, property rights enable a trustee to view or change the values of a particular object's properties. A trustee could have rights to certain properties or to all properties of a particular object. For example, the supervisor property right over an object grants supervisor privileges for all properties in that object. All other rights assignments made at the object level, however, are not affected by the property rights. In fact, supervisor rights at the property level do not grant supervisor rights at the object level. Only the reverse is true. The ACL is a special property of every object, which contains trustee assignments for an object and its properties. Typically, an ACL is a tabulated property containing three entries: the trustee ID, the type of access (i.e. object or property), and the actual rights assignment. A user object, for example, with the write right to the ACL of another user object has what is known as "managed rights" over the user object. This means that an object with the write right of an object ACL can make any rights assignments to that object.
A principle known as "least privilege" teaches that a source should have no more rights than is needed. By following this principle, accidental or malicious injury to a secured system can be reduced. However, in certain circumstances it is desirable for a source to have extra rights or to borrow the rights of an object, thereby acting as a proxy of that object. However, existing computer systems and distributed directories do not provide for a source to act as a proxy for such objects.