Security levels are used to limit access to resources, such as applications, objects, and files, on a computer. The security levels for resources are assigned as a function of a computer's file system. Each resource requires a certain security level to be accessed, viewed, or updated. Examples of the security levels, ordered from highest to lowest, are root/admin, super user, user, and guest. Thus, a database table may require “user” level access to read the contents, “super user” to change a table entry, and “admin” to delete the table. A user with a “guest” access level would not be able to even read the table. Assignment of security levels to resources and limiting user access to restricted resources is well known in the art.
Each server, computer, or logical partition on a network has its own file system. Because resources are distributed across different file systems, a “resource manager” is used to create a hierarchy categorizing the files, applications and other objects on the network. An “authorization engine” is part of the resource manager that controls access to each resource. The authorization engine uses the file system security levels for each component of the network. Because of the differences in security protocols between file systems, users of a resource on one file system on the network may have difficulty accessing another resource on another file system on the network.
Middleware is software designed to facilitate interoperability between different file systems on a network. IBM's WEBSPHERE Virtual Member Manager is an example of middleware. WEBSPHERE Virtual Member Manager and other middleware products use “access control engines” to overcome problems caused by different security protocols used by different file systems on the same network. An access control engine insulates applications from a resource manager by separating the authorization engine from the rest of the resource manager. The access control engine can, for example, supply a security proxy granting a user or an object access to another resource.
IBM developed a View Processor plug-in to WEBSPHERE Virtual Member Manager for displaying multiple views on the same set of organizational data. The View Processor works with WEBSPHERE Virtual Member Manager components, including the access control engine. The View Processor collects organizational data from repositories on each file system, then displays the organizational data in a uniform manner. The View Processor transforms the organizational data related to resources on a file system into a “delegated administration hierarchy.” Each resource on a delegated administration hierarchy can be represented by a delegated administration path, which describes the resource's physical or logical location in the delegated administration hierarchy. The View Processor allows network users or administrators to define custom organizational hierarchies that transcend the physical or logical locations on a file system. Custom organizational hierarchies allow resources to be categorized by how the resources interrelate, independently of how or where the resources are stored on the network. Custom organizational hierarchies can organize resources by a business functional role or by a corporate reporting structure. For example, the Human Resources group of a company may need to access payroll data on a first server with an LDAP file system and may need to access time keeping data on a second server with a different file system. A custom Human Resources hierarchy can be set up that shows both the payroll and time keeping resources within the same organizational structure. A second example of a custom organizational hierarchy could display a reporting view of an organization where the reporting hierarchy consists of managers and their employees.
Although access control engines overcome some of the limitations caused by native file system security protocols, access control engines are still limited by the defined organizational hierarchies of the underlying file systems. The access control engine must work within these predefined frameworks when assigning security proxies for granting access to resources on different file systems on a network. A need exists for a method to transform predefined organizational hierarchies of underlying file systems into a uniform custom organizational hierarchy, and to apply the security protocols of the predefined underlying organizational hierarchy to the custom organizational hierarchy for use by an access control engine.
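The following added Python model (not code from the patent or from WEBSPHERE Virtual Member Manager) illustrates the two ideas above together: the ordered security levels and per-operation requirements of the database-table example, and a custom Human Resources hierarchy whose paths resolve to resources on two different file systems while each resource's native requirement is still enforced. The backend labels, native paths, and the assumption that both file systems express requirements with the same ordered level names are constructed simplifications.

```python
from dataclasses import dataclass, field

# Security levels ordered from lowest to highest, as listed on the page.
LEVELS = ["guest", "user", "super user", "admin"]

def rank(level):
    """Position of a level in the ordering; unknown levels raise ValueError."""
    return LEVELS.index(level)

@dataclass
class Resource:
    """A resource as stored in one file system: its native location and the
    minimum level its file system requires for each operation."""
    file_system: str      # constructed backend label, e.g. "ldap-server-1"
    native_path: str      # delegated administration path in that file system
    required: dict        # operation -> minimum security level

@dataclass
class CustomHierarchy:
    """A custom organizational hierarchy mapping custom paths to resources
    that may live on different file systems."""
    name: str
    nodes: dict = field(default_factory=dict)

    def add(self, custom_path, resource):
        self.nodes[custom_path] = resource

def check_access(hierarchy, custom_path, user_level, operation):
    """Resolve a custom path to its underlying resource and enforce that
    resource's native requirement. Unknown paths or operations are denied."""
    resource = hierarchy.nodes.get(custom_path)
    if resource is None:
        return False
    needed = resource.required.get(operation)
    if needed is None:
        return False
    return rank(user_level) >= rank(needed)

def build_hr_hierarchy():
    """Constructed sample: the Human Resources view spanning two servers."""
    table_rules = {"read": "user", "update": "super user", "delete": "admin"}
    payroll = Resource("ldap-server-1", "ou=payroll,dc=example", table_rules)
    timekeeping = Resource("file-server-2", "/data/timekeeping", table_rules)
    hr = CustomHierarchy("Human Resources")
    hr.add("/HR/payroll", payroll)
    hr.add("/HR/timekeeping", timekeeping)
    return hr
```

The custom path only changes how the resource is located; the decision is always made against the requirement the underlying file system assigned.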