Computer systems are well known in the art and have attained widespread use for providing computer power to many segments of today's modern society. Computer systems such as personal computers (PCs) and servers may typically include a system unit having a central processing unit (CPU) and associated volatile and non-volatile memory, including random access memory (RAM) and basic input/output system read only memory (BIOS ROM), a system monitor, a CD-ROM or DVD-ROM drive, a data storage device (often a non-removable disk drive, also known as a “hard drive”), user input devices, and a network interface adapter. Computers systems typically include software such as computer programs in addition to the hardware. As advances in semiconductor processing and computer architecture continue to push the performance of computer hardware higher, more sophisticated computer software has evolved to take advantage of the higher performance of the hardware, resulting in computer systems that continue to increase in complexity and power.
Computer systems have thus evolved into extremely sophisticated devices that may be found in many different settings. Many organizations utilize server computer systems for more complicated tasks such as providing e-commerce websites, providing complex multi-user applications, maintaining large databases, or performing other resource-intensive tasks. Organizations with significant computing needs often have many servers performing a wide variety of tasks with the servers communicating with each other via a network such as a local area network (LAN). In these systems, individual users may interact with the servers to access various system resources, such as applications, databases, or other resources, so that the systems resources may be shared by multiple users.
Maintaining information security in a complex computing system is an increasingly complex task as more users and/or resources are added to a system, particularly when those resources are shared by multiple users. Information security provides the ability to restrict access to information or other resources to only those users who should have access to that resource. Modern information security systems often attempt to provide information security by combination of authentication or identity management (i.e., only providing access to the system to the appropriate users) and/or authorization (i.e., only providing access to information to authenticated users who are authorized for that particular information).
Currently, one of the more robust models for developing access controls to implement an authorization scheme is the role based access control (RBAC) model. In the RBAC model, users are assigned sets of zero or more roles which are each defined as zero or more permissions. A permission within the RBAC model consists of an object and an operation that may be performed on, in or with the object. The use of an RBAC model has proven to be effective in managing user privileges within a single system or application. More complicated systems with multiple applications or other more heterogeneous aspects, however, result in development of the RBAC model becoming more unwieldy and requiring significantly more time and effort to create.
The RBAC model has proven less effective for larger, complicated computer systems because defining particular roles—and their permissions—can be labor intensive and difficult. In large organizations, for example, determining roles and defining permissions can be very problematic. Most organizations do not have any individual or group that can clearly and adequately define even their own member roles, much less those of other individuals or groups. Under the current state of the art, role definition typically begins with a complex interview process and is followed by patient, tedious review of large tables of data to determine which permissions should be assigned to each role. In a hierarchical RBAC (HRBAC) where roles inherit permissions of their parents, the project becomes even more daunting as relationships between these roles must be carefully examined for their relationship. These problems can be exacerbated with dynamic organizations as changes to the organizational structure or responsibilities can result in inaccuracies in the RBAC model and thus necessitate additional model revisions. Accordingly, the creation of an HRBAC model of roles and relationships becomes a time-consuming and inefficient process using existing methodologies.