1. Field of the Invention
The present invention relates to the field of access control and rights management for electronic content and more particularly to access control and entitlement determination for hierarchically organized content.
2. Description of the Related Art
Content drives the utility of a computer program. No matter the nature of the computer program, generally, a computer program accesses content, manipulates content, presents content and stores content. Much attention during the development of a computer program focuses on the efficient storage of content. With the advent of vast multi-user computing applications distributed over the global Internet, however, substantially greater attention has been placed recently on access control to content accessible by multiple different end users.
Access control refers to the restriction of access to content based upon a number of factors that may include the nature of the content sought for access, the identity of the user seeking access to the content, or the role of the user seeking access to the content. Early attempts at access control embedded the access control logic in direct connection with the program code providing access to content. Even for the most ordinary application, however, creating and maintaining a consistent access control scheme across a vast code base can be difficult and ill advised. As such, at present, it is preferred to define an entire data structure for permitting or restricting access to different content in a multi-user computing application, such that every attempt to access content in a computing application can refer to a central access control list (ACL) in order to determine whether or not to grant the specified type of access to particular content in the computing application.
The management of access control, in and of itself, can be a computer-resource-intensive process. In this regard, while a certain degree of resource consumption is expected during the execution of the core logic of a computing application, the additional overlay of access control can add a further degree of resource consumption. So long as the degree of resource consumption remains small compared with that of the computing application itself, the benefit of access control can outweigh its costs. However, where resource consumption for access control becomes noticeable in the operation of a corresponding computing application, one must consider whether access control is feasible.
Notably, resource consumption due to access control can be quite noticeable when applying access control to hierarchically organized content. Generally referred to as a “tree”, a hierarchically organized set of content can include a selection of nodes arranged hierarchically from a single root to many different leaves via branches and sub-trees, as is well known in the art. When addressing access control for hierarchically organized content, the core concern is the determination of access rights for an authenticated user at one node based upon the access rights afforded to the authenticated user in connection with a parent node.
Traditionally, developers have approached the problem of access control for hierarchically organized content by storing all implied access control information for each node in connection with the node in the data structure supporting the hierarchically organized content. Specifically, instead of populating an ACL table with only the entries explicitly granted at nodes within a tree, the implications of a new access grant at the descendant nodes can be determined, and the amalgamation of the access grant and its implications can be placed as entries in the ACL table. To do so, however, can require the storage of substantial data in the ACL table, as the ACL would store all explicit and implicit rights for every user and group for all access to the tree. Maintaining the accuracy of the access information then becomes difficult as inevitable changes in access control rights occur, since a single change may result in many changes to the ACL table within the data store.
As another approach, developers programmatically iterate through all child nodes of a selected node in order to perform an access control check for the selected node. This approach involves using the base tree information to retrieve all children of the node and then, for each child, performing an access control check using the information in the ACL table. This algorithm uses much of the same logic to determine what access a user has on a child node, but introduces a new multiple into the performance equation—namely the number of children. Thus, for large trees, the number of children can be very large, and performance degrades linearly as the number of children increases.
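The storage and maintenance trade-off of the two approaches above can be made concrete with a small model. The following is an added example, not code from the patent: the tree, the principals and the grants are constructed, and the check-time variant walks up the parent chain (the parent-based inheritance described earlier in this section) rather than reproducing the per-child iteration.

```python
# Added example (not from the patent): a constructed tree and ACL grants,
# comparing materialized implied rights with a check-time parent walk.
from collections import defaultdict

# Constructed tree: node -> parent (None marks the root).
TREE = {"root": None, "docs": "root", "docs/hr": "docs",
        "docs/hr/salaries": "docs/hr", "code": "root"}

# Constructed explicit grants: (node, principal, right).
EXPLICIT = {("docs", "alice", "read"), ("docs/hr/salaries", "bob", "read")}

def descendants(tree, node):
    """All nodes below `node`, found by walking the child lists."""
    kids = defaultdict(list)
    for child, parent in tree.items():
        if parent is not None:
            kids[parent].append(child)
    stack, out = [node], []
    while stack:
        for child in kids[stack.pop()]:
            out.append(child)
            stack.append(child)
    return out

def materialize(tree, explicit):
    """Approach 1: one ACL row per explicit grant and per implied grant."""
    table = set(explicit)
    for node, principal, right in explicit:
        for d in descendants(tree, node):
            table.add((d, principal, right))
    return table

def rows_touched_by_revoke(tree, explicit, grant):
    """Maintenance cost of approach 1: rows that disappear when one grant goes."""
    return len(materialize(tree, explicit) - materialize(tree, explicit - {grant}))

def check_inherited(tree, explicit, node, principal, right):
    """Check-time alternative: walk up from `node` to the root looking for
    an explicit grant; the ACL stays at one row per explicit grant."""
    while node is not None:
        if (node, principal, right) in explicit:
            return True
        node = tree[node]
    return False
```

With the constructed data, two explicit grants expand to four materialized rows, and revoking the single grant on `docs` removes three of them, which is the maintenance burden the section describes.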