The widespread use of computer systems, especially within networked computing environments, has created many different classes of computer users and has created a need for access control systems to govern how users can access such computer systems. As an example, consider a local area network (LAN) computing environment such as a corporate computer network, commonly referred as an intranet. The intranet network may include various computing systems such as intranet file servers, intranet web-servers, departmental computer systems, database servers, and so forth. Each computing system allows users and/or software programs to create and maintain directories, files, databases, or the like within data storage systems such as one or more disk drives coupled to the computing systems. The storage systems may contain varying amounts and types of data. Various users may control and access the different computing systems at different times of the day or night.
In such a computing environment, access control is an important aspect of system design and provides controlled access to files or other resources within the computing systems. Most conventional computing systems operate using an operating system that provides certain basic access control mechanisms. Using such conventional access control mechanisms, a computer systems manager or administrator (a person responsible for maintaining the computer systems) can configure, for example, an operating system in a computer system to control how that computer system allows users to access various directories and files maintained under control of the operating system.
Unfortunately, there are deficiencies associated with the above-described conventional approaches to controlling access. For example, authorization creep or privilege creep is a problem that manifests itself when a user accumulates access rights over time resulting in the user having unnecessarily wide access privileges within the organization. This is a common problem in organizations when a user moves up or laterally in an organization due to the user accumulating new access rights in order to be able to meet the requirements of the new role. As will be appreciated, often previous access rights go unchecked, resulting in the retention of these rights. This can create security risks. For example, a user with excess privileges may be tempted to abuse them by accessing applications and data in an unauthorized manner. Also, if an intruder gains access to a user's account that possesses excess privileges, the intruder will also have those excess privileges. Both scenarios can result in data loss or theft. There is, therefore, a need to address this problem.