Modern data processing systems, particularly in a multi-user environment, employ access control measures to manage access to resources available to the users of the system. These control measures may manage data access, event routing, and task authorization, for example. The set of rules that determine which users, or possibly groups of users, can access a particular resource with respect to these activities may often be referred to as “policies.” For example, referring to FIG. 1, there is shown therein an illustrative multiuser system 100 in which a plurality of clients 102 are connected to a server 106 via network 110. Network 110 may be a local area network (LAN), wide area network (WAN) or the Internet, for example. It would be appreciated that the principles of the present invention to be discussed hereinbelow are not predicated on a particular network architecture. Server 106 may provide, for example, application services, exemplified by database management system (DBMS) 108 and database (DB) 115 to clients 102, and data access, exemplified by FTP server 117 and file storage 119. (An artisan of ordinary skill would recognize that an FTP server is an application that enables users to download or upload files from a specified directory or group of directories using the F(ile) T(ransfer) P(rotocol), an Internet standard for the exchange of files.)
Typically, a policy may be associated with each resource identifier. For example, a file on an FTP server may be a resource that is available to users in accordance with a particular policy. In other words, the file may be accessible only to a limited class of users, such as users who are registered licensees of a software product, for example. Thus, a file with a filename filename 1 in a directory named foo and a subdirectory of foo named bar would be identified by the pathname foo\bar\filename 1. In general, subdirectory bar may contain n files, say filename 1, filename 2, . . . , filename n. Associated with each of these files may be a policy for managing user access to these files. However, subsets of files filename 1, filename 2, . . . , filename n may have the same policy. Similarly, with respect to system resources, generally, subsets, or classes, of resources, each of which is uniquely identified, may nevertheless have the same policy associated therewith. Nevertheless, each resource is associated with a policy even though the policies may be the same for a multiplicity of the resources. Thus, there is a need in the art for a mechanism by which a multiplicity, or set, of resources in a data processing system may be associated with a common policy.