1. Field of the Invention
The field of the invention relates to data processing. More specifically, embodiments of the present invention relate to allowing extensions to user policies for defining access to resources or services.
2. Related Art
Computer systems typically include a combination of hardware (e.g., semiconductors, circuit boards, etc.) and software (e.g., computer programs). As advances in semiconductor processing and computer architecture push the performance of computer hardware higher, more sophisticated computer software has evolved to take advantage of the higher performance of the hardware.
Other changes in technology have also profoundly affected how people use computers. For example, the widespread proliferation of computers prompted the development of computer networks that allow computers to communicate with each other. With the introduction of the personal computer (PC), computing became accessible to large numbers of people. Networks for personal computers were developed to allow individual users to communicate with each other. In this manner, a large number of people within a company could communicate at the same time with a central software application running on one computer system. As a result of sharing a software application with numerous users, policies are defined and enforced that control the access and use of resources, such as applications on a server system. Policies may protect other resources and services, as well.
Referring now to Prior Art FIG. 1, a block diagram of a generic server system 10 is shown. The generic server system 10 comprises a user 20 connected to a server 21 by a data connection 24. Typically, the user 20 will access an application 22 that is stored on server 21 over the Internet. In a corporate environment, the user 20 could be connected to the server 21 by an internal network, for example, an Intranet. In addition, server 21 stores a set of user policies in a database 23 for authenticating access to software application 22. Typically, the user policy database 23 comprises user names and associated passwords. When a user provides credentials to access secure applications, the credentials are checked against the stored values.
It may be stated that the policies determine who can do what to whom under what conditions. In the previous statement, the who may be, for example, a person, a service, or an application. The whom may be, for example, a resource or service to which access is sought. The condition may be, for example, based on time, class of user, etc. Only if the condition is met will the resource or service be made available.
Typically, organizations require a wide variety of policies, depending on factors such as the resource or service to protect and the user seeking access. For example, one set of user policies defined for a human resources server prevents other personnel from viewing confidential salary information and other sensitive data. Another set of user policies for an engineering server allows authorized personnel from many internal segments of a company to publish and share research and development information. Such user policies restrict external partners from gaining access to proprietary information while allowing access to the correct people inside an organization.
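As an added illustration (not part of the original specification), the following Python models the "who can do what to whom under what conditions" policy record described above, with conditions as pluggable predicates so a new kind of condition can be added without changing the evaluator; the policy set, user classes and resource names are constructed for the example and mirror the human resources and engineering servers mentioned.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List

# A request context: who is asking, what they want to do, to which resource,
# and the circumstances (time of day, whether the caller is external, ...).
Context = Dict[str, object]
Condition = Callable[[Context], bool]


@dataclass
class Policy:
    """'Who can do what to whom under what conditions' as one record."""
    subject_class: str          # who   (class of user, service or application)
    action: str                 # what
    resource: str               # whom  (resource or service)
    conditions: List[Condition] = field(default_factory=list)  # under what conditions

    def permits(self, ctx: Context) -> bool:
        # Every clause must match; an unmet condition withholds the resource.
        return (ctx["class"] == self.subject_class
                and ctx["action"] == self.action
                and ctx["resource"] == self.resource
                and all(cond(ctx) for cond in self.conditions))


# Condition predicates are plain callables (hypothetical examples), so a new
# kind of condition can be added without touching Policy or is_allowed.
def business_hours(ctx: Context) -> bool:
    return time(8, 0) <= ctx["time"] <= time(18, 0)


def internal_only(ctx: Context) -> bool:
    return not ctx.get("external", False)


# Constructed sample policy set: HR staff may view salary data from inside the
# company; engineers may publish R&D material from inside, during business hours.
POLICIES: List[Policy] = [
    Policy("hr", "view", "salary_data", [internal_only]),
    Policy("engineer", "publish", "rnd_share", [internal_only, business_hours]),
]


def is_allowed(policies: List[Policy], ctx: Context) -> bool:
    """Default deny: grant only when at least one policy permits the request."""
    return any(p.permits(ctx) for p in policies)


def request(user_class: str, action: str, resource: str, hour: int, external: bool = False) -> Context:
    return {"class": user_class, "action": action, "resource": resource,
            "time": time(hour, 0), "external": external}
```

Because the evaluator is default deny, an external partner with no matching policy is refused even though no policy names partners explicitly.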
Clearly, organizations require a myriad of different policies to adequately protect their resources and services. Thus, it is beneficial to create user policies that are tailored for the specific environment. However, creating and managing the enormous range of user policies needed can be a hindrance to the performance of a server system because the server accesses a very large user policy database each time an application is accessed.
Moreover, it is very difficult to anticipate the policy that is best suited to protect the resource in question when providing a system such as that of FIG. 1. Hence, the most effective user policies cannot be put into place at the time the system is initially installed.
A still further concern is that organizations are constantly evolving. Hence, a set of policies that was put into place initially may fail to provide adequate protection, or may overprotect, as the organization evolves.
Therefore, a problem with conventional methods of providing a policy system is that the policies that are delivered with the system may fail to be tailored to the user's requirements. A still further problem is that the system may require an enormous number of policies to cover the different conditions an organization may face and hence system performance may be poor. A still further problem is that it is impossible to anticipate an organization's present and future requirements and hence the policies that are first installed with a system may not be the most effective at protecting services and resources.