In some computing environments, there are many types of machines, products, and services. These entities may be managed by multiple administrators who have overlapping and non-overlapping spans of control. For example, in some cases, an administrator may be responsible for all installed software and services for a certain set of machines in a particular location, and in other cases, an administrator may be responsible for a specific product and services regardless of where the machines might be located. For example, a first administrator may be responsible for all machines in a particular building, whereas a second administrator may be responsible for the configuration and maintenance of all database servers, regardless of location. This may lead to conflicting intent when it comes to policy and desired state.
When there are large numbers of machines and many administrators trying to establish their intent, or “policy,” the resultant configuration of any given machine is very often not known. This gives rise to a very undesirable state of affairs, since a given machine may inadvertently have acquired an untenable, unsafe, or unsecure configuration.