Delegated administration is the process of distributing various administrative tasks to one or more administrators. As computer systems and networks become larger and more complex, and as companies become larger and offer more services over the Internet, a central administration model is no longer viable. Delegated administration addresses this issue by delegating or distributing any of a number of administration tasks to any number of administrators. Delegated administration confines each administrator to the tools, tasks and data of specific domains within a hierarchy, whereas a non-delegated environment exposes each administrator, without restriction, to a potentially overwhelming number of tools and tasks and amount of data.
Delegated administration is useful because it enables a company to organize its administration framework according to its business environment, because one can control and allocate administrative tasks, and because it helps to manage large-scale implementations. Nevertheless, certain aspects of delegated administration can be improved upon.
FIG. 1 illustrates a prior art representation of users within a company organized in a tree structure 10. In this simple example, users are organized by department (or groups) and all users are managed as a single domain. A single administrator is responsible for managing the entire company with the effect that it might take a long time to process certain requests related to a user, and the administrator processing the request might not understand the particular business requirements of one of the departments. Shown is a user 12 associated with an event 14. Event 14 may be any of a wide variety of events, data or attributes associated with a particular user. In this simple example, event 14 is an e-mail message that user 12 has received.
FIG. 2 illustrates a prior art representation of the same users organized in a tree structure 50 that is divided into domains 60 and 70. In this example, the concept of delegated administration is used to manage the users. Administration of users in domain 60 is delegated to one administrator, while administration of users in domain 70 is delegated to another administrator. This delegated administration helps to better apply the business requirements of a particular group or department when performing user administration. Of course, delegated administration in real life is often much more complex, involving huge tree structures, many departments or groups, many types of events, and large numbers of domains and administrators. Certain queries that an administrator might need to perform within the tree structure can be time consuming.
For example, in a delegated administration environment one of the administrators should only be allowed to view e-mail messages corresponding to users within that administrator's own domain (i.e., any number of departments or groups). It can be very time consuming for the system to determine whether an administrator can view message 14 corresponding to user 12. For an administrator who logs in to the system corresponding to tree structure 50, the system must first determine to which group user 12 belongs and then match that group to any of the groups that are managed by the administrator. This procedure must be performed on each e-mail message.
A typical e-mail message log contains a record of the recipient of the message (for example, user 12). When one of the administrators (having been delegated responsibility for any number of groups within structure 50) logs into the system and requests to view all relevant e-mail messages, a backend program of the system must sort through the users, groups and e-mail messages to determine which messages the administrator may view. The typical computing time for one e-mail log entry includes determining to which group the user belongs based upon the e-mail log (time 1), plus matching this group with any of the groups that are part of the administrator's domain (time 2). The first time segment (time 1) depends upon the total number of e-mail addresses within the organization, and the second time segment (time 2) depends on how many groups the administrator is responsible for. If the total number of e-mail log entries within the organization is N, then the total computing time for this request by the administrator is N*(time 1+time 2).
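The per-entry check described in the two paragraphs above, as an added example that is not code from the original document. All group names, addresses, administrators and log entries are constructed, and the counters stand in for time 1 and time 2 rather than measuring real time; treating a delegated group as covering its sub-groups is an assumption.

```python
# Constructed sample data; all names, groups and log entries are illustrative.
PARENT = {  # group -> parent group, in the spirit of tree structure 50
    "company": None, "sales": "company", "engineering": "company",
    "sales-emea": "sales", "eng-platform": "engineering",
}
USER_GROUP = {  # recipient address -> group the user belongs to
    "alice@example.com": "sales-emea",
    "bob@example.com": "eng-platform",
    "carol@example.com": "sales",
}
ADMIN_DOMAINS = {  # administrator -> groups delegated to that administrator
    "admin-sales": ["sales"],
    "admin-multi": ["engineering", "sales-emea"],
}
MAIL_LOG = [
    {"id": 1, "rcpt": "alice@example.com"},
    {"id": 2, "rcpt": "bob@example.com"},
    {"id": 3, "rcpt": "carol@example.com"},
    {"id": 4, "rcpt": "mallory@example.net"},  # recipient not in the directory
]

def ancestors(group):
    """Return the group itself plus every group above it in the tree."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT.get(group)
    return chain

def visible_entries(admin, log=MAIL_LOG):
    """Filter the log entry by entry; returns (ids, lookups, comparisons)."""
    delegated = ADMIN_DOMAINS.get(admin, [])  # unknown admin manages nothing
    ids, lookups, comparisons = [], 0, 0
    for entry in log:
        lookups += 1  # time 1: resolve the recipient to a group
        group = USER_GROUP.get(entry["rcpt"])
        if group is None:
            continue  # unresolvable recipient: deny by default
        chain = ancestors(group)
        for d in delegated:  # time 2: grows with the admin's group count
            comparisons += 1
            if d in chain:
                ids.append(entry["id"])
                break
    return ids, lookups, comparisons
```

Every request repeats both steps for all N log entries, including entries the administrator will never be allowed to see, which is the N*(time 1+time 2) cost the text describes.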
Other prior art techniques for implementing delegated administration and for performing such requests leverage LDAP. The Lightweight Directory Access Protocol is a set of protocols for accessing information directories and is a simpler version of the X.500 standard. LDAP is a sibling protocol to HTTP and to FTP and its functionality is very powerful, but it can be time consuming to obtain a query result, especially when large amounts of data are queried.
Accordingly, a system and technique are needed to allow event queries on hierarchical groups to be performed efficiently in the context of delegated administration.