Administrators granting users access to resources may need to manage complex policies defining user access rights. One challenge administrators typically face is determining the impact of applying a complex policy to requests from a group of users. Additionally, an administrator may set an access control policy for a group of users but not know how that access control policy will impact users in the group who may belong to other groups having additional or conflicting requirements. One solution is to manually log in as each user with the created access control policy in place and determine the impact of the policies on the user. This is an unrealistic solution for administrators managing complex access control policies for large groups of users. Another solution is for the administrator to use a tool allowing the administrator to preview the results of applying a rule to one or more user requests for access, conventionally referred to as a Resultant Set of Policy (RSOP) tool. RSOP tools typically provide the administrator with a list of resources available to one or more users after the application of the rule.
However, RSOP tools are typically limited in functionality and scope. Not all resources that are available to users are necessarily supported by any one tool and an administrator may need several RSOP tools to determine the true impact of a policy on a set of users. Additionally, RSOP tools do not conventionally provide all of the information an administrator needs to understand a resultant set. For example, these tools typically list one or more resources to which access is allowed or denied for one or more users but do not typically explain how the tool made that determination or what the administrator would have to change in order to allow or deny additional resources or make exceptions for particular users. Furthermore, these tools typically do not allow for interactive use by an administrator or for the dynamic generation of a resultant set.
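The kind of preview described above, as an added example that is not taken from the original text: it computes each user's resultant set across overlapping groups and reports whose access changes if a candidate rule is added. The group names, resources, rule format, and the default-deny, deny-overrides semantics are all assumptions made for illustration.

```python
# Constructed sample data (all names hypothetical).
MEMBERS = {
    "alice": {"engineering"},
    "bob": {"engineering", "contractors"},  # belongs to two groups
    "carol": {"finance"},
}

# A rule is (group, effect, resource).
EXISTING = [
    ("engineering", "allow", "source-repo"),
    ("engineering", "allow", "build-server"),
    ("contractors", "deny", "source-repo"),
    ("finance", "allow", "payroll-db"),
]


def resultant_set(user, rules):
    """Resources the user can reach once every rule for their groups applies.

    Assumed semantics: default deny, and an explicit deny from any of the
    user's groups overrides an allow from another group.
    """
    groups = MEMBERS[user]
    allowed = {r for g, e, r in rules if g in groups and e == "allow"}
    denied = {r for g, e, r in rules if g in groups and e == "deny"}
    return allowed - denied


def preview(candidate, rules=EXISTING):
    """Per-user change in access if `candidate` were added to `rules`."""
    impact = {}
    for user in MEMBERS:
        before = resultant_set(user, rules)
        after = resultant_set(user, rules + [candidate])
        if before != after:
            impact[user] = {
                "gained": sorted(after - before),
                "lost": sorted(before - after),
            }
    return impact


if __name__ == "__main__":
    for user in sorted(MEMBERS):
        print(user, sorted(resultant_set(user, EXISTING)))
    # A rule written for contractors also changes access for an engineer.
    print(preview(("contractors", "deny", "build-server")))
    print(preview(("engineering", "allow", "payroll-db")))
```

Like the conventional tools discussed above, this returns only the resulting resource lists; it does not record which rule produced each outcome.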