1. Technical Field
The present invention relates to hierarchical systems, and more particularly to a system for representing and determining relationships between entities in a hierarchy.
2. Discussion
Systems and organizations are frequently hierarchical in their structure. Computer systems designed to interact with such systems and organizations must reflect their internal hierarchy. For example, access to a computer system could reflect the hierarchy of the organization to ensure not only that persons have sufficient access and system capability to perform their required job functions, but also to restrict their ability to access and control areas of the system outside their job functions. As a result, individuals at high levels in the corporate hierarchy would be able to access and control broad areas in the computer system commensurate with their job responsibilities, while lower-level employees would have a restricted ability to access and control. Further, it is desirable to restrict even higher-level employees' ability to interact with areas outside of their responsibilities. For example, individuals in the manufacturing branch of a hierarchy should not ordinarily have access to payroll, and vice versa.
To meet these objectives, a number of computer security systems have been developed. Such security systems may be integrated as part of an operating system or may comprise an additional piece of software used as an adjunct to an existing operating system. Examples of the former include the network operating system called Netware, sold by Novell, Inc. of Provo, Utah; examples of the latter include RACF, sold by IBM Corporation, and CA-TOP Secret and CA-ACF-2, both sold by Computer Associates, Rosemont, Ill. These kinds of security systems, in general, can be used to define each individual's position in a hierarchical organization and to confine his access and control to a limited sphere within the hierarchy.
Unfortunately, existing security systems have a number of limitations. In existing computer security systems, relations between entities in a hierarchy are generally determined by dynamically accessing the entity definitions to determine their relative positions within the hierarchy. This causes a traversal of the hierarchical structure each time the relation between entities is required.
The dynamic method of determining hierarchical relations is costly in terms of processing time and resources. This is due to the method used to determine the relation, which involves retrievals of multiple entities defined to the hierarchical system each time their relation needs to be determined (in effect, a traversal of the structure). Also, since entity definitions are local to the system where they are defined, this dynamic method does not provide the ability to decentralize or remotely determine a relation. As a result, it is not possible to administer the security product without duplicating the security definitions at a remote site. Further, it is not possible to administer the security product without having the security product installed.
In addition, with the dynamic approach, relationships are determined at the time an operation is being performed and it is not possible (or is very difficult) to generate reports detailing either the operations a particular entity can perform or that entity's scope of authority. Also, the overhead in a dynamic system is high because it requires the retrieval of the entity definitions throughout the hierarchy each time the relationship is determined.
Alternatively, a static method might be used to store the relationships between entities. However, this method would probably require maintaining tables or lists that contain the relationship of each defined entity to all other entities. Unfortunately, the amount of information stored would be large due to the number of permutations possible between even a small number of defined entities. While this method might allow for easy determination of the individual relationships, it does not allow for a concise representation of the structure itself.
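The following is an added illustration of the two approaches described above, the dynamic traversal and the static pairwise table; it is not code from the patent, and the hierarchy, entity names and functions are constructed for the example. It makes the cost trade-off concrete: the dynamic check fetches entity definitions on every call (the retrieval count is returned alongside the answer), while the static table answers in one lookup and makes a scope-of-authority report trivial, but stores n*(n-1) entries.

```python
"""Relation checks in an entity hierarchy: dynamic traversal vs. static table.

Added example (not part of the original text). The hierarchy below is a
constructed sample: child -> parent, with None marking the root.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_HIERARCHY: Dict[str, Optional[str]] = {
    "ceo": None,
    "cfo": "ceo",
    "coo": "ceo",
    "payroll": "cfo",
    "manufacturing": "coo",
    "plant_a": "manufacturing",
    "payroll_clerk": "payroll",
    "operator": "plant_a",
}


def relation_dynamic(hierarchy: Dict[str, Optional[str]],
                     a: str, b: str) -> Tuple[str, int]:
    """Dynamic method: decide how entity a relates to entity b by walking
    parent pointers at call time.

    Returns (relation, retrievals). relation is 'superior' (a is above b),
    'subordinate' (a is below b), 'unrelated' (different branches) or
    'self'. retrievals counts entity definitions fetched, i.e. the
    traversal cost paid on every call.
    """
    if a == b:
        return ("self", 0)
    retrievals = 0
    # Walk upward from b; if we meet a, then a is a superior of b.
    cur = hierarchy[b]
    retrievals += 1
    while cur is not None:
        if cur == a:
            return ("superior", retrievals)
        cur = hierarchy[cur]
        retrievals += 1
    # Walk upward from a; if we meet b, then a is a subordinate of b.
    cur = hierarchy[a]
    retrievals += 1
    while cur is not None:
        if cur == b:
            return ("subordinate", retrievals)
        cur = hierarchy[cur]
        retrievals += 1
    return ("unrelated", retrievals)


def build_static_table(hierarchy: Dict[str, Optional[str]]
                       ) -> Dict[Tuple[str, str], str]:
    """Static method: precompute the relation of every entity to every other
    entity once, so that each later check is a single lookup. The table
    holds one entry per ordered pair, n*(n-1) entries in total."""
    table: Dict[Tuple[str, str], str] = {}
    for a in hierarchy:
        for b in hierarchy:
            if a != b:
                table[(a, b)] = relation_dynamic(hierarchy, a, b)[0]
    return table


def static_table_size(entity_count: int) -> int:
    """Number of ordered pairs the static table must store."""
    return entity_count * (entity_count - 1)


def scope_of_authority(table: Dict[Tuple[str, str], str],
                       entity: str) -> List[str]:
    """Report every entity the given entity is superior to. With the static
    table this is a scan of stored entries; the dynamic method would have to
    traverse the structure for every candidate entity."""
    return sorted(b for (a, b), rel in table.items()
                  if a == entity and rel == "superior")


if __name__ == "__main__":
    table = build_static_table(SAMPLE_HIERARCHY)
    print("cfo vs payroll_clerk:", relation_dynamic(SAMPLE_HIERARCHY, "cfo", "payroll_clerk"))
    print("manufacturing vs payroll:", relation_dynamic(SAMPLE_HIERARCHY, "manufacturing", "payroll"))
    print("static table entries:", len(table), "=", static_table_size(len(SAMPLE_HIERARCHY)))
    print("scope of coo:", scope_of_authority(table, "coo"))
```

Note how the retrieval count for two unrelated entities (manufacturing and payroll) is the sum of both paths to the root, which is the repeated cost the discussion attributes to the dynamic method, while the static table for only eight entities already needs 56 entries and grows quadratically.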
Thus, it would be desirable to provide a simple method of determining the relationship between entities in a hierarchy. It would also be desirable to provide such a method which can determine the hierarchical relations without involving the security product each time the relation is required. It would also be desirable to provide a system which permits decentralization to allow determination of hierarchical relations at a remote site without requiring access to the security product. It would also be desirable to provide a mechanism for determining such relations to make possible an easy method of providing reports detailing the operations a particular entity is able to perform and the scope of an entity's authorities. Further, it would be desirable to provide a system with the above features which operates quickly and uses a minimal amount of computing resources and without invoking the security product each time hierarchical relations are needed.