1. Technical Field
The invention relates to a method of improving administration and management of services provided in a network. More specifically, the invention relates to defining groups of users who access network services, or are provided network services, in such a way as to determine membership only when the service is requested or about to be provided, and to determine this membership based on a flexible specification of user or object attributes.
2. Description of the Prior Art
Traditional methods of identifying groups of users who are to receive network services can be classified as follows:
A group may be comprised of a list of members belonging to the group.
A user may be identified as a member of a group by having a specific attribute with a specific value identifying the user as a member of the group.
Static Lists
The Unix file system supports a group permission model to specify who may access various files (and directories). Each file is owned by a specific user and group. To determine whether a user can access a file, the user must be identified as its owner or must be in the list of users who belong to the group which owns the file.
Electronic mailing lists are maintained to allow electronic mail to be distributed to all users who are listed as members of the list. Systems such as majordomo implement mechanisms to maintain membership in the list on a user-by-user basis.
Calendaring software, such as Corporate Time from Corporate Software and Technologies Int. Inc., supports specific groups of users who may modify the schedule to a room or network resource, or who may be invited to a particular meeting.
While all of the above groups may contain other groups, they all require specific maintenance of membership information about the group. Specifically, whoever is to receive access or service as a member of the group must be explicitly listed in the group itself, or as a member of a group which is listed as a member. Each time a user enters or exits an organization, the user must be specifically added to all appropriate groups, or specifically removed from such groups. As the number of different groups in an organization grows, this can be a major administrative burden.
While removal of user names from all groups can be automated, it is more difficult to automate entering users in all appropriate groups. Typically, information about who should and should not be entered in a group is distributed throughout an organization, and services for a new user can be made available relatively haphazardly, depending on when the administrative entity responsible for each group learns about a user and their need for service. In the case of mailing lists, an information service (for example) may never be made available to a user if the administrator does not know that the user is entitled to the information (for instance, a contractor working in a building may not be entered in the mailing list for people who work in the building because the contractor is not administered by the same entity as everyone else in the building).
Group Attributes
An alternative method of identifying group membership consists of adding specific group identification information to the collection of information about a user.
An example of physical group attribute identification involves issuing an employee identification badge or key. The user can be granted a service or admitted to a building upon presentation of the badge or by using the key to open a lock. In this case, control of a user's right to access requires providing or confiscating a physical token (the badge or key).
Electronic badge sensor systems can now communicate to a centralized service to check whether the badge bearer can access a service or system. This access, however, is usually granted to a list of badges, which is identical to the group list method described above.
In digital certificate technology, groups can be identified as those people possessing certificates that have been signed by a specific certification authority (CA). For example, all company employees may be identified as those who possess certificates signed by the company CA. There is no need to consult a static list to determine membership in the company (the CA's signature is verified using algorithmic means). While this is a very scalable mechanism for identifying group membership, it remains relatively rigid, i.e., a person either is or is not a member of the group.
It would be advantageous to provide a technique for defining groups of users who access network services, or are provided network services, in such a way as to determine membership only when the service is requested or about to be provided, and to determine this membership based on a flexible specification of user or object attributes.
The invention herein provides a technique, referred to as dynamic group membership, which is based on a more flexible model of specifying group membership. Specifically, a group member can be determined by whether the information maintained in a centralized directory service matches an arbitrary specification. Thus, instead of checking to see whether a user possesses a specific group attribute, dynamic group membership is determined by checking any user attribute.
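To make the contrast with the static lists above concrete, the following is an added example (not from the patent) in Python: each group is stored as an attribute specification rather than a member list, and membership is decided at request time against a centralized directory. The directory entries, the group names and the nested-tuple specification syntax are all constructed for this example.

```python
# Added example (not from the patent): dynamic group membership evaluated
# at request time against a centralized directory of user attributes.
# The directory contents and the group specifications are constructed here.

DIRECTORY = {
    "alice": {"employer": "acme", "building": "B1", "dept": "eng", "status": "active"},
    "bob":   {"employer": "acme", "building": "B2", "dept": "sales", "status": "active"},
    "carol": {"employer": "contractor-co", "building": "B1", "dept": "eng", "status": "active"},
    "dave":  {"employer": "acme", "building": "B1", "dept": "eng", "status": "terminated"},
}

# A specification is a nested tuple: ("eq", attr, value), ("and", spec, ...),
# ("or", spec, ...), ("not", spec). It is stored with the group; no member list exists.
GROUPS = {
    # Everyone physically working in building B1, regardless of who employs them,
    # so the contractor case from the prior-art discussion is covered automatically.
    "b1-occupants": ("and", ("eq", "building", "B1"), ("eq", "status", "active")),
    # Engineering staff employed directly by acme.
    "acme-eng": ("and", ("eq", "employer", "acme"),
                        ("eq", "dept", "eng"),
                        ("eq", "status", "active")),
}

def matches(spec, attrs):
    """Evaluate a membership specification against one directory entry."""
    op = spec[0]
    if op == "eq":
        return attrs.get(spec[1]) == spec[2]
    if op == "and":
        return all(matches(s, attrs) for s in spec[1:])
    if op == "or":
        return any(matches(s, attrs) for s in spec[1:])
    if op == "not":
        return not matches(spec[1], attrs)
    raise ValueError(f"unknown operator {op!r}")

def is_member(user, group, directory=DIRECTORY, groups=GROUPS):
    """Decide membership when the service is requested, from current attributes only."""
    attrs = directory.get(user)
    if attrs is None:
        return False  # unknown principals are never members
    return matches(groups[group], attrs)

def members(group, directory=DIRECTORY, groups=GROUPS):
    """Enumerate current members, e.g. to expand a mailing list at send time."""
    return sorted(u for u, a in directory.items() if matches(groups[group], a))
```

Because the decision reads the directory each time, changing a user's `status` or `building` attribute takes effect on the next request without touching any group.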