1. Field of the Invention
The present invention relates in general to the field of information handling system networks, and more particularly to a system and method for querying a Directory Service for information handling system user privileges.
2. Description of the Related Art
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Information handling systems often interact with each other and with peripherals through networks, such as Ethernet-based wire line networks or 802.11-based wireless networks. Businesses have found that networking information handling systems improves productivity by better managing information for the coordinated activities of employees. Often, business networks become quite large, supporting a substantial number of users across multiple servers and multiple locations. Typically, different users are provided with varying levels of access to network resources by defining specific privileges associated with each user. For instance, privileges define information approved for access by a user, such as sensitive business information having access limited to executives, officers or directors of the business, or sensitive personal information having access limited to human resources personnel. As another example, privileges define actions approved for access by a user, such as approval to set and alter system configurations limited to information technology administration. Often varying groups of employees are assigned varying privileges so that a given network user may belong to several groups with each group having one or more associated privileges.
One difficulty with having varying levels of privileges that govern access to a network is managing the users or groups of users associated with each privilege. Typically, user privileges are tracked in a network privilege directory database, such as the ACTIVE DIRECTORY database from MICROSOFT. A user who seeks to access a privilege through a network has the access confirmed through user privilege data stored in the network privilege directory. However, local configuration of user privileges presents a substantial network management challenge of keeping up with employees who join and leave a business and tends to detract from the convenience of a common directory database for controlling user accesses. In particular, defining cross-domain user groups is difficult, often requiring re-creation of user groups in each domain, a costly and time-consuming process. An alternative is to define universal groups that work across domains; however, defining and maintaining universal groups of users for more centralized management of network accesses also faces difficulties. For instance, universal groups replicated to an ACTIVE DIRECTORY Global Catalog cause bloat and require that any changes to user access privileges be replicated to the global catalog before becoming effective, presenting security problems until replication is complete. For this and other reasons, information technology administrators tend to avoid using universal groups.
Therefore a need has arisen for a system and method which queries a Directory Service for an information handling system user privilege to access a network product.
In accordance with the present invention, a system and method are provided which substantially reduce the disadvantages and problems associated with previous methods and systems for managing user privileges for access to a network with an information handling system. A server administrator queries a privilege directory to determine whether a user request to access a product is allowable. The server administrator retrieves association objects for the requested product, determines whether the requesting user is tied to the retrieved association objects, and allows access by the user to the product if an association object tied to the product is also tied to the user and carries the privilege to access the product.
More specifically, an information handling system network communicates information across plural domains between server and user information handling systems. An open managed server administrator associated with a product of a first domain approves or disapproves access to the product by users of the first or other domains by reference to a network privilege directory. The privilege directory has plural association objects, each object tied to a product or products, a user or group of users, and a single privilege. The server administrator receives a user request for access to a product and retrieves all association objects of the privilege directory that are tied to the product. The server administrator identifies each of the retrieved association objects that are tied to the requesting user and then allows user access to the product if a privilege tied to one of these association objects includes a privilege to access the product. The product may include a predetermined application, function or information.
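The query route described above, as an added worked example that is not part of the patent and not code from any product it names: an in-memory stand-in for the privilege directory (a real deployment would hold the association objects in a directory service), with group membership followed transitively so that a group defined in one domain can carry users from another, as the cross-domain description requires. The product, group and user names are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AssociationObject:
    # One association object: tied to one or more products, one or more
    # users or groups, and exactly one privilege, as the text describes.
    products: frozenset
    members: frozenset  # user or group principals, written "domain\\name"
    privilege: str

@dataclass
class PrivilegeDirectory:
    associations: list
    group_members: dict = field(default_factory=dict)  # group -> set of principals

    def principals_for(self, user):
        # The user plus every group containing it, following nested groups.
        result, frontier = {user}, [user]
        while frontier:
            p = frontier.pop()
            for group, members in self.group_members.items():
                if p in members and group not in result:
                    result.add(group)
                    frontier.append(group)
        return result

    def access_allowed(self, user, product, privilege):
        # Step 1: retrieve every association object tied to the product.
        tied_to_product = [a for a in self.associations if product in a.products]
        # Step 2: keep those tied to the requesting user, directly or via a group.
        mine = self.principals_for(user)
        tied_to_user = [a for a in tied_to_product if a.members & mine]
        # Step 3: allow only if one of those carries the requested privilege.
        return any(a.privilege == privilege for a in tied_to_user)

# Constructed sample directory: two products, a cross-domain group member
# ("emea\\alice" in a "corp" group) and one nested group.
DIRECTORY = PrivilegeDirectory(
    associations=[
        AssociationObject(frozenset({"payroll-app"}), frozenset({"corp\\hr-staff"}), "read"),
        AssociationObject(frozenset({"payroll-app", "inventory-app"}),
                          frozenset({"corp\\it-admins"}), "configure"),
    ],
    group_members={
        "corp\\hr-staff": {"corp\\bob", "emea\\alice"},
        "corp\\it-admins": {"corp\\helpdesk-leads"},
        "corp\\helpdesk-leads": {"emea\\carol"},
    },
)
```

The query starts from the product rather than from the user, so the same group can be reused in association objects for many products without being re-created per domain.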
The present invention provides a number of important technical advantages. One example of an important technical advantage is that access to products is managed locally from a centralized privilege directory to provide improved support for cross-domain user product requests. Privilege directory queries proceeding from the server administrator through the product instances to identify association objects provide a direct query route for locating user instances of the product and the privileges associated with those user instances. Network administrators may use and reuse groups to define user privileges for multiple products, allowing for efficient network administration.
The present invention may be better understood, and its numerous objects, features and advantages made apparent to those skilled in the art by referencing the accompanying drawings. The use of the same reference number throughout the several figures designates a like or similar element.
Information handling system access to a network product is managed by a query from a server administrator associated with the product to a privilege directory to determine whether a requesting user has a privilege to access the product. For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer, a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, and a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.
Referring now to
Referring now to
Referring now to
Although the present invention has been described in detail, it should be understood that various changes, substitutions and alterations can be made hereto without departing from the spirit and scope of the invention as defined by the appended claims.