Centralized directory services supporting dynamic group membership
Abstract
A method whereby application and network services (such as access control and electronic mailing list servers) can use a directory service to define groups of directory members using a directory search specification evaluated at service delivery time (dynamic group membership). Traditionally, network services have been delivered to groups of users defined in relatively narrow manners: either by keeping a list of all users who are members of the group, or by attaching specific group membership attribute information to the information maintained about each specific user. Dynamic group membership allows these services to be delivered to groups of users who can be defined by a completely arbitrary specification of user attribute information. For example, electronic mail can be sent to a group of users whose office was located in a certain building (specifically, whose office location attribute matched a specific value). Another example is that users may be permitted to access a network service, such as a printer, based on whether the printer is in the same building as the user (specifically, whether the printer's location attribute matches the user's office location attribute).
25 Claims
1. A method for use in connection with application and network services to provide a directory service that defines dynamic groups of directory members, the method comprising the steps of:
-
defining a directory search specification for a dynamic group based upon user attribute information, where said dynamic group is any set of users in which membership is dynamically determined and in which groups of users are defined by said directory search specification;
evaluating said directory search specification at a service delivery time;
determining whether information maintained in a directory matches said directory search specification;
delivering said service to said dynamic group;
providing a directory server to maintain information about users; and
providing a messaging server that maintains information about groups in said directory server;
wherein when said messaging server sends a search specification to said directory server which causes said directory server to return a set of users or group objects; and
wherein said message server then causes said message to be sent to each of the users or groups returned by said search. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
providing a set of expressions and Boolean operations for use in a directory search.
-
-
3. The method of claim 2, wherein said expressions comprise any of:
-
equal ‘=’ where an instance of the attribute exactly matches the value;
contains ‘*’ which is used as a wild card to allow presence check, or partial matches;
sounds like ‘~=’ which is used in name searches;
greater or equal ‘>=’ which is used for numerical comparisons;
less or equal ‘<=’ which is used for numerical comparisons;
an ‘!’ operator which is used to negate any expression; and
‘&’ (and) and ‘|’ (or) operators which are used in combining expressions.
-
4. The method of claim 1, wherein said dynamic groups may use any of a dynamic group filter and a tree structure in the creation of groups.
-
5. The method of claim 4, wherein said dynamic group filter provides set management by creating sets of members in said directory using said members attributes.
-
6. The method of claim 4, wherein said tree structure comprises parameters that are used to determine what portion of said directory tree to search.
-
7. The method of claim 1, further comprising the step of:
enumerating members of said dynamic group retrieving some piece of information on each group member.
-
8. The method of claim 7, wherein said group membership enumeration step further comprises the steps of:
-
reading said group;
retrieving membership criteria;
initiating a subsequent search based on said membership criteria is initiated; and
stepping through the results of said subsequent search to produce a membership list, along with any desired information for each member.
-
-
9. The method of claim 1, further comprising the step of:
verifying membership in said dynamic group.
-
10. The method of claim 9, wherein said verifying step further comprises the step of:
answering a query for a web page accessible only to members of a given group to ensure that a client requesting access is a member of said dynamic group in question.
-
11. The method of claim 1, further comprising the steps of:
-
examining a purported group member's entry to determine if it is within the scope of said group's membership criteria; and
searching said purported member's entry with a filter corresponding to said group's membership criteria;
wherein a successful return indicates group membership and an unsuccessful return indicates no group membership.
-
-
12. The method of claim 1, wherein each user is represented as an inetOrgPerson object; and
wherein a class of attributes mailRecipient object is combined with said inetOrgPerson object for a user to receive mail.
-
13. The method of claim 12, wherein said mailRecipient attributes define information which identifies any of the name of a messaging server that stores a user's mail, a user identifier used by said user to login to a messaging server; and electronic mail addresses that identify a specific user.
-
14. The method of claim 1, wherein a dynamic group may contain other groups.
-
15. An apparatus for use in connection with application and network services to provide a directory service that defines dynamic groups of directory members, comprising:
-
a directory search specification for a dynamic group based upon user attribute information, where said dynamic group is any set of users in which membership is dynamically determined and in which groups of users are defined by said directory search specification;
means for evaluating said directory search specification at a service delivery time;
means for determining whether information maintained in a directory matches said directory search specification;
means for delivering said service to said dynamic group;
a directory server to maintain information about users; and
a messaging server that maintains information about groups in said directory server;
wherein when said messaging server sends a search specification to said directory server which causes said directory server to return a set of users or group objects; and
wherein said message server then causes said message to be sent to each of the users or groups returned by said search. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
a set of expressions and Boolean operations for use in a directory search.
-
-
17. The apparatus of claim 16, wherein said expressions comprise any of:
-
equal ‘=’ where an instance of the attribute exactly matches the value;
contains ‘*’ which is used as a wild card to allow presence check, or partial matches;
sounds like ‘~=’ which is used in name searches;
greater or equal ‘>=’ which is used for numerical comparisons;
less or equal ‘<=’ which is used for numerical comparisons;
an ‘!’ operator which is used to negate any expression; and
‘&’ (and) and ‘|’ (or) operators which are used in combining expressions.
-
18. The apparatus of claim 15, wherein said dynamic groups may use any of a dynamic group filter and a tree structure in the creation of groups.
-
19. The apparatus of claim 18, wherein said dynamic group filter provides set management by creating sets of members in said directory using said members attributes.
-
20. The apparatus of claim 18, wherein said tree structure comprises parameters that are used to determine what portion of said directory tree to search.
-
21. The apparatus of claim 15, wherein members of said dynamic group retrieving some piece of information on each group member are enumerated.
-
22. The apparatus of claim 15, wherein membership in said dynamic group is verified.
-
23. The apparatus of claim 15, wherein each user is represented as an inetOrgPerson object; and
wherein a class of attributes mailRecipient object is combined with said inetOrgPerson object for a user to receive mail.
-
24. The apparatus of claim 23, wherein said mailRecipient attributes define information which identifies any of the name of a messaging server that stores a user's mail, a user identifier used by said user to login to a messaging server; and electronic mail addresses that identify a specific user.
-
25. The apparatus of claim 15, wherein a dynamic group may contain other groups.
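Added example, not part of the patent text: a small evaluator for the filter expressions the claims list (equal, wildcard and presence, numeric comparison, `!`, `&`, `|`), used for the membership verification and enumeration steps and for the abstract's office-location group. It assumes the parenthesised prefix notation of LDAP string filters; the `officeLocation` attribute, the example.com entries and all function names are hypothetical, and the "sounds like" operator is left out.

```python
import re

def parse(f, i=0):                              # returns (node, index just past the filter)
    if f[i] == "(" and f[i + 1] in "&|!":       # compound: operator, then sub-filters
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed compound filter")
        return (op, kids), i + 1
    end = f.index(")", i)                       # simple item: (attribute OP value)
    m = re.fullmatch(r"\(([\w-]+)(>=|<=|=)([^()]*)", f[i:end])
    if not m:
        raise ValueError(f"bad filter item {f[i:end]!r}")
    return m.groups(), end + 1

def compile_filter(text):
    node, end = parse(text + "\0")              # sentinel: truncated input raises ValueError
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):                       # entry: attribute name -> list of values
    if len(node) == 2:
        hits = [matches(kid, entry) for kid in node[1]]
        return not hits[0] if node[0] == "!" else (all if node[0] == "&" else any)(hits)
    attr, op, want = node
    values = entry.get(attr, [])                # simplification: exact attribute name
    if op == "=":                               # '*' is a wildcard; a lone '*' tests presence
        pat = re.compile(".*".join(map(re.escape, want.split("*"))), re.I | re.S)
        return any(pat.fullmatch(v) for v in values)
    try:                                        # '>=' and '<=' compare numerically
        return any(float(v) >= float(want) if op == ">=" else float(v) <= float(want) for v in values)
    except ValueError:
        return False

def is_member(group, dn, directory):            # verify: filter the purported member's own entry
    entry, suffix = directory.get(dn), "," + group["base"].lower()
    return bool(entry) and dn.lower().endswith(suffix) and matches(compile_filter(group["filter"]), entry)

def enumerate_members(group, directory):        # enumerate: run the search at delivery time
    return [e["mail"][0] for dn, e in directory.items() if is_member(group, dn, directory)]

# Constructed sample data: one group definition and three entries with hypothetical names.
GROUP = {"base": "ou=People,dc=example,dc=com", "filter": "(&(objectClass=inetOrgPerson)(officeLocation=Building 7))"}
DIRECTORY = {
    "uid=alice," + GROUP["base"]: {"objectClass": ["inetOrgPerson"], "officeLocation": ["Building 7"], "mail": ["alice@example.com"]},
    "uid=bob," + GROUP["base"]: {"objectClass": ["inetOrgPerson"], "officeLocation": ["Building 2"], "mail": ["bob@example.com"]},
    "uid=carol,ou=Contractors,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "officeLocation": ["Building 7"], "mail": ["carol@example.com"]},
}
```

Because membership is computed from entry attributes each time the service is delivered, anyone able to write an attribute named in the filter can change who is in the group, so write access to those attributes needs the same control as the group definition itself.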
Specification