
The hierarchy

Feb 19, 2003

* The hierarchical nature of directories

I spent last week in Phoenix at the first Directory Experts conference for eDirectory put on by Netpro – and a well-done conference it was. It also meant I got to spend a lot of time with Novell’s “Four Horsemen” of eDirectory – the cheerleader (Justin Taylor), the rev (Ted Haeger), Mr. T (Ivan Hurtt) and the beet digger (Loren Russon). While much of the talk was about current eDirectory technology, there was a bit of blue sky concerning the future of directory services, identity management and what they can do for you.

One proposal that caught my fancy had to do with the hierarchical nature of the directory.

All modern directories are hierarchical, starting at the root and flowing down through branches and containers to leaves. Leaf objects are named according to their position in the hierarchy. This was declared in the X.500 spec 20 years ago, and it has always been followed. The design of the tree, the shape of the hierarchy, can determine not only the efficiency of the directory but also what you can actually do with it.

Frequently, application developers must request an external index of the objects in the tree in order to effectively use the information that it stores. Maintaining most large trees creates a structure that most closely resembles San Jose’s famous Winchester Mystery House, with its myriad of stairways leading nowhere and windows that have no view. But suppose we could maintain multiple hierarchies at the same time?

I first broached this subject last July (see editorial links below) when I shared the thoughts of Michel Prompt, Radiant Logic’s founder and CEO on what he called “virtual schemas”. Prompt’s idea is that the context in which we view the directory hierarchy (its structure, based on its schema) changes so the schema should be flexible enough to change with it. Novell’s idea is to recreate the datastore, perhaps as a very flat space, with a virtual hierarchical structure that changes depending on your need.

Here’s one example of how this can work in practice. Many people need access to the enterprise’s resources from multiple locations – at a desk inside the firewall, from a PC at home, from a laptop on the road or from a PDA almost anywhere. Today, we have to laboriously construct different scenarios to ensure both the user’s access and the enterprise’s security. People outside the firewall generally have lower security, so they should get lower access. People using a PDA, on the other hand, have different user interface needs than those connecting from a laptop or desktop. The hierarchical structure of the directory allows rights and privileges to flow down to users, but having a single hierarchy means this flow is designed for only a single scenario – usually for users who access the network from a desktop in their office or cubicle.

But suppose the hierarchy could be viewed differently based on who the user was, where they were accessing the network from and what platform they were using? Instead of reams of policies, hundreds of lines of “if…then” coding and filters for each resource based on every possible contingency, suppose you could create separate hierarchies based on the combination of who-what-where? Not only does it make the network manager’s job easier, but it also increases the security of the enterprise because there are fewer points of failure (one policy instead of 50, for example). Radiant Logic can talk to you about this right now, Novell wants to talk to you about it in the very near future and other directory vendors should be getting ready to talk to you about it because this is where we’re headed with identity management.
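To make the who-what-where idea concrete, here is an added illustration in Python (not code from the column, and not Novell’s or Radiant Logic’s implementation): a flat datastore with no fixed tree, two constructed virtual hierarchies selected by the access context, and rights attached to virtual containers that flow down to the user. The user names, attributes, views and rights are all constructed for the example.

```python
"""Context-selected virtual hierarchies over a flat directory datastore."""

# Constructed flat datastore: each object carries attributes but no fixed tree position.
USERS = {
    "alice": {"dept": "finance", "role": "analyst"},
    "bob": {"dept": "it", "role": "admin"},
}

# One virtual hierarchy per access scenario: the ordered attributes that form the tree.
# The office view branches by department and role; the remote view branches by platform first.
VIEWS = {
    "office": ("location", "dept", "role"),
    "remote": ("location", "platform", "dept"),
}

# Rights hang on virtual containers (named by their path) and flow down to every leaf beneath.
# Outside the firewall the top container grants less; the platform container refines the UI.
CONTAINER_RIGHTS = {
    "location=office": {"read", "write"},
    "location=office/dept=it": {"admin"},
    "location=home": {"read"},
    "location=home/platform=laptop": {"write"},
    "location=road": {"read"},
    "location=road/platform=pda/dept=finance": {"summary-ui"},
}


def select_view(context):
    """Pick the hierarchy from the 'where': inside the firewall or not."""
    return "office" if context.get("location") == "office" else "remote"


def virtual_dn(user, context):
    """Name the user by position in the hierarchy chosen for this who-what-where."""
    attrs = {**USERS[user], **context}
    parts = [f"{attr}={attrs.get(attr, 'unknown')}" for attr in VIEWS[select_view(context)]]
    return "/".join(parts + [f"cn={user}"])


def effective_rights(user, context):
    """Union of the rights on every container above the leaf: rights flow down the tree."""
    containers = virtual_dn(user, context).split("/")[:-1]
    rights = set()
    for depth in range(1, len(containers) + 1):
        rights |= CONTAINER_RIGHTS.get("/".join(containers[:depth]), set())
    return rights


if __name__ == "__main__":
    for ctx in ({"location": "office"}, {"location": "home", "platform": "laptop"},
                {"location": "road", "platform": "pda"}):
        print(virtual_dn("alice", ctx), sorted(effective_rights("alice", ctx)))
```

A context with an unknown platform lands under a container with no rights attached, so the user keeps only what the location container grants; one set of container rights replaces a separate if/then policy per scenario.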