A model for authentication and authorization of users and applications that use network services. A client requests a ticket by providing credentials (user ID and password), e.g., over HTTP/SOAP/XML in the UDDI framework. An authentication adapter in a receiving server deserializes the request into a data structure that provides access to the security ID and password attributes, and passes these attributes to an ID management system to perform authentication. The credentials also determine the user's or application's privileges. The authentication adapter constructs a ticket object for the client incorporating the privileges and other information, e.g., the security ID and a date/time stamp. The ticket object is serialized, encrypted, encoded for transmission and inserted into an appropriately-formatted XML message and returned to the requesting client. The client attaches the authentication ticket to subsequent service requests that require authentication. To validate the ticket, the ticket object is reconstructed from the request data.

An administration model is provided that uses access control lists to define permissions for users and groups of users. The model identifies a number of objects to be administered. Associated with each of these objects is a set of administrative operations that can be performed on the object. For each of these operations a permission in an access control list entry is defined. The protected resources are arranged in a hierarchical fashion and an access control list can be associated with any point in the hierarchy. The access control list provides fine-grained control over the protected resources. At the time an administrator requests to perform an operation, the administrator's identification is used to look up the prevailing access control list to determine whether the operation is permitted.

A method for providing access control to a single sign-on computer network is disclosed. A user is assigned to multiple groups within a computer network. In response to an access request by the user, the computer network determines a group pass count based on a user profile of the user. The group pass count is a number of groups in which the access request meets all their access requirements. The computer network grants the access request if the group pass count is greater than a predetermined high group pass threshold value.

A system for providing group accessibility is provided. A representative resource list management system includes a group management system operable to store a resource list for a user, and a service manager operable to detect a status of a contact associated with the resource list. The resource list includes at least one group, the at least one group including a plurality of contacts. The service manager is operable to update accessibility of the at least one group in response to at least one of the plurality of contacts being accessible on a network. Methods and other systems for resource list management are also provided.

Network resource management systems are provided. A representative network update manager includes an updater coupled to a persistent database and to an administrative application residing on an application server and a memory operable to store a plurality of delayed updates. The network update manager is preferably operable to receive at least one update from the administrative application and subsequently update the persistent database. Methods and other systems for network resource management are also provided.