A method of managing access to a network resource is provided. An access
query generated by a user requesting access to one of a group of
resources is received. In response, a directory schema is used to
determine the privileges assigned to the user for accessing the resource.
The directory schema includes an association object associating user
objects representing multiple users, a resource group object representing
the group of resources, and privilege objects representing privileges of
users for accessing each of the group of resources such that the
association defines the privileges of various users for accessing the
group of resources. Determining the user's privileges for accessing the
resource includes using a first link between a resource object
representing the resource and the resource group object and a second link
between the resource group object and the association object to identify the
association object, and using the identified association object to
determine the privileges assigned to the user for accessing the resource.
The determined privileges of the user for accessing the resource are then
communicated to the resource.
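
The lookup described above, sketched as an added example that is not part of the original text: a resource is resolved to its resource group (first link), the group to its association object (second link), and the association yields the user's privileges. All class names, entry names, and the rule that the association must name the group back are assumptions made for illustration; the sample entries are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

@dataclass
class Association:
    # Association object: user objects + one resource group + privilege objects.
    dn: str
    users: Set[str] = field(default_factory=set)
    privileges: Set[str] = field(default_factory=set)
    resource_group: Optional[str] = None

@dataclass
class ResourceGroup:
    dn: str
    association: Optional[str] = None  # second link: group -> association

@dataclass
class Resource:
    dn: str
    group: Optional[str] = None  # first link: resource -> group

@dataclass
class Directory:
    resources: Dict[str, Resource] = field(default_factory=dict)
    groups: Dict[str, ResourceGroup] = field(default_factory=dict)
    associations: Dict[str, Association] = field(default_factory=dict)

    def resolve(self, user_dn: str, resource_dn: str) -> FrozenSet[str]:
        """Answer an access query; any missing link yields no privileges."""
        res = self.resources.get(resource_dn)
        grp = self.groups.get(res.group) if res and res.group else None
        assoc = self.associations.get(grp.association) if grp and grp.association else None
        # Assumption: the association must name the group back, so a group
        # entry alone cannot attach itself to an existing association.
        if assoc is None or assoc.resource_group != grp.dn:
            return frozenset()
        if user_dn not in assoc.users:
            return frozenset()
        return frozenset(assoc.privileges)

def build_sample() -> Directory:
    """Constructed sample entries; all names are hypothetical."""
    d = Directory()
    d.associations["cn=ops"] = Association("cn=ops", {"cn=alice"}, {"login", "reset"}, "cn=rack1")
    d.groups["cn=rack1"] = ResourceGroup("cn=rack1", "cn=ops")
    d.groups["cn=rack2"] = ResourceGroup("cn=rack2", "cn=ops")  # one-sided link
    d.resources["cn=srv01"] = Resource("cn=srv01", "cn=rack1")
    d.resources["cn=srv02"] = Resource("cn=srv02", "cn=rack2")
    d.resources["cn=srv03"] = Resource("cn=srv03")  # not in any group
    return d
```

The set returned by `resolve` stands in for the privileges communicated back to the resource; an empty set means the resource should refuse the request.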