Normalized indications of compromise
US-2018278650-A1 · Sep 27, 2018 · US
US10880295B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10880295-B2 |
| Application number | US-201715450482-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 6, 2017 |
| Priority date | Mar 6, 2017 |
| Publication date | Dec 29, 2020 |
| Grant date | Dec 29, 2020 |
Official abstract text for this publication.
The disclosure relates to apparatuses and methods for a computer network comprising hosts accessible by directory users whose user identity information is maintained in a user information directory. The apparatus comprises at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to manage information of configurations for attribute based filtering of access requests by the directory users for a plurality of hosts and separately from the user information directory.
Opening claim text (preview).
We claim:

1. An apparatus for a network node in a computer network comprising hosts accessible by directory users using a user information directory for accessing the hosts, wherein user identity information of the directory users is maintained in the user information directory as members of at least one directory user entity, wherein the user information directory maps user identity information of access requesting directory users to the at least one directory user entity, and wherein the directory users access the hosts as members of the at least one directory user entity, the apparatus comprising: at least one processor, and memory for storing instructions that, when executed, cause the network node to centrally, and separately from the user information directory, manage information for configuring attribute based filters for a plurality of hosts for attribute based filtering of access requests by the directory users to the plurality of hosts, wherein: an access requesting directory user is defined in an access request as a member of the at least one directory user entity based on a mapping, by the user information directory, of user identity information of the access requesting directory user to the at least one directory user entity, two or more hosts share an attribute based filter configuration provided by a separate entity from at least one of the two or more hosts, and the attribute based filter configuration shared by the two or more hosts provides a separate attribute based filtering of the access request based on a membership of the access requesting directory user to the at least one directory user entity, wherein the apparatus is configured to require a key for granting a requested access to at least one host in addition to user specific filtering information stored in a memory.

2. The apparatus according to claim 1, configured to manage the attribute based filters based on two matrices, wherein a first matrix is configured for mapping hosts to sets of filtering rules and a second matrix is configured for mapping the sets of filtering rules to at least one of a directory, an attribute, and a user.

3. The apparatus according to claim 1, configured to collect configuration information of the attribute based filters for filtering access requests by the directory users and maintain the collected configuration information separately from the user information directory.

4. The apparatus according to claim 1, further configured to control access of the directory users to one or more hosts by filtering access requests containing user identity information of a requesting directory user, wherein the filtering is based on directory user specific filtering information stored in a memory for controlling access of individual directory users to the one or more hosts.

5. The apparatus according to claim 4, wherein the user identity information of the requesting directory user is arranged to indicate a user defined in the user information directory.

6. The apparatus according to claim 4, wherein the user identity information of the requesting directory user is arranged to identify the user information directory where a user is defined.

7. The apparatus according to claim 1, wherein the key is an identity key arranged for authorizing a user to access a host having a corresponding authorized key configured as an access granting key.

8. The apparatus according to claim 1, further configured to use information about at least one use of the key, wherein the information about the at least one use of the key comprises information of at least one of: time of use or times of use of the key, identity of at least one host on which the key has been used, identity of at least one host to which the key has been used to authenticate a user, or identity of at least one user for whom the key has been used for authentication.

9. The apparatus according to claim 1, further configured to use information of authentications or logins as an indication of a directory user.

10. The apparatus according to claim 9, wherein the information of authentications or logins comprises at least one of: an indication of at least one time of authentication or login, an indication of a time of last authentication or login, at least one identification of a Secure Shell protocol key used for at least one authentication or login, or at least one identification of a host from which at least one authentication connection was made.

11. A method for managing access information in a computer network where hosts are accessible by directory users using a user information directory for accessing the hosts, wherein user identity information of the directory users is maintained in the user information directory as members of at least one directory user entity, wherein the user information directory maps user identity information of access requesting directory users to the at least one directory user entity, and wherein the directory users access the hosts as members of the at least one directory user entity, the method comprising: managing, centrally by a network node, for a plurality of hosts, in a storage, and separately from the user information directory, information regarding configuring of attribute based filters for attribute based filtering of access requests to the plurality of hosts by the directory users defined as members of the at least one directory user entity, wherein: the access requesting directory users are defined in the access requests as members of the at least one directory user entity based on a mapping, by the user information directory, of the user identity information of the access requesting directory users to the at least one directory user entity, two or more hosts share an attribute based filter configuration provided by a separate entity from at least one of the two or more hosts, and the attribute based filter configuration shared by the two or more hosts provides a separate attribute based filtering of the access requests based on memberships of the access requesting directory users to the at least one directory user entity, wherein an apparatus for the network node is configured to require a key for granting a requested access to at least one host in addition to user specific filtering information stored in a memory.

12. The method according to claim 11, comprising maintaining the information regarding the configuring of the attribute based filters in two matrices, wherein a first matrix maps hosts to sets of filtering rules and a second matrix maps the sets of filtering rules to at least one directory, attribute, and user.

13. The method according to claim 11, further comprising collecting configuration information of the attribute based filters for filtering access requests by the directory users and maintaining the collected configuration information separately from the user information directory and the plurality of hosts.

14. The method according to claim 13, wherein the collecting comprises scanning the plurality of hosts and/or monitoring traffic in the computer network.

15. The method according to claim 11, comprising filtering access requests based on the information regarding the configuring of the attribute based filters for attribute based filtering.

16. The method according to claim 15, further comprising: receiving an access request containing user identity information for a directory user, and controlling access of the directory user to at least one host by filtering the access request by an access request filtering entity based on the user identity information for the dir
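The two-matrix arrangement of claims 2 and 12, combined with the key requirement of claims 1 and 7 and the key-use record of claim 8, can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the patent or its assignee: the host names, group names, rule format, key identifiers and the `decide()` function are all assumptions chosen to show how a centrally managed filter configuration can be shared by several hosts while each host keeps its own set of access-granting keys. Matrix 1 maps hosts to rule sets; matrix 2 maps rule sets to constraints on a directory, an attribute (here, a group membership supplied by the directory) or a user.

```python
"""Toy model of centrally managed attribute based filtering (added example,
not the patent's implementation). All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class AccessRequest:
    host: str                  # host the directory user wants to reach
    directory: str             # directory where the user is defined (cf. claim 6)
    user: str                  # user as defined in that directory (cf. claim 5)
    groups: FrozenSet[str]     # directory user entities the directory mapped the user to
    key_id: Optional[str]      # identity key presented with the request (cf. claim 7)

# Matrix 1: host -> sets of filtering rules. db01 and db02 share one
# configuration, as claim 1 describes for "two or more hosts".
HOST_RULESETS: Dict[str, FrozenSet[str]] = {
    "db01.example.test": frozenset({"dba-access"}),
    "db02.example.test": frozenset({"dba-access"}),
    "bastion.example.test": frozenset({"ops-access", "break-glass"}),
}

# Matrix 2: rule set -> rules. Each rule constrains at least one of a
# directory, an attribute (group) or a user; an absent field is a wildcard.
RULESETS: Dict[str, List[Dict[str, str]]] = {
    "dba-access": [{"directory": "corp.example.test", "attribute": "dba"}],
    "ops-access": [{"directory": "corp.example.test", "attribute": "ops"}],
    "break-glass": [{"user": "alice"}],
}

# Per-host authorized keys acting as access granting keys (cf. claim 7).
# These are constructed identifiers, not real key material.
AUTHORIZED_KEYS: Dict[str, FrozenSet[str]] = {
    "db01.example.test": frozenset({"key-alice-1", "key-bob-2"}),
    "db02.example.test": frozenset({"key-alice-1"}),
    "bastion.example.test": frozenset({"key-alice-1"}),
}

# Record of key uses: time, key, host and user (the fields listed in claim 8).
KEY_USE_LOG: List[Dict[str, str]] = []

def rule_matches(rule: Dict[str, str], req: AccessRequest) -> bool:
    """Every constraint present in the rule must hold for the request."""
    if "directory" in rule and rule["directory"] != req.directory:
        return False
    if "attribute" in rule and rule["attribute"] not in req.groups:
        return False
    if "user" in rule and rule["user"] != req.user:
        return False
    return True

def filter_passes(req: AccessRequest) -> bool:
    """Matrix 1 selects the rule sets for the host; matrix 2 supplies the rules.
    The request passes if any rule of any selected rule set matches."""
    for rs_name in HOST_RULESETS.get(req.host, frozenset()):
        if any(rule_matches(rule, req) for rule in RULESETS.get(rs_name, [])):
            return True
    return False

def decide(req: AccessRequest, now: str) -> str:
    """Attribute based filtering first; then, as claim 1 requires, a key
    authorized on the target host is needed in addition. Returns
    'allow', 'deny:filter' or 'deny:key'."""
    if not filter_passes(req):
        return "deny:filter"
    if req.key_id is None or req.key_id not in AUTHORIZED_KEYS.get(req.host, frozenset()):
        return "deny:key"
    KEY_USE_LOG.append({"time": now, "key": req.key_id, "host": req.host, "user": req.user})
    return "allow"

if __name__ == "__main__":
    alice = AccessRequest("db01.example.test", "corp.example.test", "alice",
                          frozenset({"dba"}), "key-alice-1")
    bob_nokey = AccessRequest("db01.example.test", "corp.example.test", "bob",
                              frozenset({"dba"}), None)
    print(decide(alice, "2017-03-06T10:00:00Z"), decide(bob_nokey, "2017-03-06T10:01:00Z"))
```

Note what the shared configuration does and does not share: `db01` and `db02` evaluate the same `dba-access` rule set, so a change to that rule set takes effect on both hosts, but the access granting keys remain per host, so a user who passes the filter on both hosts may still be refused on one of them for lack of an authorized key.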
CPC classification titles:

- Configuration management of networks or network elements (address allocation H04L61/50)
- using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226)
- Entity profiles
- when the policy decisions are valid for a limited amount of time
- to a system of files or objects, e.g. local or distributed file system or database