[security-dev] PicketLink IDM Relationships and SASL Authorizations

[Darran Lofthouse]

Within SASL there is a capability where during the authentication phase 
the agent being authenticated can request that subsequently they want 
the authorization privileged of another agent.

The loading the identity of the agent being requested is fine but at the 
moment I am looking within PicketLink IDM at how this one agent being 
able to run as another agent can be modeled.

I can see using a custom relationship how it should be fairly easy to 
model a 1:1 mapping of users that an 'impersonate' each other but I have 
a few additional scenarios that could also be needed so wanted to look 
for ideas on how to support all of these simultaneously.

  - A single agent can impersonate a single agent.
  - A single agent can impersonate any user that is a member of a 
specified group.
  - A member of a specific group can impersonate a single agent.
  - A member of one group can impersonate an agent of another (or same) 
group.

As mentioned in IRC over the last couple of days having some form of 
permissions check API in the IDM for the non AS processes feels like it 
would fit this really well - however at the moment I can perform this 
check outside of any permissions API so just looking for ideas how it 
could be achieved.

Regards,
Darran Lofthouse.