Within SASL there is a capability where during the authentication phase
the agent being authenticated can request that subsequently they want
the authorization privileged of another agent.
The loading the identity of the agent being requested is fine but at the
moment I am looking within PicketLink IDM at how this one agent being
able to run as another agent can be modeled.
I can see using a custom relationship how it should be fairly easy to
model a 1:1 mapping of users that an 'impersonate' each other but I have
a few additional scenarios that could also be needed so wanted to look
for ideas on how to support all of these simultaneously.
- A single agent can impersonate a single agent.
- A single agent can impersonate any user that is a member of a
specified group.
- A member of a specific group can impersonate a single agent.
- A member of one group can impersonate an agent of another (or same)
group.
As mentioned in IRC over the last couple of days having some form of
permissions check API in the IDM for the non AS processes feels like it
would fit this really well - however at the moment I can perform this
check outside of any permissions API so just looking for ideas how it
could be achieved.
Regards,
Darran Lofthouse.