摘要
There are many business needs for implementing delegation in IT (Information Technology) systems. However, existing approaches to delegation in IT systems are limited in their usability, flexibility, and capability to implement least privilege. The result is that delegation is either not implemented or is implemented informally (e.g., by sharing credentials [passwords or hardware tokens] between users), resulting in serious security concerns and a lack of accountability. This paper describes a methodology for delegation based on the persona concept. A persona is a special category of user that embodies only delegated privileges, and which is explicitly assumed only after the "real" human user taking on that persona explicitly chooses it, This paper describes the persona delegation framework in the context of a large enclave-based architecture currently being implemented by a major enterprise. The creation of a persona solves a lot of downstream problems by allowing the persona to be treated like any other entity in the system. That is, identity, authentication, authorization, and other security processes already know how to handle an entity of this type. Benefits of the framework include increased flexibility to handle a number of different delegation business scenarios, decreased complexity of the solution, and greater accountability with only a modest amount of additional infrastructure required.
