Browse Prior Art Database

System for augmenting web access with delegated permissions of another user Disclosure Number: IPCOM000236156D
Publication Date: 2014-Apr-10
Document File: 7 page(s) / 102K

Publishing Venue

The Prior Art Database


This article outlines a system for augmenting web access with delegated permissions of another user

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 30% of the total text.

Page 01 of 7

System for augmenting web access with delegated permissions of another user

In deployments where privileged users are required to act on behalf of another user, technology solutions do not exist that consider the combined privileges of both users. A clear example of where such a problem exists is within a standard IT help desk situation, where debugging a problem may require a help desk to assume full permission of the end user, at any time and for any period. This introduces vulnerabilities since the help desk user may operate beyond the permission required to perform the operation and may assume the identity of anyone at any time, without limitations. A solution is required that limits this permission, by giving greater control to the end user, such that they may specify limits to access.

References and documents:

OAuth standard does allow for a scoped permission to be applied to a service (or user) in possession of the token. However, this token only provides scoped permission for access to an end service. An access token alone, however, does not consider both the permissions of the possessor as well as the permissions granted to the help desk user. It also does not provide a seemless integration into a session management capability.

Product solutions provide switching of user capabilities that allow a pre-determined privileged user to switch to another. The problem with this approach is that it can happen at any time, without permission, and grants full permission to the privileged user:

An alternative solution is required that considers session behaviour in situations where an existing session must be augmented with a granted permission to provide temporary access, and considers a method for returning the original session state back to normal access.

This articles outlines a mechanism for orchestrating session behaviour in cases where a web user must act on behalf of another end user for a period of time, compromising:

Delegation of user access to recipient for defined period of time

Augmenting of recipient's session with new scoped session of delegator, with scope provided that targets only a specific

application access

Switching of this new session as primary session for recipient, original session becomes secondary

Returning secondary session back to recipient's session upon expiry or termination of delegation

The advantages over known solutions are as follows:

Delegator has full control over their rights to delegate to a pre-determined role (e.g. help desk)

Ability to limit validity period

Session control is maintained by the end user

Seamless transition between session states for recipient

Minimizing impact on user productivity by eliminating out of band communication


Page 02 of 7

May be implemented without changes to application

An example of such a system is to augment a help desk session with a subset of of the access from an end user account . Figure 1 show the components involved in the system.

Figure 1: Diagram...