Ayende @ Rahien

It's a girl

Security Models: On Behalf Of

In a security system, On Behalf Of is a vastly underutilized concept. I created that for the first time in 2007, in a project that spurred the creation of Rhino Security. On Behalf Of allows another user to assume the mantle of another user. From the authorization system, once you activate On Behalf Of, you are that other user. That means that you have all the access rights (and limitations) of that user.

Why is this useful?

  • On Behalf Of gives a help desk operator a very quick way to reproduce a bug that a user run into. Usually those bugs are things like “why can’t I see product Foo”, or “I run into a bug in Order #823838”. Those bugs can only be reproduced when the help desk operator is running within the security context of the user.
  • On Behalf Of represent how the real world work. Imagine a Team Leader that takes a vacation. For the duration of the vacation, there is someone else that assumes that Team Leader role on a temporary basis. On Behalf Of allows that someone to do the required work, in the the context of the Team Leader, which allows her to perform operations that she would otherwise may not be able to do.

Auditing

On Behalf Of has important implications on auditing. In most systems where auditing plays a role, the user who perform the action is just as important as the action that was taken. On Behalf Of integrates with the auditing system, to indicate not only who actually did the operation (the end user), but also what user that operation was On Behalf Of. This is important, because it avoid “impossible” audit entries later on, where either “I was in vacation that time, I couldn’t have done it” or “I never had permissions to do this, there is a bug in the system” might crop up.

It is important to note that most systems where On Behalf Of is used have a sophisticated security rules. At that point, system administrators are more akin to Windows’ Administrators than Unix’s Root. In Unix, if you are root, you can do whatever you like. In Windows, if you are Administrator, you can do almost everything that you like. A typical example is that as an administrator on Windows, you can’t read another’s user files without leaving a mark that you can’t remove (changing ownership), but there are others.

You can think about On Behalf Of as an extension to this, we want to act as another user, but we have to know that we did. That is why you want to be able to pull the operations made by users acting On Behalf Of other users from the Auditing System easily. In fact, when running On Behalf Of, your audit level is much increased, because we need to track what sort of operations you made, even operations that are normally below the audit level of the system (viewing an entity you otherwise had no way of accessing, for example).

Authorization

From authorization perspective, the actual mechanics are pretty simple, instead of passing the actual user to the security system, you pass the user that we execute operations On Behalf Of.

However, the security system does need to be aware of On Behalf Of, because there are some operations that you cannot perform On Behalf Of someone else. For example, while I may be authorized to act On Behalf on another Team Leader, it is not possible for me to fire a team member while operating On Behalf Of Team Leader. Firing someone is a decision that can be made only by that person direct manager, not by someone acting On Behalf Of. This is a business decision, mind you, to define the set of operations that may be performed On Behalf Of (usually most of them) and the few critical ones that you mustn’t.

Authentication

As you can imagine, there is a great deal to abuse with this feature, so for the most part, it is strictly limited. Usually it is active for system administrators only, but very often, there are both temporary and permanent set of conditions where On Behalf Of is enabled.

For example, an exec is always able to act On Behalf OF his captain. And we already discussed covering another Team Leader when they are sick / vacationing / etc.

Summary

On Behalf Of is a powerful feature, but it requires understanding from the users, it has the potential to be looked at as a security hole, even though it is just a reflection of how we work in real life. And the implications if the users expect some level of privacy in the system are huge. A large part of implementing On Behalf OF correctly isn’t in the technical details, it is in the way you build /document / sale it to the users.

Comments

Robert M.
09/05/2010 09:45 AM by
Robert M.

I would really like to see a practical post about impersonation and audit logging for users acting on behalf of others.

Does Rhino Security embed this kind of functionality?

scooletz
09/06/2010 07:21 AM by
scooletz

The 'On behalf of' feature was one of the core components I introduced in my authorization project. The difference between 'on behalf of' and the standard user was captured in 'active user' and 'logged in user'. The majority of authorizations were set on the basis of 'active user'. There was also of subset crucial allowances which based on the 'logged in user', hence, logging as another user did not allow you using these rights.

Ayende Rahien
09/06/2010 07:25 AM by
Ayende Rahien

Robert,

No, RS is for making security decision. You app need to provide the user instance, and you can certainly provide a different user than the logged on one.

Travis Illig
09/07/2010 02:35 PM by
Travis Illig

WS-Trust has ActAs and OnBehalfOf built in. Granted, it's not the slimmest protocol, but it is "standardized" and a lot of security professionals understand it. Even if you don't use it directly, you could explain your own system in terms of that and the "sale" of the feature might be easier.

Farooq
09/15/2010 10:19 AM by
Farooq

I am looking on how can the Rhino Security or another way of data security, can best handle the following scenario.

I have a table "Employees" and along with other columns, there is a string column "Referred By" and requirements is to keep this column's data as encrypted or encoded so even Postgresql DBA can't see the column's data. From UI perspective, the requirement is the as user will type characters in the 'Referred By' text box, a like search with entered characters will be performed just like Firefox's quick search functionality, e.g. if 'Andr' is entered then all records with Andr% needs to be fetched and shown. Just to remind, this column's data needs to be either encrypted or encoded or some way of DB plus NHibernate security to prevent the contents of this column to be seen from Postgresql DBA.

How can this situation be managed?

Ayende Rahien
09/15/2010 10:48 AM by
Ayende Rahien

Farooq,

You can't, really.

There are solutions that you can use, but there has to be something that can see all the data.

And say goodbye for indexing as well.

What you probably want to do is to push it to an external lossy index (say, Lucene with Store=No). This can give you what you want there.

Farooq
09/15/2010 01:45 PM by
Farooq

Dear Ayende,

Loosing indexing is alright in this case to fulfill the requirment. Can you please elaborate the solution involving Lucene?

Regards,

Ayende Rahien
09/15/2010 01:48 PM by
Ayende Rahien

Take a look at how Lucene works, by default, it will loss the actual value and hold only the search vector

Comments have been closed on this topic.