Two features that are easy to ship and hard to secure:
- Delegation: user A grants user B the right to do something.
- Impersonation: support/admin can act as a user.
Both are authorization problems with large blast radius if done wrong.
Delegation: safe patterns
- Make delegation explicit (who delegated, what, to whom, for how long).
- Prefer scoped delegation (only for a project, only for a role).
- Add expiry and review.
Examples
- “Alice delegates invoice approval for project X to Bob until Friday.”
- “A service account delegates read-only access to a reporting job.”
Impersonation: avoid backdoors
Impersonation should:
- require step-up authentication
- be tightly permissioned (separate from normal admin)
- be fully logged (who, when, why, what actions)
- be visible to the user or at least auditable
Pitfalls
- Creating “support can do anything” roles with no controls.
- Not separating view-as from act-as.
- Allowing impersonation for high-risk actions (payments, credential changes) without extra safeguards.
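As an added example (not the page's own code), a minimal Python model of the controls above: a delegation is an explicit record scoped to one action and one project with an expiry, and impersonation is a separate permission that requires recent step-up authentication, distinguishes view-as from act-as, refuses the high-risk actions, and writes an audit record for every decision. The permission name `support.impersonate`, the 15-minute step-up window, and the sample users and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock
FRIDAY = datetime(2024, 5, 3, 17, 0, tzinfo=timezone.utc)
HIGH_RISK = {"make_payment", "change_credentials"}      # never via impersonation here
STEP_UP_MAX_AGE = timedelta(minutes=15)                 # assumed step-up window
AUDIT = []  # stand-in for an append-only audit sink

@dataclass(frozen=True)
class Delegation:  # explicit: who delegated what, to whom, in which scope, until when
    grantor: str
    grantee: str
    action: str      # e.g. "approve_invoice"
    scope: str       # e.g. "project:X"
    expires: datetime

@dataclass(frozen=True)
class Impersonation:
    actor: str                      # support/admin doing the impersonating
    target: str                     # user being impersonated
    mode: str                       # "view" (view-as) or "act" (act-as)
    reason: str                     # justification, always logged
    step_up_at: Optional[datetime]  # when the actor last re-authenticated

# Constructed sample data: Alice delegates invoice approval on project X to Bob until Friday.
DELEGATIONS = [Delegation("alice", "bob", "approve_invoice", "project:X", FRIDAY)]
ROLES = {"carol": {"support.impersonate"}, "dave": {"admin"}}  # impersonation is its own permission

def delegation_allows(who, action, scope, delegs=DELEGATIONS, now=NOW):
    # Allow only an unexpired delegation whose action AND scope match exactly.
    return any(d.grantee == who and d.action == action and d.scope == scope
               and now < d.expires for d in delegs)

def impersonation_allows(session, action, roles=ROLES, now=NOW):
    # Gate an impersonated action; every verdict, allow or deny, is audited.
    if "support.impersonate" not in roles.get(session.actor, set()):
        verdict = "deny: no impersonation permission"
    elif session.step_up_at is None or now - session.step_up_at > STEP_UP_MAX_AGE:
        verdict = "deny: step-up authentication missing or stale"
    elif session.mode == "view" and action != "view":
        verdict = "deny: view-as session cannot act"
    elif action in HIGH_RISK:
        verdict = "deny: high-risk action blocked while impersonating"
    else:
        verdict = "allow"
    AUDIT.append({"at": now.isoformat(), "actor": session.actor, "as": session.target,
                  "mode": session.mode, "action": action, "why": session.reason, "verdict": verdict})
    return verdict == "allow"
```

A plain `admin` role (Dave) cannot impersonate at all, and even a valid act-as session for Carol is refused for payments and credential changes, so those paths stay with the user.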
Where to go next
- /category/identity-security
- /topic/identity-security/privileged-access-management-pam
- IDPro Book of Knowledge (reference): https://bok.idpro.org/
