Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Comments on How to properly deal with impersonation in a Web application? (security vs. usefulness for tech support)

Parent

How to properly deal with impersonation in a Web application? (security vs. usefulness for tech support)

+7
−0

Context

Our team has begun migrating a pretty old internal application and one aspect that got my attention is the impersonation. This is implemented as follows:

  • only administrators are allowed to impersonate someone else
  • impersonation means setting the current session user to the impersonated user
  • the result is that ALL operations are done as if the impersonated user is acting (entities created with that id, logs indicate that user etc.)

This is very convenient for technical support because they can easily "see" through any user reporting an issue.

The security model is quite complex: many roles and rights, fined grained security based on multiple dimensions (country, business units, categories etc.)

However, my reaction was that is uncompliant and will fail any decent audit, because administrators can do actions with other users and nobody will know. The PO agreed that this is not OK and that the migrated version should tackle it.

The issue

Now I am looking for a solution about implementing the impersonation and get a good compromise between security and usefulness for the technical support.

The big picture that I have in mind right now is the following:

  • all actions (queries, commands and their results) will be logged to minimize the need for impersonation. Logging in the legacy application is very poor.

  • all records generated by an impersonator will get their user identifier. This ensures that impersonator cannot abuse their role, but might prevent some flows from being checked (e.g. security rules that rely on the actual user identifier like "I am not able to see non-shared documents created by another identity")

  • all rights checks (e.g. can edit a document) will be executed against the impersonated user. This ensures that the impersonator see the restrictions applied to the impersonated identity and all rules that do not rely on the actual user identifier

  • having multiple test users is hard because everything relies on Azure A/D authentication tied up to the domain account

  • alternative: allow the old fashioned impersonation to work on test environments, but I find this particularly risky and I generally dislike having any functional differences between prod and non-prod, except for the work in progress developments

How should I balance the security and usefulness for technical support-related activities?

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

Post
+9
−0

If you've poked around the mod tools here a bit, you may have noticed that QPixel has an impersonation feature, live on prod. It's there for much the same reasons: so that developers can test and identify issues that only appear for one user with a specific set of circumstances that would be difficult to reproduce.

If you've decided that impersonation in production is a required feature, you really only have two ways of doing it:

  • As you described, by executing permissions checks against the impersonated user but creating records as the impersonator. This requires you to change more code paths to be aware that impersonation is a possibility.
  • As we do it: with logging. Any time an impersonation is triggered, a log is automatically made to the admin audit log, which any admin can see. You can log as much detail as you need, right up to logging full details of every single HTTP request made while impersonating, if you need to. We don't go that far, but as long as you have impersonate-start and -end logs at minimum, then any actions the impersonated user takes between those points may have been impersonated.

You also, of course, have to define security policy for who's allowed to access the feature. In our setup, only developers have access to it - and a developer account is defined by a flag that's only settable via raw database or console access: there's no way to do it in the UI. While only a developer can impersonate someone, any administrator can see the logs of it, which is how it should be: restrict the feature, but let a wider team be able to see when it's being used.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

1 comment thread

General comments (2 comments)
General comments
Alexei‭ wrote over 3 years ago

"As we do it: with logging" - this indeed seems to be the best approach. Just had a conversation with my boss and confirmed that such a solution was used for an important product that was externally audited. The audit said it is fine to allow users to fully impersonate someone else as long everything is fully logged and some edge cases are tackled (e.g. an employee impersonating their boss and approving stuff for themselves). Thank you for the extended answer.

Peter Taylor‭ wrote over 3 years ago

If sessions include a random ID (probably not the session ID per se, because that creates potential security problems of its own) and that ID is always included as a log parameter, it allows distinguishing between the impersonated session and the real user in a separate session.