
Some time ago, Facebook introduced a feature that helps set up the permissions on one's profile: view as someone else. It allows the author of a dynamic page to see which user groups (or specific users) can see which information on the page, and thereby debug the permissions. A similar feature exists in LinkedIn.

Modern applications, especially B2B ones, may have much more complex permission settings, so such a tool is much more useful. However, as far as I know, this function is not very widespread. I wonder what the disadvantages may be, or whether there is any RFC or best-practice article I can read before considering it for my own project.

texnic

1 Answer


Sure, this is called "RunAs", "impersonation", "sudo"...

It is built into Spring Security: http://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/reference/htmlsingle/#runasmanager

It's also built into most database servers:

https://msdn.microsoft.com/en-us/library/ms181362.aspx

Adding any complexity to a secure application makes it a little more likely to be vulnerable.

Neil McGuigan
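As an added illustration of the "view as" feature from the question and the impersonation caveat from the answer (example code, not from either poster and not Spring Security's or SQL Server's implementation): the impersonated principal is used only to evaluate visibility, the real session is never swapped out, the result is capped at what the session itself may see, and every use is audited. Profile fields, audiences and the friends list are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str

# Constructed sample profile: each field maps to the audiences allowed to see it.
PROFILE_ACL = {
    "name": {"public"},
    "email": {"friends", "owner"},
    "phone": {"owner"},
}

FRIENDS = {"alice": {"bob"}}  # constructed: alice's friends list

def audiences_for(owner: str, viewer: Principal) -> set:
    """Audience labels that apply when `viewer` looks at `owner`'s profile."""
    labels = {"public"}
    if viewer.user_id == owner:
        labels.add("owner")
    if viewer.user_id in FRIENDS.get(owner, set()):
        labels.add("friends")
    return labels

def visible_fields(owner: str, viewer: Principal) -> set:
    """Fields of `owner`'s profile that `viewer` is allowed to see."""
    allowed = audiences_for(owner, viewer)
    return {field for field, aud in PROFILE_ACL.items() if aud & allowed}

AUDIT = []  # in-memory stand-in for an audit log

def view_as(session: Principal, owner: str, target: Principal) -> set:
    """Scoped, read-only impersonation: only the profile owner may ask
    "what does `target` see?". The session principal is never replaced,
    the answer can never exceed what the session itself may see, and the
    request is logged so misuse of the feature is visible afterwards."""
    if session.user_id != owner:
        raise PermissionError("only the profile owner may use view-as")
    AUDIT.append((session.user_id, "view_as", target.user_id))
    as_target = visible_fields(owner, target)
    return as_target & visible_fields(owner, session)  # never an elevation
```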