Impersonation Delegation

From Guidance Share
Jump to navigationJump to search


Your application needs to access a downstream resource, typically a database, and you need to decide where to authorize the original caller who initiates the operation and what account to use to access the downstream resource.


  • Where to perform authorization and what account(s) to use access the downstream resource.


  • You want to use OS auditing to track an individual's operations in the database.
  • You want granular, per-user authorization in the database.
  • You don't want to trust the front-end application to perform user authorization.
  • Your application will scale enough to satisfy your requirements even without connection pooling.


  • Use an authentication mechanism that allows you to obtain delegatable credentials.
  • Impersonate the original caller's identity and make downstream calls using that identity.
  • Configure per-user ACLs at the back-end (e.g. within the database)