Situation:
We have employees that are requesting for a feature that allows them to give their privileg开发者_StackOverflow社区es to another person. This is useful if they need to be on leave, and need to give their permissions/privileges to another user. Thus this another user can take actions on his/her behalf.
Example:
John is going to be on scheduled leave for the next 2 days. Seeing this may hinder the approval of documents, he then decides to designate Mary as his "impersonator." In essence, when Mary logs in to Sharepoint, she has the permissions that John originally has. It's like impersonating another user for your whole log-in session.
Current research:
I've found sites mentioning about impersonating another user to execute a block of code. However it's only for a certain piece of code.
Question:
How can I accomplish a user to impersonate another user for the whole log-in session?
I think this is not advisable as, even if you manage to do it right, it'll mess with all the security features of your site: auditing and accountability. If Mary is allowed to impersonate John, it'll virtually impossible to tell who did what.
A better solution is adopt a policy of not having a single person be the approver of time sensitive documents. Instead use groups (even if the groups will initially have 1 person). This way when John goes on vacation, he (or an admin) can add Mary to the group and she can do his tasks without having to impersonate him.
If you do want to implement impersonation, you might have to use Forms authentication. Perhaps create a new zone that uses forms. So when John requests that Mary be allowed to impersonate him, you put that in some database table. When Mary logs on using the forms URL, you lookup the value of the person she's supposed to impersonate and associate her session with that person's account.
精彩评论