Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
What is impersonnation
Hello I'm Bob, connect me as Alice.
Use cases:
- 1. Migration: migration user impersonnate existing user to migrate in/out emails of the user
- 2. Assistance: An admin impersonate a user to assist them with one problem...
- 3. Delegation: The secretary impersonnate her boss mails.
What exists today in James
Impersonation exists for IMAP AUTHENTICATE PLAIN.
Impersonation relies on the 'Authorizator' interface.
A simple implementation of it is provided: We then verify this the user performing the impersonation is an admin account defined in the configuration.
This makes it suitable for simple use cases defined in 1 and 2 (where multi-tenancy is not an issue)
However, this is unsuitable for more advanced use cases.
Proposal
Provide a configuration option to enable fine-grained authorization.
If enabled, a storage API for delegation will be enabled (stores user X have the right to impersonate to user Y). We can then have a webadmin API to manage this, as well as the wiring needed in the AUthorizator.
