Educause Security Discussion mailing list archives

Re: Impersonation/Shadowing and Data Security


From: Tim Doty <tdoty () MST EDU>
Date: Mon, 13 Feb 2012 14:19:22 -0600

On Mon, 2012-02-13 at 13:06 -0500, Norman, David wrote:
> All,
>
> We have a request to provide a student impersonation/shadowing
> capability for university staff in several offices as a means of
> “seeing what they see” when a student or applicant calls with a
> question about our student portal.  This capability would allow staff
> to log in as the student and troubleshoot, with access to all personal
> student data on the system.  I was curious if other schools have
> implemented anything like this in their student portals, and what
> additional data security/auditing measures might have been taken.

Impersonation is, IMO, a risky game. For Blackboard we provide 'student'
accounts to faculty who need them to fulfill the need to see things as a
limited user. It isn't impersonating any student, it is (essentially) an
unprivileged account. For troubleshooting, necessary grants to mimic those
of the person experiencing a problem can be granted and then looked at.

The only place I'm aware of that we have true impersonation is with some
homegrown web applications and for that we have a homegrown library of
functions to support it. So in that case the impersonation is limited to
applications that have been specifically written to support it and the
access boundary is the application. As for logging, I believe the API
usage calls are logged and captured to our central logging. Hasn't come
up so I'm not 100% sure.

It is IMO important to remember that being able to impersonate a user
on, say, a web portal is *not* the same as the individual in question
accessing it and there are probably more useful troubleshooting
procedures that do not require impersonation. For example, is the person
doing the impersonating using the web app from the same computer and
account as the person they are impersonating? Are they using the same
web browser?

In my experience it is exactly those variables that are most important
when troubleshooting web-based problems and none of those are addressed
via impersonation.

Tim Doty

> Thanks
>
> David
>
> David Norman Director of Administrative Computing, Bentley University
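
A sketch of the design described in the reply above, as an added example that is not part of the original thread or of any library mentioned in it: impersonation works only inside applications that opt in, and every call logs both the real staff member and the student being impersonated. All names (`SUPPORTED_APPS`, `IMPERSONATORS`, `begin_impersonation`, `audited_call`), the sample accounts and the mandatory reason field are assumptions.

```python
import json
import time

# All names and sample accounts here are hypothetical, constructed for illustration.
SUPPORTED_APPS = {"student-portal"}                        # apps written to support impersonation
IMPERSONATORS = {"registrar_staff1": {"student-portal"}}   # staff -> apps they may use it in
AUDIT_LOG = []                                             # stand-in for a central log forwarder


class ImpersonationDenied(Exception):
    pass


def audit(event, **fields):
    """Append one JSON audit record and return it as a dict."""
    record = {"ts": time.time(), "event": event, **fields}
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    return record


def begin_impersonation(actor, target, app, reason):
    """Open a session bound to a single application, or log the refusal and raise."""
    permitted = app in SUPPORTED_APPS and app in IMPERSONATORS.get(actor, set())
    if not permitted or actor == target or not reason.strip():
        audit("impersonation_denied", actor=actor, target=target, app=app)
        raise ImpersonationDenied(f"{actor} may not impersonate {target} in {app}")
    audit("impersonation_start", actor=actor, target=target, app=app, reason=reason)
    return {"actor": actor, "effective_user": target, "app": app}


def audited_call(session, app, action):
    """Log an API call with both identities; refuse calls outside the session's app."""
    ids = {"actor": session["actor"], "effective_user": session["effective_user"]}
    if app != session["app"]:
        audit("boundary_violation", app=app, action=action, **ids)
        raise ImpersonationDenied(f"session is only valid inside {session['app']}")
    return audit("api_call", app=app, action=action, **ids)


if __name__ == "__main__":
    s = begin_impersonation("registrar_staff1", "student42", "student-portal",
                            "ticket 1001: schedule not showing")
    audited_call(s, "student-portal", "view_schedule")
    print("\n".join(AUDIT_LOG))
```

Because the audit record carries `actor` and `effective_user` as separate fields, a reviewer can tell staff activity apart from the student's own activity in the central log.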