Impersonation Access Problem

Question asked by Jim-Lundell-3M on May 14, 2016
Latest reply on Aug 25, 2016 by Ujwol Shrestha

I’m having problems limiting what an impersonated session has access to in one of our environments. The problem, at a simplified level, is illustrated below.  We have one top-level realm (/root) that is protected.  Under this realm are numerous URLs – but how they are to be protected is not easily specified so multiple complex rules are required under a single realm.

Example URL:  http://www.myapp.com/root*

For this example, there is one top level realm named “/root”.   Under this realm are three rules.

    ‘/*’        - Get rule for /root/*
    ‘/google*’  - Get rule for /root/google/
    ‘/bing*’    - Get rule for /root/bing/

There is a simple static redirect for /root/google/ to redirect to Google and for /root/bing/ to redirect to Bing.  

For this test, I want to allow an Impersonated session access to only Google.  I created two new rules as shown below. These rules were applied to the appropriate policies.

    ‘/google*’  - ImpersonateStart
    ‘/google*’  - ImpersonateStartUser

For my testing, an impersonator is redirected to Google; this works as expected.

PROBLEM:  This same impersonated session is also able to access content for Bing and /root/*, which should not be allowed. It seems that allowing impersonation on a more fine-grained rule is also allowing an impersonator access for the other rules. This should not be allowed.

QUESTION:  What am I doing wrong here? 