An individual is granted access to a service through some formal mechanism, however the indivudual would like to delegate that access to one or more individuals who cannot be identified through any authoritative means.  For example, a faculty member wishes to delegate a variety of tasks for their course to individuals whose role or membership in the course is not captured as part of the ERP or directory service. Only the faculty member knows the users and their specific roles, so the assignments cannot be managed centrally.

Delegation of the access may be specific and temporary (ie, allow someone to approve purchaes while I am on vacation) or may be permanent (I would like my administrative assistant to be able to act as my proxy.)  The nature of the access is such that I cannot delegate more authority than I have myself, and I will still be held accountable for the actions taken on my behalf.


Proxy and delegation solutions are often application-specific.  For example, in the faculty example above, the same application that is used to gather final grades could provide a user-interface for the faculty member to manage the delegation of grading.  Wherever possible, capturing delegation or proxy assigments in a central IdM system allows multiple applications to provision based on a single delegation.


Graphics (click on them to view full size)