A Persona Framework for Attribution, Delegation and Least Privilege

There are many business needs for implementing delegation in IT systems. However, existing approaches to delegation in IT systems are limited in their usability, flexibility, and capability to implement least privilege. The result is that delegation is either not implemented or is implemented informally (e.g. by sharing credentials between users), resulting in serious security concerns and a lack of accountability and auditability. This paper describes a proposed framework for delegation based on the persona concept. A persona is a special category of user that embodies only delegated privileges, and which is explicitly assumed only after the "real" human user taking on that persona explicitly chooses it. This paper describes the persona delegation framework in the context of a large enclave-based architecture currently being implemented by the US Air Force. Benefits of the framework include increased flexibility to handle a number of different delegation business scenarios, decreased complexity of the solution, and greater accountability with only a modest amount of additional infrastructure required.