1. Field of the Invention
The present invention relates to computer systems, and more specifically to a system, method, and program product for authenticating as one user but providing access as a different user or class of users.
2. Description of Related Art
In today's computing environment, significant measures are taken to prevent unauthorized access to computer systems and networks while providing authorized users or classes of users with enhanced computing experiences. In the context of computer security, “authentication” is the process of establishing the identity of a client or user. The authentication is usually based on the user's credentials, which may describe the user's identity, group memberships, administrative roles, special privileges, and so on. “Authorization” is the process of transforming a confirmed identity of a client or user into the set of actions that the client can and cannot perform on the computer system being accessed.
A user account is often associated with classes of users. This association exists for at least two reasons. The first reason is authorization; privileges for the entire class (i.e., group) of users can be maintained with greater ease than by managing at a per-user level. The second reason is for preferences related to the user experience; in this case the experience presented to the user can be altered based on the user's class association.
It is often useful for a user to be able to temporarily step (or “morph”) into the role of another user or class of users. This is particularly useful during the testing and development of web applications. Additionally, such identity switching is useful in support roles by enabling a support staff member without access to a user's password to view what the user, or anyone in the user's class, views.
Most conventional computer systems do not provide the ability for a user to assume the role of another user or a class of other users. While some non-web based computer systems provide limited capability for a user to switch to another user identity (e.g., the “su” command in Unix/Linux computer systems and the CVIEW command in VM computer systems), these conventional commands only allow the root or administrator to switch identity without providing the other user's password. Furthermore, conventional computer systems that provide the ability for a user to access the system as a different user or class of users require at least two steps of entering user IDs and passwords (and possibly other information) before performing authentication and identity switching. Moreover, these conventional computer systems do not maintain an audit trail of which physical user actually performed an activity regardless of that user's actual system identity at the time the activity is performed.
Accordingly, there is a need for a system and method of authenticating as one user but authorizing access as a different user or class of users in a single step, while maintaining appropriate audit trails of a user's activity regardless of that user's system identity at the time the activity is performed.
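The following Python program is an added illustration, not the patent's own method or code: it shows, in one login step, the authentication-versus-authorization split described above, class (group) based privilege assignment, and a session that is authenticated as one user but authorized as another, with an audit trail that always records the physical user. All users, groups, passwords and the "impersonate" privilege are constructed sample data and hypothetical names; the rule that morphing never escalates privileges (the target may hold no right the caller lacks) is an added defensive design choice, not something the text specifies.

```python
"""Authenticate as one user, authorize as another, with an audit trail.

Added example (not the patent's method). Accounts, groups, passwords and
the "impersonate" privilege below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the directory never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: FrozenSet[str]


def make_account(name: str, password: str, groups) -> Account:
    salt = secrets.token_bytes(16)
    return Account(name, salt, _hash_password(password, salt), frozenset(groups))


# Class (group) based authorization: privileges are maintained per group,
# not per user. "impersonate" is the right to step into another identity.
GROUP_PRIVILEGES = {
    "admins": frozenset({"read", "write", "delete", "impersonate"}),
    "support": frozenset({"read", "impersonate"}),
    "customers": frozenset({"read"}),
}

# Constructed sample directory (hypothetical users and passwords).
DIRECTORY = {
    "alice": make_account("alice", "alice-pw", {"admins"}),
    "sam": make_account("sam", "sam-pw", {"support"}),
    "carol": make_account("carol", "carol-pw", {"customers"}),
}

AUDIT_LOG = []  # one dict per security-relevant event


@dataclass(frozen=True)
class Session:
    authenticated_as: str       # physical user who proved identity
    effective_user: str         # identity used for authorization and UX
    privileges: FrozenSet[str]


def privileges_for(name: str) -> FrozenSet[str]:
    """Union of the privileges of every group the account belongs to."""
    privs = frozenset()
    for group in DIRECTORY[name].groups:
        privs |= GROUP_PRIVILEGES.get(group, frozenset())
    return privs


def _audit(event: str, actor: str, effective: str, outcome: str, **extra) -> None:
    # The actor field is always the authenticated (physical) user.
    AUDIT_LOG.append({"event": event, "actor": actor, "effective": effective,
                      "outcome": outcome, **extra})


def login(username: str, password: str, act_as: Optional[str] = None) -> Optional[Session]:
    """Single-step authenticate-then-morph.

    The caller proves only its own identity. If act_as names another user,
    the caller must hold "impersonate", the target must exist, and the target
    must not hold any privilege the caller lacks (morphing never escalates).
    """
    acct = DIRECTORY.get(username)
    if acct is None or not hmac.compare_digest(
            acct.pw_hash, _hash_password(password, acct.salt)):
        _audit("login", username, username, "denied", reason="bad credentials")
        return None
    target = username
    if act_as is not None and act_as != username:
        own = privileges_for(username)
        if ("impersonate" not in own or act_as not in DIRECTORY
                or not privileges_for(act_as) <= own):
            _audit("morph", username, act_as, "denied")
            return None
        target = act_as
    privs = privileges_for(target)
    if target != username:
        privs -= {"impersonate"}   # no chained impersonation from a morphed session
    _audit("login", username, target, "granted")
    return Session(username, target, privs)


def perform_action(session: Session, action: str) -> bool:
    """Authorize against the effective identity, audit against the real one."""
    allowed = action in session.privileges
    _audit("action", session.authenticated_as, session.effective_user,
           "granted" if allowed else "denied", action=action)
    return allowed


if __name__ == "__main__":
    s = login("sam", "sam-pw", act_as="carol")   # support staff views as a customer
    perform_action(s, "read")
    perform_action(s, "write")
    for entry in AUDIT_LOG:
        print(entry)
```

The audit entries keep both identities side by side, so a reviewer can reconstruct which physical user performed an action even though authorization was evaluated against the morphed identity.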