Endpoint Administration Guide for Windows › Protecting Accounts › User Impersonation Protection › How CA Access Control Responds to User Impersonation Requests

How CA Access Control Responds to User Impersonation Requests

Each record in the SURROGATE class defines restrictions that protect a user from impersonation attempts. CA Access Control treats an impersonation request as an abstract object that can only be accessed by authorized users. A record in the SURROGATE class represents each user or group who has surrogate (impersonation) protection.

When a user or group makes a request to impersonate another user or group, CA Access Control does the following:

1. Checks the access authority of the SURROGATE record for the user or group. Depending on the SURROGATE record, one of the following happens:
   • The SURROGATE record for the user or group specifically permits or denies the impersonation.

     CA Access Control uses the access authority of the SURROGATE record to permit or deny the impersonation request.

   • The user or group does not have a SURROGATE record.

     The process goes to Step 2.

2. Checks the access authority of the default SURROGATE record for the user or group, as follows:
   • If the requester is a user, CA Access Control gives the user the access type that is defined in the USER._default SURROGATE record.
   • If the requester is a group, CA Access Control gives the user the access type that is defined in the GROUP._default SURROGATE record.

   Note: The default access authority of the USER._default, GROUP._default, and _default SURROGATE records is read. This means that CA Access Control permits any request to impersonate a user or group, unless a SURROGATE record for the user or group prohibits the impersonation request. To change this behavior, change the access authority of the USER._default and GROUP._default records. You can also set the same default for users and groups by changing the access authority of the _default SURROGATE record.