How CA ControlMinder Responds to User Impersonation Requests

Each record in the SURROGATE class defines restrictions that protect a user from impersonation attempts. CA ControlMinder treats an impersonation request as an abstract object that can only be accessed by authorized users. A record in the SURROGATE class represents each user or group who has surrogate (impersonation) protection.

When a user or group makes a request to impersonate another user or group, CA ControlMinder does the following:

  1. Checks the access authority of the SURROGATE record for the user or group. Depending on the SURROGATE record, one of the following happens:
  2. Checks the access authority of the default SURROGATE record for the user or group, as follows:

    Note: The default access authority of the USER._default, GROUP._default, and _default SURROGATE records is read. This means that CA ControlMinder permits any request to impersonate a user or group, unless a SURROGATE record for the user or group prohibits the impersonation request. To change this behavior, change the access authority of the USER._default and GROUP._default records. You can also set the same default for users and groups by changing the access authority of the _default SURROGATE record.
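The following selang fragment is an added illustration of the default-to-deny change the note describes; it is not taken from the CA ControlMinder documentation, and the command names and property syntax (newres, chres, authorize, defaccess, uid, access) are assumed from the product's selang command language and should be checked against the selang reference for your release. The user name "dba" and group name "ops" are constructed placeholders.

```selang
# Assumed selang syntax (verify against your selang reference).
# Step 1: close the permissive default so that, absent a specific
# SURROGATE record, no user may impersonate another user or group.
chres SURROGATE USER._default defaccess(none)
chres SURROGATE GROUP._default defaccess(none)

# Step 2: protect one specific account explicitly. Because the
# specific record is checked before the default record, this
# record decides every request to impersonate "dba".
newres SURROGATE USER.dba defaccess(none)

# Step 3: re-open impersonation of "dba" only for the members of
# the "ops" group (read is the access that permits a surrogate
# request, per the note above).
authorize SURROGATE USER.dba gid(ops) access(read)
```

With these records in place, a request by a user who is not in "ops" to impersonate "dba" is refused by the USER.dba record, and a request to impersonate any account that has no SURROGATE record of its own falls through to USER._default (or GROUP._default) and is refused there. Leaving the _default record alone means the two class-level defaults, not the global one, carry the restriction.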