Power of Attorney
Planned featureThis feature is planned feature. This feature is roughly designed and it was evaluated as feasible. However, there is currently no specific plan when it will be implemented, because there is no funding for this development yet. In case that you are interested in supporting development of this feature, please consider purchasing midPoint Platform subscription.
Power of attorney is a form of authorization that grants user power over the functionality accessible to other users. For example a manager may be able to access midPoint functionality that is accessible to his subordinates. The manager should be able to switch midPoint user interface to work with the identity of the subordinate employee. The manager will then see what the other employee can see in midPoint. The manager may even execute the actions as if the original employee executed them. Of course, both identities (the subject and the attorney) will be executed in the audit logs. And of course, such power should be limited to only certain actions (read-only, read-write), certain object and so on.
This may be a really useful feature to enable limited power of attorney, e.g. to enable manager act on a workitem of a different user. But it may also be used for diagnostics: for example the identity administrator may look at the midPoint as it is displayed for a particular user, for example to check that the delegated administration privileges are set correctly.
However, the real power and flexibility of this features comes with an additional enhancement. There is in fact nothing in midPoint that says that the subject must be a user. The subject of power of attorney may as well be an organization. This may be used to give individuals the power to act in name of organizations. For example a mayor of a town may be able to act with the identity of the town, instead of his own personal identity. This may be give selected users the powers to act on behalf of the company. This may get really useful especially in multi-tenant or hybrid configurations. Or a manager or technical lead making decision as an individual as opposed to decisions on behalf of the entire team.
Power of Attorney versus Deputy
MidPoint already has a deputy functionality. However, deputy is meant to be a temporary delegation of rights. For example a manager going for a vacation will entitle a deputy for the next two weeks. For that period the deputy will receive manager’s powers as part of his usual midPoint user interface. In fact for a deputy there is no difference between using his own powers and the powers delegated to him as a deputy. It is assumed that this is always the individual user making a decision, albeit it is done using delegated powers. And there is a good reason for that. There may be significant overlap between powers that the deputy already has and the powers that were delegated. Therefore it is not always clear whether the exercised power is the pre-existent one or the delegated one. Also, we want the user interface be as efficient as possible. The deputy is exercising the delegated powers as part of his day-to-day job. E.g. the delegated work items should appear where his existing work items are, so he will not miss them.
However, the power of attorney is different. The attorney has to explicitly decide to act on behalf of other identity. The attorney has to switch to the identity of subordinate employee or an organization. This explicit action is an additional barrier so it is clear which identity is used. This is important for many use cases. For example there is a big difference if a mayor is making a purchase order as a private individual or if that purchase order is made on behalf of the town. The difference in the identity that is acted upon is critical. Therefore is it import to make the identity switch explicit so it is always clear which identity is acted upon. Also, the assumption is that the power of attorney is semi-permanent. That means that power of attorney is granted for a long time period (usually years).
Implementation of power of attorney has several parts:
Authorizations that specify power of attorney, to which users the power applies and how it is limited.
User interface support for identity switching
Auditing, logging and diagnostics enhancements to clearly distinguish the identities.
There is very limited implementation of the power of attorney authorization that can be used only for workitem-related actions. See Power of Attorney Configuration.