
Identity April 20, 2021 3 min read Anup Marwadi

Enabling Sudo/God Mode In SaaS Platforms for elevated permissions

One of our fellow CTOs asked us a question recently,

“Say you’re using a 3rd party Identity Provider for User Account Management and there are operations that require a SUDO/God mode with elevated permissions assertions (maybe via SMS verification or some other form of assertion such as re-entering the password). How do you do it?”

This is a very good question. We often see the need to validate elevated permissions in real time, right before a critical operation runs, so that we know the user attempting it still has the authority to do so, or better, is actually the person making the request.

Here’s ONE quick way of doing this. Let’s run over the scenario:

  1. The User has already authenticated and is logged in to the RP (relying party) application.
  2. Now the user wants to perform an elevated operation. At this point you want to throw in a challenge; in this case the challenge is simply re-verification of the password or some form of MFA verification.
  3. Once the challenge has been satisfied, you allow them to continue.

Irrespective of the IdP you use, the following needs to happen at the application level and not at the IdP level. You will need to create an API-level policy that does the following:

  1. When an elevated operation is requested, check when the user authenticated. A JWT bearer token carries its issue time in the iat (issued-at) claim; if your IdP also issues an OIDC ID token, prefer its auth_time claim, which records when the user actually logged in. iat is reset every time a token is silently refreshed, so on its own it says nothing about whether the user is still present.
  2. If that timestamp is older than a configurable threshold, your API returns a Challenge result instead of performing the operation (a Challenge is simply a way to say that you no longer trust the user's identity enough for this operation). Enforce this in the API, not only in the UI, since anything the UI does can be bypassed by calling the API directly.
  3. When your UI receives this response, redirect the user to the IdP login page to re-authenticate, passing prompt=login (or a max_age) so the IdP performs an interactive login rather than silently reissuing a token from its existing session. Depending on the policy, you can also request an MFA step-up.
  4. The user logs in again, or verifies their identity using MFA, and the IdP redirects to your normal callback page. Validate the state value against what your application stored before the redirect (this is what stops a forged callback), process the new token, and then send the user back to the page where the elevated operation was requested so it can be retried.
  5. When the operation runs again, the API policy finds a recently issued token, well within the re-verification limit, and lets the operation proceed.
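The API-side policy described above, written out as an added example in Python; this is not the post's own code. It assumes the IdP issues HS256-signed JWTs carrying iat and, for OIDC logins, auth_time; the signing key, token contents, threshold and return URL are all constructed for the example so it runs offline. It goes slightly beyond the steps above in two places: it prefers auth_time over iat when deciding freshness, and it accepts a callback only for a state value it issued itself, exactly once.

```python
# Added example (not the post's or HyperTrends' code): an API-side step-up
# ("sudo mode") policy that decides, per request, whether a bearer token is
# fresh enough for an elevated operation or whether the caller must re-login.
# Assumptions: the IdP issues HS256 JWTs carrying `iat` and, for OIDC logins,
# `auth_time`; DEMO_KEY is a constructed stand-in for the IdP's signing key.
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the IdP: sign a JWT with HS256 (real IdPs use RS256/ES256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the signature before trusting any claim, including iat/auth_time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid token signature")
    return json.loads(_b64url_decode(payload))


@dataclass
class Decision:
    allow: bool
    reason: str
    challenge: Optional[dict] = None  # what the API returns alongside a 401


def _challenge(max_age: int) -> dict:
    """HTTP 401 carrying the RFC 9470 step-up error so the client knows to re-login."""
    return {
        "status": 401,
        "WWW-Authenticate": 'Bearer error="insufficient_user_authentication", '
                            'error_description="Re-authenticate to continue", '
                            f'max_age="{max_age}"',
    }


def step_up_policy(token: str, max_age: int, now: Optional[float] = None,
                   key: bytes = DEMO_KEY) -> Decision:
    """Allow the elevated operation only if the user authenticated within max_age seconds."""
    claims = verify_token(token, key)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return Decision(False, "token expired", _challenge(max_age))
    # Prefer OIDC auth_time: it records when the user actually logged in.
    # iat only says when this token was minted; a silently refreshed token has a
    # brand-new iat and proves nothing about the user being present right now.
    basis = "auth_time" if "auth_time" in claims else "iat"
    if basis not in claims:
        return Decision(False, "no auth_time or iat claim", _challenge(max_age))
    age = now - claims[basis]
    if age > max_age:
        return Decision(False, f"{basis} is {int(age)}s old (limit {max_age}s)",
                        _challenge(max_age))
    return Decision(True, f"{basis} is {int(age)}s old (limit {max_age}s)")


# --- UI side: remember where to return after the IdP round trip -------------
_pending: Dict[str, str] = {}  # state -> return URL; keep this in the server session in production


def begin_challenge(return_to: str) -> dict:
    """Build the re-login redirect; prompt=login forces an interactive login and
    max_age makes the IdP put auth_time in the new ID token (OIDC Core 3.1.2.1)."""
    state = secrets.token_urlsafe(24)
    _pending[state] = return_to
    return {"state": state,
            "authorize_params": {"prompt": "login", "max_age": "0", "state": state}}


def complete_challenge(state: str) -> str:
    """Callback: accept only a state we issued, and only once (anti-CSRF, anti-replay)."""
    try:
        return _pending.pop(state)
    except KeyError:
        raise ValueError("unknown or replayed state") from None
```

The policy is deliberately evaluated on the API side on every elevated call, so a client that skips the UI gains nothing. The 401 uses the error code from RFC 9470 (OAuth 2.0 Step Up Authentication Challenge Protocol), which is the standard way for a resource server to tell a client that the token is valid but the user's authentication is too old; clients that do not understand it still see a plain 401 and fall back to a login.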

To sum it up, the freshness policy is your application's job, not your IdP's. Your IdP's job is to authenticate the user, provide a valid set of claims, generate a bearer token (if you want one) and grant access to protected resources through the scopes you requested. What it can do for you here is perform an interactive re-authentication when you ask for one (prompt=login or max_age) and record in the token when that happened (auth_time); deciding that a given operation needs it, and refusing the operation until it has happened, is yours.


Anup Marwadi

Anup Marwadi is a technology entrepreneur, an investor and an avid learner of business skills. He is the CEO of HyperTrends Global Inc. and TicketBlox and is currently involved in numerous advisory positions with Healthcare and Manufacturing companies. Anup is on a mission to build technology products that disrupt industries and help businesses grow by using technology and software as their primary differentiator. Anup is an avid traveler, a speaker and loves fitness and adventure. Anup is a board member at Entrepreneur's Organization (EO) - San Diego.
