Hacker News new | past | comments | ask | show | jobs | submit login

It is very common to allow a support user to impersonate a user. A lot of the enterprise level authentication/authorization software packages support it.

As long as the action is logged it doesn't seem worse than anything else.

Yep. In fact, many users expect you to go into their account to see what they are seeing or what they are doing wrong, at least our customers do. It's the same data you can access in the database.

I suspect the point being made was that Joe First Line Support Guy shouldn't generally have arbitrary access to your database either. If you're handling sensitive information, including almost any personal data, then generally the number of people with root/admin/open access to the relevant systems should be minimal and tightly controlled, and everyone else should have controlled-by-need access through their own front-end.

Organisations (usually relatively small ones) where everyone can be root or access any user's file in the database so they can Get Things Done sound great, right up until the point where it turns out you hired the wrong person, they did something naughty with your database, and your whole organisation and/or its executives personally are sent to live in legal/regulatory hell for months/years/ever.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact