I know that just about every use case we discussed at a recent Ipswich (who says UK spring weather sucks?) meeting of the Liberty Alliance Technology Expert Group could be modeled as some form of delegation.
- a client delegating the right to a network provider to serve up identity attributes on a user's behalf if and when the client was unavailable
- an IDP delegating the right to a client to mint assertions on its behalf if and when the IDP was unavailable
- a Mom delegating the right to members of her extended family to view online photos
- a business owner delegating the right to an accounting firm's accountants to view/submit to the business's account at a government tax agency
As we roughed it out this week, a solution might work something like the following:
- BusinessOwner adds a group for his accounting firm CheckYourBooks to the company's People Service
- The new group, instead of directly defining a collection of specific individuals, points at a different group managed by a CheckYourBooks admin in that company's People Service
- BusinessOwner visits GovernmentTax and sets delegation policy by saying 'Allow members of CheckYourBooks to access my tax account'.
Importantly, if and when BusinessOwner discovers that the CheckYourBooks CEO has been skimming off the top and has moved with his mistress to the British Virgin Islands, it's easy to shut off access and switch it to the new accounting firm (until such time as they, too, feel the call of the sun).
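To make the three steps and the revocation point concrete, here is an added toy model of the flow (example code written for this post, not Liberty Alliance or People Service code). The People Service names, the `acme-tax-account` resource and the member identifiers are constructed for the demo. What it shows is the part that makes revocation cheap: the relying party stores a reference to the owner's group, the owner's group stores a reference to the firm's group, and membership is resolved at request time, so re-pointing one group cuts off the old firm and admits the new one without touching any per-user grant at GovernmentTax.

```python
"""Toy model of cross-People-Service group delegation (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Group:
    # Principals listed directly in this group.
    members: set = field(default_factory=set)
    # (people_service, group_name) pairs whose membership this group inherits.
    # This is the "points at a different group" step in the post.
    references: set = field(default_factory=set)


class PeopleService:
    """One party's People Service: a named collection of groups."""

    def __init__(self, name):
        self.name = name
        self.groups = {}

    def add_group(self, name, members=(), references=()):
        self.groups[name] = Group(set(members), set(references))

    def repoint(self, name, references):
        """Swap where a group's membership is sourced from (the 'switch firms' step)."""
        self.groups[name].references = set(references)


def resolve_members(registry, service_name, group_name, seen=None):
    """Transitively resolve a group's membership across People Services.

    `seen` guards against reference cycles (A -> B -> A) so resolution terminates.
    Unknown services or groups resolve to the empty set rather than raising, so a
    dangling reference means "nobody", which is the safe failure mode.
    """
    seen = seen if seen is not None else set()
    key = (service_name, group_name)
    if key in seen:
        return set()
    seen.add(key)
    service = registry.get(service_name)
    if service is None or group_name not in service.groups:
        return set()
    group = service.groups[group_name]
    members = set(group.members)
    for ref_service, ref_group in group.references:
        members |= resolve_members(registry, ref_service, ref_group, seen)
    return members


class RelyingParty:
    """E.g. GovernmentTax: per-resource delegation policy stored as group references."""

    def __init__(self, registry):
        self.registry = registry
        self.policy = {}  # resource -> set of (people_service, group_name)

    def allow_group(self, resource, service_name, group_name):
        self.policy.setdefault(resource, set()).add((service_name, group_name))

    def is_authorized(self, resource, principal):
        # Membership is resolved on every request, so a change in the owner's
        # People Service takes effect immediately; nothing is cached here.
        for service_name, group_name in self.policy.get(resource, ()):
            if principal in resolve_members(self.registry, service_name, group_name):
                return True
        return False


def build_scenario():
    """Constructed scenario: owner, current firm, replacement firm, tax agency."""
    owner_ps = PeopleService("BusinessOwnerPS")
    firm_ps = PeopleService("CheckYourBooksPS")
    new_firm_ps = PeopleService("NewFirmPS")
    registry = {ps.name: ps for ps in (owner_ps, firm_ps, new_firm_ps)}

    # Each firm's admin manages who is on the client team (constructed identifiers).
    firm_ps.add_group("acme-team", members={"alice@cyb.example", "bob@cyb.example"})
    new_firm_ps.add_group("acme-team", members={"carol@newfirm.example"})
    # BusinessOwner's group lists no individuals; it points at the firm's group.
    owner_ps.add_group("CheckYourBooks", references={("CheckYourBooksPS", "acme-team")})

    # BusinessOwner tells GovernmentTax: allow members of my CheckYourBooks group.
    tax = RelyingParty(registry)
    tax.allow_group("acme-tax-account", "BusinessOwnerPS", "CheckYourBooks")
    return owner_ps, tax


def demo():
    """Return (before, after) authorization results around the firm switch."""
    owner_ps, tax = build_scenario()
    who = ("alice@cyb.example", "carol@newfirm.example")
    before = {p: tax.is_authorized("acme-tax-account", p) for p in who}
    # The CEO absconds: one change in the owner's People Service revokes the firm.
    owner_ps.repoint("CheckYourBooks", {("NewFirmPS", "acme-team")})
    after = {p: tax.is_authorized("acme-tax-account", p) for p in who}
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for the security property the post is after. First, GovernmentTax never learns or stores the accountants' identities; it only stores the owner's group reference, so the owner's People Service remains the single point of control. Second, resolution fails closed: a reference to a People Service or group that no longer exists grants nobody access, and the cycle guard stops a pair of mutually referencing groups from looping.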