[This is a preliminary description of the idea based on notes I made on 1999-06-24. If anyone knows of other work along these lines, or wants to participate in the development of this, let me know.]
See also the Gregor's Word of the Week entry Doppelgänger.
The doppel facility would permit agents (machine or human) to perform specified actions on the part of the originator, hopefully with acceptable security characteristics. The doppel security capability specifications would be certificate-based, so it would be heavily tied-in with the operating system and password authentication.
Some information in the doppel certificate would be: the originator, capability specifications, time and/or occurance limitations, revokation policy, activity logging policy, etc.
Some capability specifications might be: change root directory (to hide other parts of the file system), create and use a secondary doppel (for database logon), run a particular program, or create a particular file.
The operating system would accept doppling via su and login (and perhaps other) mechanisms, with appropriate credential verification. This would probably involve the creation of a doppel user and modifications to these programs such that there is an extra step in the doppel user's logon procedure. Instead of immediately asking for a password, the system would request the doppel specification first. With this in hand, the system requests the password, which is the one that can be used to validate the the doppel is being presented by an authorized entity. If everything checks out, then the doppel is authenticated and permitted appropriately restricted access to the system, based on the capabilities specification in the doppel.
This facility could be used for scheduling activities to run in batch. The production user creates a doppel linked to the credentials of the server program and hands it to the server. Later, the server uses the doppel to perform actions. Only if the actions requested by the server and the servers credentials match the doppel, and the doppel is otherwise valid, will the action be authorized.