Info

First introduced in 11.0.24, this feature aims to replace the legacy Impersonation feature which has been renamed “Log In As”.

Note

In 11.0.24 this feature is available for BETA TESTING ONLY. It is NOT suitable for production yet. See the limitations list for details.

HS staff can see an internal feature demo here.

Overview

...

Info

The key part of the Impersonation feature is that actions taken while impersonating another user are recorded as being “performed by” the user that is actually logged in, not the account they are impersonating.

This is the primary difference relative to the legacy Impersonation feature, which did not properly capture the identity performing the action in the logs.

Feature overview

...

Enabling the feature toggle

As a beta feature, Impersonation can be enabled/disabled at the system level via the EnableImpersonation App Config setting.

This currently defaults to DISABLED.

Required permissions

In addition to the feature toggle being enabled, users must have the AdminArea.CanImpersonateUser permission. This is currently not granted by default to any Roles.

Impersonating another user

...

Limitations and business rules

| Limitation | Reason |
|---|---|
| Cannot impersonate a Sys Admin user | For security reasons, you cannot impersonate a user with the Sys Admin Role. |
| Cannot impersonate a user with a greater privilege level than your own | For security reasons, you cannot impersonate a user with a greater privilege level than your own. |
| Cannot access the Admin area while impersonating | Access to the Admin area is restricted until we can explore the security implications of allowing it. Configuration changes are not fully audit logged right now, so we want to restrict the potential for changes that are even harder to track back to the person making them. |
| Cannot impersonate a user in an “Inactive” or “Pending Registration” status | The general purpose of the Impersonate feature is to “see what the other user would see”. A user account with an Inactive Member Status would be unable to log in, and is similarly blocked from being impersonated. |
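
The rules above, together with the feature toggle, the required permission and the “performed by” logging, can be expressed as a single deny-by-default check. The sketch below is an added example, not the product's own code. The `User` model, the function names, the numeric `privilege_level` comparison and the "Active" status value are assumptions made for illustration; the setting name, permission name, role name and blocked statuses are the ones this page gives.

```python
from dataclasses import dataclass, field

BLOCKED_STATUSES = {"Inactive", "Pending Registration"}  # statuses named on this page

@dataclass
class User:  # hypothetical model, not the product's schema
    name: str
    roles: set = field(default_factory=set)
    permissions: set = field(default_factory=set)
    privilege_level: int = 0   # assumption: a higher number means more privilege
    status: str = "Active"     # assumption: "Active" is the normal member status

def check_impersonation(actor, target, app_config):
    """Return (allowed, reason). Deny by default; the first failing rule wins."""
    if not app_config.get("EnableImpersonation", False):  # toggle defaults to DISABLED
        return False, "feature toggle disabled"
    if "AdminArea.CanImpersonateUser" not in actor.permissions:
        return False, "actor lacks AdminArea.CanImpersonateUser"
    if "Sys Admin" in target.roles:
        return False, "target is a Sys Admin"
    if target.privilege_level > actor.privilege_level:
        return False, "target has greater privilege than actor"
    if target.status in BLOCKED_STATUSES:
        return False, "target status is " + target.status
    return True, "ok"

def start_session(actor, target, app_config):
    """Open an impersonation session only when every rule passes."""
    allowed, reason = check_impersonation(actor, target, app_config)
    if not allowed:
        raise PermissionError(reason)
    return {"actor": actor, "impersonating": target}

def can_access_admin_area(session):
    """The Admin area stays closed for the whole impersonation session."""
    return session["impersonating"] is None

def audit_entry(session, action):
    """Attribute the action to the real logged-in user, not the impersonated account."""
    target = session["impersonating"]
    return {
        "action": action,
        "performed_by": session["actor"].name,
        "on_behalf_of": target.name if target else None,
    }
```
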