Applicable to Entuity v20.0 P04 upwards
Introduction:
Impersonation Mode in Entuity enables administrators to impersonate any user (without requiring login credentials) to assist with testing configurations and evaluating and diagnosing user-specific issues. When you enable Impersonation Mode and select a user to impersonate, you can confirm what the impersonated user can see.
Impersonation Mode is accessible to administrators only. Non-admin users will only see a change to their UI if an administrator makes a change whilst impersonating them. If an administrator in Impersonation Mode makes a change on a consolidation server that propagates to remote servers (e.g. creating a new View on a consolidation server will cause that View to be created on all servers to which the user is logged in), this will persist for the impersonated user.
Which users can be impersonated?
Administrators can impersonate the following users:
- other administrators
- non-admin users
Administrators cannot impersonate the following:
- themselves
- another user whilst already impersonating another administrator, i.e. you (Admin A) cannot impersonate another administrator (Admin B) and then use Admin B to impersonate another user (User C). Therefore, nested impersonations are not possible.
Requirements:
If you are using external authentication on your server (LDAP, RSSO or SAMLv2), the user that you intend to impersonate will need to have logged in at least once for your impersonation to work. If the user has not logged in before, then the impersonation will not work.
Permissions:
This is part of the general administrator permissions, and so there is no specific permission associated with Impersonation Mode.
To access Impersonation Mode:
- Click the Main Menu and then Impersonate.
- The Impersonation Mode form will open on the right.
- To specify the user that you want to impersonate, click the Impersonate User field to open a list, from which you can select the user.
- To specify the Entuity UI page from where you will start the impersonation, select one of the two options from the Navigate To dropdown field:
  - User's Homepage - impersonation will begin from the user's specified homepage.
  - Current Page - impersonation will begin from the page that the administrator is currently on.
- Click Done in the top right to begin the impersonation, otherwise click Cancel.
During Impersonation Mode:
The Entuity branding bar at the top of the screen is changed from dark blue to brown, and displays '[username of User X] impersonated by [username of Admin Y]'.
The Main Menu is also updated to reflect the current user session:
Changes made by an administrator during Impersonation Mode:
Any change made during Impersonation Mode, by either the administrator who is impersonating or the user who is being impersonated, will persist for the other upon refreshing the page. If an administrator in Impersonation Mode makes a change on a consolidation server that propagates to remote servers (e.g. creating a new View on a consolidation server will cause that View to be created on all servers to which the user is logged in), this will persist for the impersonated user.
Changes made by an administrator to the user's preferences:
Any changes made and saved by an administrator to the user's preferences will appear when that user next logs in. This is only applicable when on a consolidation server.
To exit Impersonation Mode:
- Click the Main Menu, and click End Impersonation, which appears where the 'Sign Out' option would normally be.
- You will be directed to your previous session prior to impersonation.
Audit log and AuthLog entries for impersonation mode:
Audit log entries are created in the following instances:
- when an impersonation begins and ends.
- (from Entuity v21.0 onwards) when an action is performed in impersonation mode by an admin impersonating a user.
The example below shows the type of information provided in the Audit Log when an admin impersonates a user. This example includes the following:
- Admin Y began impersonating User X.
- User X (impersonated by Admin Y) resumed the running of a report (Report X).
- User X (impersonated by Admin Y) deleted User W.
- Admin Y stopped impersonating User X.
Note that the 'Impersonated by' column specifies when a user action (in this case, User X) was actually undertaken by the impersonating admin (Admin Y).
ID | Time | Category | Action | Context | Details | User | Impersonated by | Server | Source |
---|---|---|---|---|---|---|---|---|---|
4 | 11:46, 05 Aug 2022 | Account Management | MODIFY | User X (User) | Admin Y stopped impersonating User X | Admin Y | | EntuityRed | Web |
3 | 11:43, 05 Aug 2022 | Account Management | DELETE | User W (User) | User: User W | User X | Admin Y | EntuityRed | Web |
2 | 11:41, 05 Aug 2022 | Reporting | RESUME | X::My Network/X (view) | Name: X; View A::My Network; Runs:... | User X | Admin Y | EntuityRed | Web |
1 | 11:36, 05 Aug 2022 | Account Management | MODIFY | User X | Admin Y started impersonating User X | Admin Y | | EntuityRed | Web |
AuthLog entries will be created for Impersonation Mode in the following circumstances:
- when Impersonation Mode is successfully started, e.g.:
09/26/2022 14:39:03: Accepting login: application=impersonation-start host=127.0.0.1 user=user reason=user impersonated by admin
- when Impersonation Mode is successfully ended, e.g.:
09/26/2022 14:39:06: Accepting login: application=impersonation-end host=127.0.0.1 user=admin reason=admin stopped impersonating user
- if an unauthorized user attempts to start an impersonation via the URL, e.g.:
09/26/2022 15:35:54: Rejecting login: application=impersonation-start host=127.0.0.1 user=user reason=user attempted impersonation without sufficient permissions
- if an administrator attempts to end an impersonation, but their previous session is now invalid, e.g.:
09/28/2022 17:09:01: Rejecting login: application=impersonation-end host=127.0.0.1 user=admin reason=could not authorize previous Administrator session as the session no longer exists
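The following is an added example, not part of the Entuity documentation or product: a short Python script that reviews AuthLog lines in the format shown above, pairs each accepted impersonation start with its end, and reports rejected attempts and sessions that were never closed. It assumes that usernames contain no spaces and that the reason text of a successful start always reads '[user] impersonated by [admin]'; the sample lines are constructed from the examples above.

```python
import re
from datetime import datetime

# Constructed sample lines in the AuthLog format shown above; in practice,
# read the server's AuthLog file into a string instead.
SAMPLE = """\
09/26/2022 14:39:03: Accepting login: application=impersonation-start host=127.0.0.1 user=user reason=user impersonated by admin
09/26/2022 14:39:06: Accepting login: application=impersonation-end host=127.0.0.1 user=admin reason=admin stopped impersonating user
09/26/2022 15:35:54: Rejecting login: application=impersonation-start host=127.0.0.1 user=user reason=user attempted impersonation without sufficient permissions
09/27/2022 09:00:00: Accepting login: application=impersonation-start host=127.0.0.1 user=user reason=user impersonated by admin
09/28/2022 17:09:01: Rejecting login: application=impersonation-end host=127.0.0.1 user=admin reason=could not authorize previous Administrator session as the session no longer exists
"""

LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): (?P<verdict>Accepting|Rejecting) login: "
    r"application=(?P<app>impersonation-(?:start|end)) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) reason=(?P<reason>.*)$"
)

def parse(text):
    """Return the impersonation events found in text, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S")
            events.append(e)
    return events

def review(events):
    """Return (sessions, alerts) for a chronological list of events."""
    open_by_admin, sessions, alerts = {}, [], []
    for e in events:
        accepted = e["verdict"] == "Accepting"
        if e["app"] == "impersonation-start" and accepted:
            # Assumed reason layout: "<user> impersonated by <admin>".
            target, _, admin = e["reason"].partition(" impersonated by ")
            open_by_admin[admin] = (target, e["ts"])
        elif e["app"] == "impersonation-end" and accepted:
            target, started = open_by_admin.pop(e["user"], (None, None))
            if started is not None:
                sessions.append((e["user"], target, (e["ts"] - started).total_seconds()))
        else:
            # Every "Rejecting login" impersonation line is worth a look.
            alerts.append((e["ts"], e["app"], e["user"], e["host"], e["reason"]))
    for admin, (target, ts) in open_by_admin.items():
        alerts.append((ts, "unclosed-session", admin, None, target))
    return sessions, alerts
```

Calling `review(parse(SAMPLE))` returns the completed sessions as (admin, impersonated user, duration in seconds) tuples, followed by the list of alerts.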