User Impersonation
User impersonation is a very powerful tool that allows you to get an exact look at what a particular user sees when they use into your product. This can be helpful for anything from debugging issues to giving a realistic sales demo.
Turning on User Impersonation
User Impersonation configuration can be found under Project Settings in the dashboard. Note that you must have the Owner role for your Organization in PropelAuth in order to access it, and you must be on a paid plan to enable it.
Once you've turned on User Impersonation, you'll be given the option to choose who has the power to impersonate users. Due to it's potential sensitive nature, we recommend giving the minimum amount of access necessary.
Alerting
If you would like to be proactively notified when one of your employees impersonates a user, you can turn on alerting. Alerting can be done via email or Slack and can be configured per environment.
Impersonating users
Initiating a user impersonation session can be done from the Users table in the Dashboard. Locate the user in the table and click the 3 dots at the end. If you have access to impersonate a user, the option will appear in the menu.
Identifying Impersonated Users
When you (or someone on your team) is impersonating a user, they will be able to perform actions as that user, within your product. You may, for example, want to:
- Limit the actions that can be performed while impersonating a user
- Audit the actions that were performed while impersonating a user
- Limit the data that can be viewed while impersonating a user
- Add a banner to your product, indicating that the user is being impersonated
- To help you distinguish between a user and an impersonated user, there’s an impersonatorUserId field on the user object, in both the frontend and the backend. This field will be set to the ID of the person on your team who is impersonating the user, if any.
In the backend, you could use this field to limit the actions that can be performed while impersonating a user:
// Express example
app.post("/api/sensitive-action", auth.requireUser, (req, res) => {
if (req.user.impersonatorUserId) {
res.status(403).send("You cannot perform this action while impersonating a user")
} else {
// Perform the sensitive action
}
})
See the Reference documentation for more information about the library for your language/framework.