Requires Identity Panel v7.1 or higher.
In version 7 of the Identity Panel suite, users in the built-in Admin role can impersonate any defined role except Writer. This feature is useful in defining and testing a granular access model for the different platform user groups/roles.
This new option can be found in the security settings.
How to impersonate a role
- Go to Security
- Expand a Role that you want to Impersonate
- Copy either the "Impersonate in Identity Panel" or "Impersonate in Service Panel" links to start the login process with an impersonated role.
- Note: When impersonating for Service Panel, you cannot simply click the impersonate link for Service Panel in the settings page. Instead, you need to copy the impersonate link into a browser tab that is already logged into Service Panel as a member of the built-in admin role.
- Once the validations are complete, log out.
- Log into Identity Panel again to return to admin permissions.
- Note: Depending on your site configuration, logging out from either Identity Panel or Service Panel after testing using impersonation will automatically log you back in with your original admin role.
How does it work?
A new URL endpoint has been introduced called "/account/impersonate/<Role to be impersonated>".
If an already logged-in user with Admin role accesses this URL, they will be logged off and redirected via a re-login URL back to "/account/impersonate/<Role to be impersonated>".
If a logged-out user with Admin role access goes to the URL, they will be logged in with a login redirect URL of "/account/impersonate/<Role to be Impersonated>".
Note: if a logged-in user who is NOT a part of the admin role goes to this URL, they will be redirected to the home page.
On login, if a user has the built-in admin role's group claim and the redirect URL matches "account/impersonate/<Role to be impersonated>", it removes the admin role's group claim from the Identity and adds the group claim of the target role to the Identity to complete the login process.
This allows the step-by-step redirect sequence of:
- Link to impersonate URL
- Logout
- Login (seeing that impersonation is requested and adjusting roles)
- Back to impersonate URL
- Redirect to home
Notes
- This feature can only be used by the built-in Admin Role.
- It can be used to impersonate any role except the Writer.
- It only works with OIDC or SAML authentication. AD-integrated authentication does not allow role override.
- The role to be impersonated MUST NOT re-use the same Entra group as other roles, including the built-in admin role.
Comments
0 comments
Please sign in to leave a comment.