Test Security Settings by Impersonation

Documentation
This topic is under construction for the 17.3 release of LabKey Server. For current documentation of this feature, click here. A site or project administrator can test security settings by impersonating a user, group, or role. A project administrator's access to impersonating is limited to the current project; a site administrator can impersonate site wide.

Impersonate a User

Impersonating a user is useful for testing a specific user's permissions or assisting a user having trouble on the site.

  • Select (User) > Impersonate > User
  • Select a user from the dropdown and click Impersonate

You are now viewing the site as the user you selected, with only the permissions granted to that user. When you reopen the menu, you will see the name of the user you are impersonating.

Impersonate a Group

Impersonating a security group is useful for testing the permissions granted to that group.

  • Select (User) > Impersonate > Group
  • Select a group from the dropdown and click Impersonate

You are now impersonating the selected group, which means you only have the permissions granted to this group. You are still logged in as you, so your display name appears in the menu, and you can still edit documents you own (e.g., the reports, messages, wikis, and issues you have created).

Is it Possible to Impersonate the "Guests" Group?

Note that the "Guests" group (those users who are not logged into the server) does not appear in the dropdown for impersonating a group. This means you cannot directly impersonate a non-logged in user. But you can see the server through a Guests eyes by logging out of the server yourself. When you log out of the server, you are seeing what the Guests will see. When comparing the experience of logged-in (Users) versus non-logged-in (Guests) users, you can open two different browsers, such as Chrome and Firefox: login in one, but remain logged out in the other.

Impersonate Roles

Impersonating security roles is useful for testing how the system responds to those roles. This is typically used when developing or testing new features, or by administrators who are curious about how features behave.

  • Select (User) > Impersonate > Roles
  • Select one or more roles in the list box and click Impersonate

You are now impersonating the selected role(s), which means you receive only the permissions granted to the role(s). As with impersonating a group, you are still logged in as you, so your display name appears in the menu and you can still edit documents you own.

In some cases you'll want to impersonate multiple roles simultaneously. For example, when testing specialized roles such as Specimen Requester or Assay Designer, you would typically add Reader (or another role that grants read permissions), since the specialized roles don't include read permissions themselves.

Stop Impersonating

To return to your own account, click the Stop Impersonating button in the header, or select (User) > Stop Impersonating.

Project-Level Impersonation

When any admin impersonates a user from the project users page, the administrator sees the perspective of the impersonated user within the current project. All projects that the impersonated user may have access to outside the current project are invisible while in impersonation mode. For example, when impersonating a project-scoped group, a project administrator who navigates outside the project will have limited permissions (having only the permissions that Guests and All Site Users have). Site admins who want to impersonate a user across the entire site can do so from the site users page or the admin console.

A project impersonator sees all permissions granted to the user's site and project groups. However, a project impersonator never receives authorization from the user's global roles (currently site admin and developer) -- they are always disabled.

Logging of Impersonations

The audit log includes an "Impersonated By" column. This column is typically blank, but when an administrator performs an auditable action while impersonating a user, the administrator's display name appears in that column.

Discussion

previousnext
 
expand all collapse all