A site or project administrator can test security settings by impersonating a user, group, or role
. A project administrator's access to the site is limited to the current project during impersonation.
Impersonate a User:
Impersonating a user is useful for testing a specific user's permissions or assisting a user having trouble on the site.
- Select [user account link] > Impersonate > User
- Select a user from the dropdown and click Impersonate
You are now viewing the site as the user you selected. For example, the user's display name appears in the upper right corner of your screen and the only permissions you receive are those granted to that user.
Impersonate a Group:
Impersonating a security group is useful for testing the permissions granted to that group.
- Select [user account link] > Impersonate > Group
- Select a group from the dropdown and click Impersonate
You are now impersonating the selected group, which means your permissions are consistent with belonging only to this group. You are still logged in as you, so your display name appears in the upper right and you can still edit documents you own (e.g., the reports, messages, wikis, and issues you have created).
Is it Possible to Impersonate the "Guests" Group?
Note that the "Guests" group (those users who are not logged into the server) does not
appear in the dropdown for impersonating a group. This means you cannot directly impersonate a non-logged in user. But you can see the server through a Guests eyes by logging out of the server yourself. When you log out of the server, you are seeing what the Guests will see. When comparing the experience of logged-in (Users) versus non-logged-in (Guests) users, it is often convenient to use two different browser types, such as Chrome and Firefox: login using one browser, but remain logged out use the other browser.
Impersonating security roles is useful for testing how the system responds to those roles. This is typically used when developing or testing new features, or by administrators who are curious about how features behave.
- Select [user account link] > Impersonate > Roles
- Select one or more roles in the list box and click Impersonate
You are now impersonating the selected role(s), which means you receive only the permissions granted to the role(s). As with impersonating a group, you are still logged in as you, so your display name appears in the upper right and you can still edit documents you own.
In some cases you'll want to impersonate multiple roles simultaneously. For example, when testing specialized roles such as Specimen Requester or Assay Designer, you would typically add Reader (or another role that grants read permissions), since the specialized roles don't include read permissions themselves.
To return to your own account, click [user account link] > Stop Impersonating
When any admin impersonates a user from the project users page, the administrator sees the perspective of the impersonated user within the current project. All projects that the impersonated user may have access to outside the current project are invisible while in impersonation mode. For example, when impersonating a project-scoped group, a project administrator who navigates outside the project will have limited permissions (having only the permissions that Guests and All Site Users have). Site admins who want to impersonate a user across the entire site can do so from the site users page or the admin console.
A project impersonator sees all permissions granted to the user's site and project groups. However, a project impersonator never
receives authorization from the user's global roles (currently site admin and developer) -- they are always disabled.
Logging of Impersonations
The audit log includes an "Impersonated By" column. This column is typically blank, but when an administrator performs an auditable action while impersonating a user, the administrator's display name appears in that column.