The Users tab in your back office allows you to manage various aspects of your users and control their activity and metadata.

🚧

Backoffice and Your Environments

Note that each capability is available in all the environments you are using (Development, Staging, QA, and Production). Each environment reflects its own accounts and users, so the accounts and users in the Development, Staging, and QA environments are probably testing accounts/users, while those in Production will be your customers, as well as possibly testing accounts/users.

You can filter your testing users by filtering your domain in the _Excluded domains_ filter in the users section.

Managing users for your customer's accounts.

To begin managing your users, go to your environment of choice, then to Backoffice ➜ Users.

On this screen, you can:

  • View and search users
  • Edit user and corresponding metadata
  • Edit user roles
  • Impersonate users
  • Assign user to another account
  • Lock and unlock user
  • Delete user

The Main Account is the primary account associated with the user. If a user is assigned to only one account, that is their primary account. Users can change their primary account by switching their active tenant from your application.

The Last Visit is the last time a user logged into this account. This value is updated on a regular basis.

The Daily Visits is the number of total visits for the user for all the days since the user was created. If a user visits multiple times on the same day, it is counted as only one visit. This value updates daily.

The Status indicates whether the user has verified their invitation to join the customer account by email. If you need to re-send the verification email, go to Environments ➜ Production ➜ Test ➜ Users and click the user menu for the unverified user. Select the option to resend the verification email.


📘

The accounts in Backoffice ➜ Users are the same users in Environments ➜ Production ➜ Test ➜ Users.

The page at Backoffice ➜ Users is intended for non-development teams and Environments ➜ Production ➜ Test ➜ Users is intended for development teams.

Via the user menu, you can:

  • Edit user and corresponding metadata
  • Edit user roles
  • Assign user to another account
  • Lock and unlock user
  • Delete user


📘

For additional user management options, visit Environments ➜ Production ➜ Test ➜ Users.

User impersonation

User impersonation refers to the ability of a system to temporarily grant someone, typically an administrator or support staff member, access to another user's account. This feature can be extremely useful for troubleshooting, testing, or resolving user issues without the need for the original user's login credentials. With Frontegg, you can impersonate your users easily and securely.

In this guide, you will learn how to set up and configure user impersonation in your app. User impersonation is a powerful but potentially dangerous tool, as it allows all actions inside another user's account (including switching accounts if possible). Only give impersonation permissions to those you trust.

Enabling user impersonation

When setting up user impersonation, you have two choices to make:

  1. Whether you want user impersonation enabled or not.
    If enabled, this doesn’t mean that anyone can use it. Only those with the right roles/permissions can use it.
  2. Whether you want to send audit logs about impersonated actions to accounts.
    Audit logs about impersonated actions are always sent to the Frontegg Portal (Audit Trail), but if enabled, this setting will prevent them from being sent to account audit logs. (However, keep in mind that user login sessions always show impersonation.)

To configure these settings, go to Builder ➜ App Settings ➜ User Impersonation.

Using user impersonation

To impersonate another user, all you need to do is locate the user you want to impersonate in any environment, choose which of their accounts you want to log in to, and then click “Impersonate User”.

You’ll then be asked to enter a reason you are impersonating that user. This reason will appear on vendor audit logs and account audit logs (if they are enabled).

If impersonation is enabled on your app and your role permits impersonation, a session will open in a new tab, logged in as your target user with their role. The session will last for a maximum of 60 minutes and can’t be extended.

Impersonation on a user level

If a user is the subject of an existing impersonation session, they should see an impersonation session in their login sessions. Like any of their sessions, they can revoke that session, ending the impersonation session.

Who can impersonate users

To impersonate users, you must either have an Owner role or an Impersonator role (in addition to any other role that gives you access to users).
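
The rules described above (a recorded reason, the 60-minute session limit, and the Owner or Impersonator role requirement) can be checked when reviewing impersonation audit events. The following is an added example, not Frontegg code: the event names and field names are hypothetical and the sample records are constructed, so map them to whatever your audit export actually contains.

```python
from datetime import datetime, timedelta

ALLOWED_ROLES = {"Owner", "Impersonator"}   # roles the page says may impersonate
MAX_SESSION = timedelta(minutes=60)         # maximum session length stated on the page

# Constructed sample events; field names are hypothetical, not a Frontegg export format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "event": "impersonation_started", "session": "s1",
     "actor": "support@vendor.example", "actor_roles": ["Impersonator"],
     "target": "alice@customer.example", "reason": "Ticket 1001: cannot load dashboard"},
    {"ts": "2024-05-01T09:20:00", "event": "impersonation_ended", "session": "s1"},
    {"ts": "2024-05-01T10:00:00", "event": "impersonation_started", "session": "s2",
     "actor": "dev@vendor.example", "actor_roles": ["Admin"],
     "target": "bob@customer.example", "reason": "  "},
    {"ts": "2024-05-01T11:45:00", "event": "impersonation_ended", "session": "s2"},
    {"ts": "2024-05-01T12:00:00", "event": "impersonation_started", "session": "s3",
     "actor": "owner@vendor.example", "actor_roles": ["Owner"],
     "target": "carol@customer.example", "reason": "Billing question"},
]

def review_impersonation(events):
    """Return sorted (session, finding) pairs for sessions that break the stated rules."""
    starts, ends, findings = {}, {}, []
    for e in events:
        when = datetime.fromisoformat(e["ts"])
        if e["event"] == "impersonation_started":
            starts[e["session"]] = (when, e)
        elif e["event"] == "impersonation_ended":
            ends[e["session"]] = when
    for sid, (began, e) in starts.items():
        if not ALLOWED_ROLES & set(e.get("actor_roles", [])):
            findings.append((sid, "actor has neither Owner nor Impersonator role"))
        if not e.get("reason", "").strip():
            findings.append((sid, "no reason recorded"))
        if sid not in ends:
            findings.append((sid, "no end event in this log window"))
        elif ends[sid] - began > MAX_SESSION:
            findings.append((sid, "session longer than 60 minutes"))
    for sid in ends.keys() - starts.keys():
        findings.append((sid, "end event without a start event"))
    return sorted(findings)

if __name__ == "__main__":
    for sid, finding in review_impersonation(SAMPLE_EVENTS):
        print(sid, finding)
```

A finding here means the log disagrees with the documented behavior and should be investigated. It does not by itself show that the platform allowed the action.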