User Impersonation

User impersonation is the ability of a system to grant one user, typically an administrator or support staff member, temporary access to another user's account. This is useful for troubleshooting, testing, or resolving user issues without needing the original user's login credentials. With Frontegg, you can impersonate your users easily and securely.

In this guide, you will learn how to set up and configure user impersonation in your app. User impersonation is a powerful but potentially dangerous tool: it allows every action inside another user's account (including switching accounts, if that user can). Grant impersonation permissions only to those you trust.


Prerequisites

The following versions are required to use the feature:

@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]

Enabling user impersonation

When setting up user impersonation, you can configure the following options:

  1. Enabling/disabling user impersonation.
    If enabled, users with the relevant permissions will be able to impersonate other users.
  2. Sending impersonated logs to account audit logs.
    Audit logs about impersonated actions are always sent to the Frontegg Portal (Audit Trail); this setting controls whether they are also sent to the account's audit logs. Keep in mind that the impersonated user's login sessions always show the impersonation, regardless of this setting.

To configure these settings, go to Authentication --> User Impersonation.

Impersonating a User

To impersonate another user, go to your Backoffice --> Users tab and locate the user you want to impersonate. Click Impersonate User.

You'll then be asked to enter the reason you are impersonating that user. This reason appears in the vendor's audit logs and, if enabled, in the account's audit logs.

User Impersonation Session Timeframe

If impersonation is enabled on your app and your role permits it, a session opens in a new tab, logged in as the target user with that user's role. The session lasts a maximum of 60 minutes and cannot be extended.

Note that if keepSessionAlive is false, the session lasts only 5 minutes. To get the full 60-minute session, set keepSessionAlive to true.
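The page does not say where keepSessionAlive is set. As an added illustration, not code from this page or from Frontegg, the snippet below passes it through the authOptions prop of FronteggProvider in @frontegg/react; that authOptions is the right prop, and the hostedLoginBox prop and placeholder baseUrl/clientId values, are assumptions to check against your SDK version.

```jsx
// Added example, not Frontegg's own code.
// Assumption: @frontegg/react's FronteggProvider accepts an authOptions prop
// carrying keepSessionAlive; verify against the SDK version you use.
import React from 'react';
import { FronteggProvider } from '@frontegg/react';

const contextOptions = {
  baseUrl: 'https://[your-frontegg-domain].frontegg.com', // placeholder, as on this page
  clientId: 'YOUR-CLIENT-ID',                              // placeholder
};

// keepSessionAlive: false -> impersonation sessions are cut to 5 minutes
// keepSessionAlive: true  -> impersonation sessions get the full 60-minute cap
const authOptions = { keepSessionAlive: true };

export function App({ children }) {
  // hostedLoginBox={true} matches the Hosted login method described below (assumed prop name)
  return (
    <FronteggProvider contextOptions={contextOptions} authOptions={authOptions} hostedLoginBox={true}>
      {children}
    </FronteggProvider>
  );
}
```

Keep the 5-minute default in mind when a support engineer reports being "kicked out" of an impersonation session; it is the intended behaviour when keepSessionAlive is off, not a bug in your app.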


User Impersonation and Login URL

When opening an impersonation session, Frontegg creates the session at the URL specified in the environment's Login URL variable.

If you are using the Hosted login method, the Login URL should be https://[your-frontegg-domain].frontegg.com/oauth

If you are using the Embedded Login method, the Login URL should be the same as your App URL, for example: http://localhost:3000.

Impersonation on a user level

If a user is the subject of an active impersonation session, that session appears in their login sessions. Like any of their sessions, they can revoke it, which ends the impersonation session.

Who can impersonate users

To impersonate users, you must have either the Owner or the Impersonator role, in addition to the Admin or Backoffice Editor role.
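As an added example, not part of this page and not Frontegg SDK code, the following JavaScript reviews exported impersonation session records against three things this page states: every impersonation must carry a reason, sessions last at most 60 minutes, and the actor needs Owner or Impersonator plus Admin or Backoffice Editor. The record shape, field names (actorRoles, reason, startedAt, endedAt) and sample records are constructed for illustration and are not Frontegg's audit-log schema; map them to whatever your audit-log export actually contains.

```javascript
// Added example (not Frontegg's code): review impersonation session records against
// the limits this page describes. The record shape is CONSTRUCTED for illustration
// and is not Frontegg's audit-log schema.

const IMPERSONATION_MAX_MS = 60 * 60 * 1000; // sessions last at most 60 minutes
const IMPERSONATOR_ROLES = ['Owner', 'Impersonator'];
const BACKOFFICE_ROLES = ['Admin', 'Backoffice Editor'];

// Who can impersonate: Owner or Impersonator, AND Admin or Backoffice Editor.
function canImpersonate(roles) {
  const have = new Set(roles);
  return IMPERSONATOR_ROLES.some((r) => have.has(r)) && BACKOFFICE_ROLES.some((r) => have.has(r));
}

// Returns the findings for one session record; an empty list means it looks clean.
// nowMs is used as the end time for sessions that are still open (endedAt == null).
function auditImpersonationSession(session, nowMs = Date.now()) {
  const findings = [];
  if (!canImpersonate(session.actorRoles)) {
    findings.push('actor lacks the Owner/Impersonator + Admin/Backoffice Editor role combination');
  }
  if (!session.reason || session.reason.trim() === '') {
    findings.push('no impersonation reason recorded');
  }
  const start = Date.parse(session.startedAt);
  const end = session.endedAt ? Date.parse(session.endedAt) : nowMs;
  const minutes = Math.round((end - start) / 60000);
  if (end - start > IMPERSONATION_MAX_MS) {
    // The platform caps sessions at 60 minutes, so a longer record means an open
    // session that should have ended, a logging gap, or something to investigate.
    findings.push(`session ran ${minutes} min, longer than the 60-minute cap`);
  }
  return findings;
}

// Map of session id -> findings for a batch of records.
function auditAll(sessions, nowMs) {
  return Object.fromEntries(sessions.map((s) => [s.id, auditImpersonationSession(s, nowMs)]));
}

// Constructed sample records (hypothetical shape, not a real export).
const SAMPLE_SESSIONS = [
  { id: 's1', actor: 'alice@example.com', actorRoles: ['Admin', 'Impersonator'],
    target: 'bob@example.com', reason: 'Reproduce checkout error from ticket 4521',
    startedAt: '2024-05-01T10:00:00Z', endedAt: '2024-05-01T10:20:00Z' },
  { id: 's2', actor: 'carol@example.com', actorRoles: ['Admin'],
    target: 'dave@example.com', reason: '',
    startedAt: '2024-05-01T11:00:00Z', endedAt: '2024-05-01T11:05:00Z' },
  { id: 's3', actor: 'erin@example.com', actorRoles: ['Owner', 'Backoffice Editor'],
    target: 'frank@example.com', reason: 'Verify SSO settings',
    startedAt: '2024-05-01T12:00:00Z', endedAt: '2024-05-01T13:30:00Z' },
  { id: 's4', actor: 'alice@example.com', actorRoles: ['Admin', 'Impersonator'],
    target: 'grace@example.com', reason: 'Check dashboard rendering',
    startedAt: '2024-05-01T14:00:00Z', endedAt: null },
];

// Fixed review time so the still-open session s4 is measurable and the run is reproducible.
const REVIEW_TIME = Date.parse('2024-05-01T15:30:00Z');
const REPORT = auditAll(SAMPLE_SESSIONS, REVIEW_TIME);
console.log(JSON.stringify(REPORT, null, 2));
```

In the sample data, s1 is clean, s2 is flagged twice (actor lacks an impersonation role and gave no reason), s3 ran 90 minutes, and s4 has been open for 90 minutes at review time. Run this kind of check against your Audit Trail export on a schedule; because the target user can revoke the session at any time, an impersonation that ends early is normal, while one that outlives the cap is not.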