User Impersonation

User impersonation refers to the ability of a system to temporarily grant one user, typically an administrator or a member of support staff, access to another user's account. This feature can be extremely useful for troubleshooting, testing, or resolving user issues without needing the original user's login credentials. With Frontegg, you can impersonate your users easily and securely.

In this guide, you will learn how to set up and configure user impersonation in your app. User impersonation is a powerful but potentially dangerous tool, as it allows every action inside another user's account (including switching accounts, where that is possible). Only grant impersonation permissions to those you trust.


Prerequisites

The following versions are required to use the feature:

@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]

Enabling user impersonation

When setting up user impersonation, you have two choices to make:

  1. Whether you want user impersonation enabled or not.
    Enabling it does not mean that anyone can use it: only users with the right roles/permissions can impersonate.
  2. Whether you want audit logs about impersonated actions sent to accounts.
    Audit logs about impersonated actions are always sent to the Frontegg Portal (Audit Trail), but if this setting is enabled, they are not sent to account audit logs. (Keep in mind that a user's login sessions always show an impersonation session.)

To configure these settings, go to Builder —> App Settings —> User Impersonation

Using user impersonation

To impersonate another user, all you need to do is locate the user you want to impersonate in any environment, choose which of their accounts you want to log in to, and then click “Impersonate User”.

You’ll then be asked to enter a reason you are impersonating that user. This reason will appear on vendor audit logs and account audit logs (if they are enabled).

If impersonation is enabled on your app and your role permits impersonation, a session will open in a new tab, logged in as your target user with their role. The session will last for a maximum of 60 minutes and can’t be extended.


User Impersonation and Login URL

When opening an impersonation session, Frontegg creates the session at the URL specified in the environment's Login URL variable.

If you are using the Hosted login method, the Login URL should be https://[your-frontegg-domain].frontegg.com/oauth

If you are using the Embedded Login method, the Login URL should be the same as your App URL, for example: http://localhost:3000.

Impersonation on a user level

If a user is the subject of an existing impersonation session, that session appears in their list of login sessions. Like any of their sessions, they can revoke it, which ends the impersonation session.

Who can impersonate users

To impersonate users, you must either have an Owner role or an Impersonator role (in addition to Admin or Backoffice Editor).
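The rules described across this page (who may impersonate, the mandatory reason, the 60-minute non-extendable session, vendor audit logs always written and account audit logs only when enabled, and revocation by the impersonated user) can be expressed as a small server-side guard. The following is an added example written for this guide, not Frontegg's own code or SDK: the role names are taken from the text, but the session object shape, the `settings.sendToAccountAuditLogs` toggle, and the `audit` sink are assumptions made for illustration.

```javascript
// Added illustration, not part of the Frontegg SDK. Mirrors the impersonation
// policy described in the guide; session shape and audit sink are assumptions.

const MAX_IMPERSONATION_MS = 60 * 60 * 1000; // sessions last at most 60 minutes

// Eligibility: Owner, or Impersonator combined with Admin or Backoffice Editor.
function canImpersonate(roles) {
  const r = new Set(roles);
  if (r.has('Owner')) return true;
  return r.has('Impersonator') && (r.has('Admin') || r.has('Backoffice Editor'));
}

// Open an impersonation session. A non-empty reason is mandatory because it is
// what appears in the audit logs. Vendor (Frontegg Portal) logs are always
// written; account logs only when the assumed `sendToAccountAuditLogs` is on.
function openImpersonationSession({ actor, targetUserId, targetAccountId, reason, now, settings, audit }) {
  if (!canImpersonate(actor.roles)) {
    throw new Error('forbidden: actor lacks an impersonation-capable role');
  }
  if (typeof reason !== 'string' || reason.trim() === '') {
    throw new Error('a reason for impersonation is required');
  }
  const session = {
    actorId: actor.id,
    targetUserId,
    targetAccountId,
    reason: reason.trim(),
    startedAt: now,
    expiresAt: now + MAX_IMPERSONATION_MS, // fixed cap, never extended
    impersonated: true,                    // makes the session visible as such
    revoked: false,
  };
  const entry = { type: 'impersonation.started', ...session };
  audit.vendor.push(entry);
  if (settings.sendToAccountAuditLogs) audit.account.push(entry);
  return session;
}

// Impersonation sessions cannot be extended: any request leaves expiry unchanged.
function extendImpersonationSession(session) {
  return session.expiresAt;
}

function isImpersonationSessionActive(session, now) {
  return !session.revoked && now < session.expiresAt;
}

// The impersonated user can revoke the session from their login sessions list.
function revokeSession(session, byUserId) {
  if (byUserId !== session.targetUserId) {
    throw new Error('only the impersonated user can revoke this session here');
  }
  session.revoked = true;
  return session;
}

// Constructed sample run (hypothetical ids and roles).
const sampleAudit = { vendor: [], account: [] };
const sampleSession = openImpersonationSession({
  actor: { id: 'support-17', roles: ['Impersonator', 'Backoffice Editor'] },
  targetUserId: 'user-42',
  targetAccountId: 'acct-7',
  reason: 'reproduce ticket about missing dashboard widget',
  now: 0,
  settings: { sendToAccountAuditLogs: false },
  audit: sampleAudit,
});
```

Because the expiry is computed once from the fixed cap and `extendImpersonationSession` never changes it, a caller cannot stretch an impersonation session past the limit, and the `impersonated` flag is what a sessions list would use to show the target user that someone else is acting in their account.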