Impersonation plugin ==================== This plugin allows certain users to assume the identity of another user. A privileged user first logs in with its real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms. .. attention:: This plugin should not be used on production instance, prefer :doc:`ContextSwitching plugin`. Configuration ------------- Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated. - **Parameters**: - **Use rule**: Rule to allow/deny users to impersonate or define which users may use this plugin. - **Identities use rule**: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users - **Unrestricted users rule**: Rule to define which users can assume ALL users. ``Identities use rule`` is bypassed. - **Hidden attributes**: Attributes not displayed - **Skip empty values**: Do not use empty profile attributes - **Merge spoofed and real SSO groups**: Can be useful for administrators to keep higher privileges. "Special rule" field can be used to set SSO groups to merge if exist in real session. Multivalue ``separator`` is used. By example : ``su; admins; anonymous`` .. danger:: You HAVE TO modify **REMOTE_USER** to log both real AND spoofed uid. Set a macro like this : ``_whatToTrace`` -> ``$real__user ? "$real__user/$_user" : "$_user/$_user"`` and set ``General Parameters > Logs > REMOTE_USER`` with ``_whatToTrace`` .. attention:: Both spoofed and real session attributes can be used to set access rules, groups or macros. By example : ``$real_uid && $real_uid eq 'dwho'`` or ``$real_groups && $real_groups =~ /\bsu\b/`` Keep in mind that real session is computed first. Afterward, if access is granted, impersonated session is computed with real and spoofed session attributes if Impersonation is allowed. So, ``real_`` attributes are computed by second authentication process. To avoid Perl warnings, you have to prefix regex with ``$real_var &&``. .. attention:: By example, to prevent impersonation as 'dwho' set **Identities use rule** like : ``$uid ne 'dwho'`` impersonationPrefix is used to rename user's real profile attributes. You can set real attributes prefix ('real\_' by default) by editing ``lemonldap-ng.ini`` in section [portal]: .. code-block:: ini [portal] impersonationPrefix = real_