Differences

This shows you the differences between two versions of the page.

documentation:latest:impersonation [2019/05/04 13:24]
cmaudoux [Configuration]
documentation:latest:impersonation [2019/07/02 23:28] (current)
Line 1: Line 1:
 ====== Impersonation plugin ====== ====== Impersonation plugin ======
  
-This plugin allows ​us to use identity of another user. User have to log in with its real account and can choose ​to use an another profile. ​Can be useful for training/​learning or development platforms. ​+This plugin allows ​certain users to assume the identity of another user. A privileged user first logs in with its real account and can then choose another profile ​to appear asThis feature can be especially ​useful for training/​learning or development platforms. 
 + 
 +<note important>​This plugin should not be used on production instance, prefer [[contextswitching|ContextSwitching plugin]].</​note>​
  
 ===== Configuration ===== ===== Configuration =====
  
-Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore,​ specific identities like administrators or anonymous users can be forbidden to impersonate.+Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore,​ specific identities like administrators or anonymous users can be protected from being impersonated.
  
   * **Parameters**:​   * **Parameters**:​
-    * **Use rule**: ​Allow or deny only specific ​users to use this plugin +    * **Use rule**: ​Select which users may use this plugin 
-    * **Identities use rule**: Rule to define which identities can be spoofed. Useful to prevent impersonation ​with specific ​identities like CEO, administrators or anonymous/​protected users+    * **Identities use rule**: Rule to define which identities can be assumed. Useful to prevent impersonation ​of certain sensitive ​identities like CEO, administrators or anonymous/​protected users.
-    * **Real attributes prefix**: Prefix use to rename user real profile attributes.+
     * **Hidden attributes**:​ Attributes not displayed     * **Hidden attributes**:​ Attributes not displayed
     * **Skip empty values**: Do not use empty profile attributes     * **Skip empty values**: Do not use empty profile attributes
-    * **Merge spoofed and real SSO groups**: Can be useful for administrators to keep higher privileges+    * **Merge spoofed and real SSO groups**: Can be useful for administrators to keep higher privileges. "​Special rule" field can be used to set SSO groups to merge if exist in real session. Multivalue ''​separator''​ is used. By example : ''​su;​ admins; anonymous''​
  
 <note warning> <note warning>
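
Review bot: In the text added to **Merge spoofed and real SSO groups**, the example ''su; admins; anonymous'' puts a space after each separator, while the sentence before it only says the multivalue separator is used. The reader cannot tell whether entries are trimmed or whether " admins" is matched literally. State the trimming behaviour, or write the example without spaces. Because this option lets groups from the real session carry over into the assumed identity, also say what is merged when the "Special rule" field is left empty. Wording: "if exist in real session" should be "if they exist in the real session" and "By example" should be "For example". The new production note would be more useful with a one-line reason for preferring ContextSwitching.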
Line 20: Line 21:
 Set a macro like this :  Set a macro like this : 
  
-''​ <​nowiki>​_whatToTrace -> $real__user ? "​$real__user / $_user"​ : $_user / $_user</​nowiki>​ ''​+''​ <​nowiki>​_whatToTrace -> $real__user ? "​$real__user/​$_user"​ : "$_user/​$_user"</​nowiki>​ ''​
  
 and set ''​Genaral Parameters > Logs > REMOTE_USER''​ with ''​ _whatToTrace ''​ and set ''​Genaral Parameters > Logs > REMOTE_USER''​ with ''​ _whatToTrace ''​
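
Review bot: The macro tests ''$real__user'', which hard-codes the default ''real_'' prefix. If ''impersonationPrefix'' is set to anything else, that variable would presumably never be set, and impersonated sessions would be logged as ''$_user/$_user'', indistinguishable from ordinary ones. Add a sentence next to the macro saying the variable name must follow the configured prefix. The unchanged line below still reads "Genaral Parameters", which could be corrected to "General Parameters" in the same edit.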
Line 35: Line 36:
  
 <note important>​ <note important>​
-By example, to prevent impersonation ​with '​dwho'​ set **Identities use rule** like : +By example, to prevent impersonation ​as '​dwho'​ set **Identities use rule** like : 
  
 ''​ $uid ne '​dwho'​ ''​ ''​ $uid ne '​dwho'​ ''​
  
 </​note>​ </​note>​
 +
 +impersonationPrefix is used to rename user's real profile attributes. You can set real attributes prefix ('​real_'​ by default) by editing ''​lemonldap-ng.ini''​ in section [portal]:
 +
 +<file ini>
 +[portal]
 +impersonationPrefix = real_
 +</​file>​
 +
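
Review bot: The new paragraph on impersonationPrefix does not say that this ini setting appears to replace the **Real attributes prefix** parameter removed from the Manager list earlier in this revision, so a reader coming from the previous text has no pointer to where the option went. Say so explicitly, and put the setting name in the same '' '' markup used for ''lemonldap-ng.ini''. The paragraph also sits after the **Identities use rule** example with no heading of its own. It would read better next to the parameter list or next to the ''_whatToTrace'' macro that depends on the prefix. "By example" in the changed line above should be "For example".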