diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
index 66af8c0f0..2631a484e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
@@ -271,14 +271,14 @@ sub check {
 }
 # Check identities rule
+ $self->logger->info("\"$user\" is an unrestricted user!") if $unUser;
 unless ( $unUser || $self->idRule->( $req, $attrs ) ) {
 $self->userLogger->warn( "checkUser requested for an unvalid user ($user)");
 $req->{sessionInfo} = {};
 $self->logger->debug('Identity not authorized');
- $req->error(PE_BADCREDENTIALS);
+ $req->error(PE_BADCREDENTIALS); # Catch error to preserve protected Id
 }
- $self->logger->info("\"$user\" is an unrestricted user!") if $unUser;
 }
 if ( $req->error ) {
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm
index db106e3f3..003b5ccb7 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ContextSwitching.pm
@@ -14,7 +14,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
 PE_IMPERSONATION_SERVICE_NOT_ALLOWED
 );
-our $VERSION = '2.0.8';
+our $VERSION = '2.0.9';
 extends qw(
 Lemonldap::NG::Portal::Main::Plugin
@@ -36,6 +36,7 @@ has ott => (
 );
 has rule => ( is => 'rw', default => sub { 0 } );
 has idRule => ( is => 'rw', default => sub { 1 } );
+has unrestrictedUsersRule => ( is => 'rw', default => sub { 0 } );
 sub init {
 my ($self) = @_;
@@ -59,6 +60,14 @@ sub init {
 );
 return 0 unless $self->idRule;
+ $self->unrestrictedUsersRule(
+ $self->p->buildRule(
+ $self->conf->{contextSwitchingUnrestrictedUsersRule},
+ 'contextSwitchingUnrestrictedUsers'
+ )
+ );
+ return 0 unless $self->unrestrictedUsersRule;
+
 return 1;
 }
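Review bot: The added `$self->logger->info("\"$user\" is an unrestricted user!") if $unUser;` records the bypass of the identities rule in the technical log only, while the refusal two lines below goes through `$self->userLogger->warn(...)`; the grant is the more consequential of the two events and belongs in the same channel, e.g. `$self->userLogger->notice("\"$user\" is an unrestricted user: identities rule skipped") if $unUser;` (assuming userLogger is the audit log, as its use for the refusal suggests). Note also that `$user` is the identity being checked in the warn text below, so if the rule was evaluated on the requester the message names the wrong party. The same logger choice is added in ContextSwitching::_switchContext (hunk @@ -213,8 +223,9) and Impersonation::_userData (hunk @@ -224,8 +223,9), where the message could additionally name `$req->{user}`, the identity being assumed. The comment `# Catch error to preserve protected Id` on the `$req->error(PE_BADCREDENTIALS)` line, repeated in Impersonation::run (hunk @@ -131,7 +131,7), is hard to read; if the intent is that a refused identity yields the same error as a bad login so the response does not reveal that the identity is protected, write that: `# Generic error on purpose: do not reveal that the requested identity is protected`. check() starts and continues outside the hunk.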
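Review bot: The `$self->unrestrictedUsersRule(...)` block added to init() compiles a rule whose match disables the identities rule entirely (see `unless ( $unUser || $self->idRule->(...) )` in _switchContext), yet neither it nor the `has unrestrictedUsersRule` line (hunk @@ -36,6 +36,7) says so. Suggested comment above the added block: `# Users matching this rule skip the identities rule (idRule) and may switch to any identity; run() evaluates it on $req->userData, i.e. the real user's session, not the spoofed one`. The `default => sub { 0 }` on the has line is the right fail-closed value, but from this hunk it is not visible what buildRule returns for an empty `contextSwitchingUnrestrictedUsersRule`, so whether an unset key disables the plugin via `return 0 unless $self->unrestrictedUsersRule;` or yields a never-matching rule should be stated too, ideally with a test that an empty rule leaves `$unUser` false. init() starts outside the hunk.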
@@ -133,6 +142,7 @@ sub run {
 my $statut = PE_OK;
 my $realId = $req->{user};
 my $spoofId = $req->param('spoofId') || ''; # ContextSwitching required ?
+ my $unUser = $self->unrestrictedUsersRule->( $req, $req->userData ) || 0;
 # Check token
 if ( $self->ottRule->( $req, {} ) ) {
@@ -173,7 +183,7 @@ sub run {
 }
 # Create spoofed session
- $req = $self->_switchContext( $req, $spoofId );
+ $req = $self->_switchContext( $req, $spoofId, $unUser );
 $statut = ( $req->error == PE_BADCREDENTIALS ? PE_MALFORMEDUSER : $req->error ) if $req->error;
@@ -187,7 +197,7 @@ sub run {
 }
 sub _switchContext {
- my ( $self, $req, $spoofId ) = @_;
+ my ( $self, $req, $spoofId, $unUser ) = @_;
 my $realSessionId = $req->userData->{_session_id};
 my $realAuthLevel = $req->userData->{authenticationLevel};
 my $realId = $req->{user};
@@ -213,8 +223,9 @@ sub _switchContext {
 $raz = 1;
 }
- # Check identity rule if ContextSwitching required
- unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
+ # Check identities rule if ContextSwitching required
+ $self->logger->info("\"$realId\" is an unrestricted user!") if $unUser;
+ unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) ) {
 $self->userLogger->warn( 'ContextSwitching requested for an unvalid user (' . $req->{user}
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
index 09c92e3c7..175d67630 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
@@ -131,7 +131,7 @@ sub run {
 if ( $req->error ) {
 $self->setSecurity($req);
 if ( $req->error == PE_BADCREDENTIALS ) {
- $statut = PE_BADCREDENTIALS;
+ $statut = PE_BADCREDENTIALS; # Catch error to preserve protected Id
 }
 else {
 return $req->error;
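Review bot: The added `my $unUser = $self->unrestrictedUsersRule->( $req, $req->userData ) || 0;` evaluates the bypass on `$req->userData` while the identities rule further down is evaluated on `$req->sessionInfo` (hunk @@ -213,8 +223,9); that asymmetry is the security invariant of the feature and deserves a why-comment so a later refactor does not unify the two, e.g. `# Evaluated on the real (authenticated) session: the spoofed session must never be able to grant itself the bypass`. The value is then passed positionally as a fourth argument to `_switchContext` (hunks @@ -173,7 +183,7 and @@ -187,7 +197,7) with no documentation on that private sub; a one-line comment on its signature naming `$unUser` as a boolean computed by run() would help. run() starts outside the hunk.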
@@ -200,9 +200,8 @@ sub run {
 sub _userData {
 my ( $self, $req, $spoofId, $realSession, $unUser ) = @_;
 my $realId = $req->{user};
- $self->logger->info("\"$realId\" is an unrestricted user!") if $unUser;
- $req->{user} = $spoofId;
 my $raz = 0;
+ $req->{user} = $spoofId;
 # Compute Macros and Groups with real and spoof sessions
 $req->sessionInfo($realSession);
@@ -224,8 +223,9 @@ sub _userData {
 $raz = 1;
 }
- # Check identity rule if Impersonation required
+ # Check identities rule if Impersonation required
 if ( $realId ne $spoofId ) {
+ $self->logger->info("\"$realId\" is an unrestricted user!") if $unUser;
 unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) ) {
 $self->userLogger->warn( 'Impersonation requested for an unvalid user ('