Impersonation plugin ==================== This plugin allows certain users to assume the identity of another user. A privileged user first logs in with its real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms. .. important:: This plugin should not be used on production instance, prefer :doc:`ContextSwitching plugin`. Configuration ------------- Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated. - **Parameters**: - **Use rule**: Rule to allow/deny users to impersonate or define which users may use this plugin. - **Identities use rule**: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users - **Hidden attributes**: Attributes not displayed - **Skip empty values**: Do not use empty profile attributes - **Merge spoofed and real SSO groups**: Can be useful for administrators to keep higher privileges. "Special rule" field can be used to set SSO groups to merge if exist in real session. Multivalue ``separator`` is used. By example : ``su; admins; anonymous`` .. warning:: You HAVE TO modify **REMOTE_USER** to log both real AND spoofed uid. Set a macro like this : '' \_whatToTrace -> $real__user ? "$real__user/$_user" : "$_user/$_user" '' and set ``Genaral Parameters > Logs > REMOTE_USER`` with '' \_whatToTrace '' .. important:: Both spoofed and real session attributes can be used to set access rules, groups or macros. By example : ``$real_uid eq 'dwho``' or ``$real_groups =~ /\bsu\b/`` Keep in mind that real session is computed first. Afterward, if access is granted, impersonated session is computed with real and spoofed session attributes if Impersonation is allowed. .. important:: By example, to prevent impersonation as 'dwho' set **Identities use rule** like : '' $uid ne 'dwho' '' impersonationPrefix is used to rename user's real profile attributes. You can set real attributes prefix ('real\_' by default) by editing ``lemonldap-ng.ini`` in section [portal]: .. code:: ini [portal] impersonationPrefix = real_