# Impersonate Users for Support

**ID:** ADM-006
**Priority:** Low
**Status:** Planned

## User Story

As a platform administrator, I want to temporarily impersonate a user so that I can troubleshoot issues they're experiencing without asking for their credentials.

## Acceptance Criteria

- [ ] Admin can initiate impersonation session for any user
- [ ] Impersonation requires confirmation and reason
- [ ] Clear visual indicator when in impersonation mode
- [ ] Admin can end impersonation and return to their session
- [ ] All actions during impersonation are logged
- [ ] User is optionally notified of impersonation
- [ ] Impersonation sessions have time limit
- [ ] Cannot impersonate other admins without super-admin

## Technical Notes

- Special JWT claim to indicate impersonation
- Original admin identity preserved in token
- Audit log must capture both admin and impersonated user
- Consider "read-only" impersonation mode
- Security review required before implementation

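
A sketch of how the token and audit notes above could fit together, added here as an illustration and not taken from the project's code. It assumes the RFC 8693 `act` claim as the "special JWT claim"; the claim names `imp_reason` and `imp_ro`, the role names, the 15-minute `MAX_TTL` and the signing key are all hypothetical.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed; a real service loads this from a secret store
MAX_TTL = 900                  # assumed cap (seconds) on an impersonation session
HEADER = {"alg": "HS256", "typ": "JWT"}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _enc(obj):
    return _b64(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())

def _mac(signing_input):
    return _b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(admin, target, reason, read_only=True, ttl=MAX_TTL, now=None):
    """Mint a token whose sub is the impersonated user and act.sub the real admin."""
    if not {"admin", "super-admin"} & set(admin["roles"]):
        raise PermissionError("only admins may impersonate")
    if not reason.strip():
        raise PermissionError("a reason is required")
    if {"admin", "super-admin"} & set(target["roles"]) and "super-admin" not in admin["roles"]:
        raise PermissionError("impersonating an admin requires super-admin")
    now = int(time.time()) if now is None else now
    claims = {"sub": target["id"], "act": {"sub": admin["id"]}, "imp_reason": reason,
              "imp_ro": read_only, "iat": now, "exp": now + min(ttl, MAX_TTL)}
    body = _enc(HEADER) + "." + _enc(claims)
    return body + "." + _mac(body)

def verify(token, now=None):
    """Check the pinned header, the signature and the expiry; return the claims."""
    head, payload, sig = token.split(".")
    if head != _enc(HEADER) or not hmac.compare_digest(sig, _mac(head + "." + payload)):
        raise ValueError("bad token")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("impersonation session expired")
    return claims

def audit(claims, method, path):
    """Audit entry naming both identities; read-only sessions may only GET/HEAD."""
    actor = claims.get("act", {}).get("sub")
    allowed = not (actor and claims.get("imp_ro") and method not in ("GET", "HEAD"))
    return {"user": claims["sub"], "admin": actor, "reason": claims.get("imp_reason"),
            "method": method, "path": path, "allowed": allowed}
```

Because the admin's identity travels inside the signed token, every downstream service can write the same two-identity audit entry without a session lookup, and ending impersonation is just discarding this token in favour of the admin's own.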

## Related TODOs

- New feature - support tooling