app/stories/admin/ADM-006-user-impersonation.md
2025-11-30 15:01:28 +00:00

Impersonate Users for Support

ID: ADM-006 Priority: Low Status: Planned

User Story

As a platform administrator, I want to temporarily impersonate a user so that I can troubleshoot issues they're experiencing without asking for their credentials.

Acceptance Criteria

  • Admin can initiate impersonation session for any user
  • Impersonation requires confirmation and reason
  • Clear visual indicator when in impersonation mode
  • Admin can end impersonation and return to their session
  • All actions during impersonation are logged
  • User is optionally notified of impersonation
  • Impersonation sessions have a time limit
  • Admins cannot impersonate other admins without super-admin privileges

Technical Notes

  • Special JWT claim to indicate impersonation
  • Original admin identity preserved in token
  • Audit log must capture both admin and impersonated user
  • Consider "read-only" impersonation mode
  • Security review required before implementation
  • New feature - support tooling
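
The following sketch is an added example, not code from this project. It shows one way the technical notes above could fit together: a signed token whose `sub` is the impersonated user, with the admin kept in an `act` (actor) claim as defined in RFC 8693, a fixed expiry, and an audit record naming both identities. The choice of `act`, the `imp_reason` and `imp_read_only` claim names, the role names, the 15-minute limit, the user dict shape and the demo key are all assumptions.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # constructed secret for the demo only
MAX_TTL = 15 * 60               # assumed session time limit, in seconds
ADMIN_ROLES = {"admin", "super-admin"}  # assumed role names

def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _sign(signing_input: bytes) -> bytes:
    return _b64(hmac.new(KEY, signing_input, hashlib.sha256).digest())

def mint_impersonation_token(admin, target, reason, now=None, read_only=True):
    """admin and target are dicts with 'id' and 'roles' (hypothetical shape)."""
    if not reason or not reason.strip():
        raise PermissionError("a reason is required")
    if not ADMIN_ROLES & set(admin["roles"]):
        raise PermissionError("only admins may impersonate")
    if ADMIN_ROLES & set(target["roles"]) and "super-admin" not in admin["roles"]:
        raise PermissionError("impersonating an admin requires super-admin")
    now = int(time.time() if now is None else now)
    claims = {
        "sub": target["id"],            # requests run as the impersonated user
        "act": {"sub": admin["id"]},    # original admin identity preserved
        "imp_reason": reason.strip(),   # hypothetical claim name
        "imp_read_only": read_only,     # hypothetical claim name
        "iat": now,
        "exp": now + MAX_TTL,           # hard time limit on the session
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b".".join(_b64(json.dumps(p).encode()) for p in (header, claims))
    return (signing_input + b"." + _sign(signing_input)).decode()

def verify_token(token, now=None):
    """Return the claims, or raise ValueError. Only HS256 is ever computed,
    so the header's alg field cannot select a weaker check."""
    head, body, sig = token.encode().split(b".")
    if not hmac.compare_digest(sig, _sign(head + b"." + body)):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("impersonation session expired")
    return claims

def audit_record(claims, action):
    """Audit entry that names both the acting admin and the impersonated user."""
    impersonated = "act" in claims
    return {"actor": claims["act"]["sub"] if impersonated else claims["sub"],
            "subject": claims["sub"], "impersonated": impersonated, "action": action}
```

Because the admin identity travels inside the signed token, every downstream service can log the real actor without a session lookup, and the UI can key its impersonation banner on the presence of `act`.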