Impersonation safeguards

Sometimes the only way to debug a customer issue is to see what they're seeing. TSNC's impersonation feature lets a platform admin do that — with hard guardrails so it can never be used to harm the customer.

What impersonation does

From a user's page in the platform admin tools, hit Impersonate. You assume that user's session. You see what they see. You can navigate around the app as them, identify the bug, and end impersonation when done.

Impersonation is the support tool of last resort. Most issues can be solved by reading the audit log, asking the customer to reproduce on a screenshare, or writing a debugging script. Impersonate when those have failed.

The hard guardrails

Even while impersonating a user, certain actions are completely blocked. These aren't suggestions — they're enforced at the API level, on every endpoint, and they cannot be overridden by any platform admin role.

Vault is fully blocked during impersonation

  • All 32 password vault API endpoints refuse to respond when the requester is impersonating
  • The vault UI shows a clear "Impersonating — vault locked" banner
  • You cannot read, modify, share, or delete any password while impersonating
  • This applies even if the impersonated user has presented MFA
โœ๏ธ
Why vault is blocked
The single biggest abuse vector for impersonation features at password managers is "support agent reads customer's vault." We removed that vector entirely. If a customer asks for password help that requires vault access, the answer is "recover via your org admin and their escrow key" — not "let me impersonate and see what's in there."

Impersonation tokens carry no admin privileges

When you impersonate, your session takes on the impersonated user's privileges — NOT yours. If the user is a basic teacher, you have teacher-level access. If they're a principal, you have principal-level access. Your platform admin powers do NOT carry into the impersonated session.

Net effect: you cannot escalate by impersonating a low-privilege user and somehow gaining higher-privilege actions. The impersonation flattens you to whoever you're impersonating.

Every action is logged with your identity

While impersonating, every API call is recorded in the audit log with TWO identities: the impersonated user (whose session you're using) and you (the platform admin doing it). Both are visible. There is no "hidden impersonation" — it's designed to leave a clear trail.

The user can see when they were impersonated

Users can view the audit log of actions on their own account. Impersonation events appear there with the platform admin's name and timestamp. We're transparent with customers that this feature exists and that it leaves a paper trail they can read.
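
A minimal sketch of how the guardrails above can be enforced in one per-request check. This is an added example, not TSNC's code: the `/api/vault/` prefix, the role ranking, the record fields and the e-mail addresses used to exercise it are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

VAULT_PREFIX = "/api/vault/"  # assumed route prefix for the vault endpoints
ROLE_RANK = {"teacher": 1, "principal": 2, "platform_admin": 3}  # assumed ordering
AUDIT_LOG: list[dict] = []    # stand-in for the real audit store


class Forbidden(Exception):
    """Raised when a request must be refused."""


@dataclass(frozen=True)
class Session:
    user: str                           # account whose session is in use
    role: str                           # privileges the session carries
    impersonator: Optional[str] = None  # platform admin behind it, if any


def _audit(session: Session, action: str, allowed: bool) -> None:
    # Every record carries both identities, so no call is anonymous.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": session.user,
        "impersonated_by": session.impersonator,
        "action": action,
        "allowed": allowed,
    })


def start_impersonation(admin: str, target: str, target_role: str) -> Session:
    # The session is built from the target's role only; the admin's own
    # role is never copied in, so privileges are flattened to the target's.
    session = Session(user=target, role=target_role, impersonator=admin)
    _audit(session, "impersonation.start", allowed=True)
    return session


def authorize(session: Session, method: str, path: str, required_role: str) -> None:
    """Run before every handler; raises Forbidden when the call is refused."""
    action = f"{method} {path}"
    # Vault check comes first and has no override branch for any role.
    if session.impersonator is not None and path.startswith(VAULT_PREFIX):
        _audit(session, action, allowed=False)
        raise Forbidden("Impersonating: vault locked")
    if ROLE_RANK[session.role] < ROLE_RANK[required_role]:
        _audit(session, action, allowed=False)
        raise Forbidden("insufficient role")
    _audit(session, action, allowed=True)
```

Denied calls are audited as well as allowed ones, so an attempt to reach the vault while impersonating shows up in the trail with the admin's identity attached.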

Starting an impersonation

  1. Find the user in All Users
     Search by email or name.
  2. Click their profile, then Impersonate
     Confirm the action. You'll be redirected to their session.
  3. See the persistent banner
     A red banner stays at the top of every page reminding you that you're impersonating, and listing the user's email. The banner has an "End impersonation" button.
  4. Do your debugging
     Navigate as the user would. Reproduce the bug. Take notes (NOT screenshots — never screenshot a customer's session).
  5. End impersonation
     Always end the session explicitly. Don't just close the tab. The audit log records the start AND end times.
Best practices
  • Get explicit consent from the customer before impersonating, when possible
  • Limit impersonation to the minimum time needed (under 10 minutes is healthy)
  • Don't take notes that include personal info (names of contacts, calendar events, etc.)
  • Don't click destructive buttons (deactivate, delete) even if they're asking you to
  • If you need to make a change, do it from your own platform admin tools, not from inside impersonation

FAQ

Can a customer disable impersonation for their account?
Currently no — impersonation is part of the support contract for every account. We're considering an enterprise-tier opt-out for dioceses with strict policies. The trade-off is real: turning it off makes some support tickets dramatically harder to resolve.

What happens if I forget to end impersonation?
Sessions auto-expire after 30 minutes of inactivity in impersonation mode (vs. the standard 7-day session length). The audit log captures the timeout. So if you walk away from your laptop, the worst that happens is a 30-minute gap in the audit trail before the session ends.

Can I impersonate a platform admin?
No — platform admins cannot be impersonated by other platform admins. This prevents the "chained impersonation" attack where one compromised platform admin uses impersonation to gain another's identity.
โ† Previous
Platform admin overview
Next โ†’
Scanner accounts