Version: 7.2402.x.x RR

Technical users and impersonation

Technical users are special users (usually technical clients and automatic processes) that have certain restrictions and additional features compared to a normal user:

  • A technical user is defined as such during creation. This can never be changed.
  • Technical users can have at most one profile.
  • Technical users can inherit special technical roles.
  • Default authorizations defined in a default profile policy are not applied to technical users during their creation. This affects direct authorizations and enterprise authorizations.

Older nevisIDM versions (<2.20.0.0) offered the same feature, in a less advanced form, by means of the IdmImpersonateState and the TechUser role. This mechanism is deprecated and we recommend migrating to technical users with the role "Impersonator".

By impersonating another user, a technical user takes over the username, profile and some roles of the specified end user. The impersonator can thus act on behalf of the end user transparently for applications that are not aware of impersonation.

  • Users with the technical role "Impersonator" can impersonate. By default only technical users can impersonate, but non-technical users can also be allowed to impersonate by means of the global configuration parameter application.feature.impersonation.restriction.enabled.
  • Only users with one profile can impersonate other users.
  • Only non-technical users can be impersonated.
  • The impersonator only gains, on behalf of the end user, those application roles whose application data room he is authorized for. This does not apply to nevisIDM roles, as they can never be inherited.
  • Likewise, the impersonator only gains, on behalf of the end user, those enterprise roles whose enterprise role data room he is authorized for.
  • A user can impersonate target users only from clients and units he is authorized for.
  • The impersonator thus gains access on behalf of the end user through enterprise roles as well.

Example

We have a technical user with the roles App1.Role1 and App2.Role2 and an end user with the roles nevisIDM.SelfAdmin, App1.Role3 and App3.Role4. If the technical user impersonates the end user, he will only have the role App1.Role3 (because App1 is the only application data room the two users share).
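The rules above and this example, worked through as an added illustration that is not nevisIDM's own code: a small Python model that checks the impersonation preconditions and computes which of the end user's roles the impersonator gains. The Role and User types, the parameter names, the modelling of the "Impersonator" role as a nevisIDM role, and the assumption that a user is authorized for a data room whenever he holds any role in it are assumptions made for this example, not the product's implementation.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical model of the impersonation rules described on this page.
# Not nevisIDM code: type names, field names and the "authorized for a data
# room = holds a role in that room" rule are assumptions.

NEVISIDM_ROOM = "nevisIDM"   # nevisIDM roles are never inherited


@dataclass(frozen=True)
class Role:
    room: str    # application or enterprise data room, e.g. "App1"
    name: str    # role name within that room, e.g. "Role3"

    def qualified(self) -> str:
        return f"{self.room}.{self.name}"


@dataclass
class User:
    username: str
    technical: bool            # fixed at creation, never changes
    profile_count: int
    client: str
    unit: str
    roles: frozenset[Role] = frozenset()


# Assumed representation of the technical role "Impersonator".
IMPERSONATOR = Role(NEVISIDM_ROOM, "Impersonator")


def may_impersonate(impersonator: User, target: User,
                    authorized_clients: set[str], authorized_units: set[str],
                    restriction_enabled: bool = True) -> tuple[bool, str]:
    """Evaluate the preconditions listed on this page; returns (allowed, reason).

    restriction_enabled models application.feature.impersonation.restriction.enabled:
    when True, only technical users may impersonate.
    """
    if IMPERSONATOR not in impersonator.roles:
        return False, "impersonator lacks the Impersonator role"
    if restriction_enabled and not impersonator.technical:
        return False, "only technical users may impersonate while the restriction is enabled"
    if impersonator.profile_count != 1:
        return False, "impersonator must have exactly one profile"
    if target.technical:
        return False, "technical users cannot be impersonated"
    if target.client not in authorized_clients or target.unit not in authorized_units:
        return False, "target lies outside the impersonator's authorized clients/units"
    return True, "ok"


def effective_roles(impersonator: User, target: User) -> frozenset[Role]:
    """Roles held on behalf of the target: the target's roles whose data room
    the impersonator is authorized for, with nevisIDM roles always excluded."""
    authorized_rooms = {r.room for r in impersonator.roles if r.room != NEVISIDM_ROOM}
    return frozenset(r for r in target.roles
                     if r.room != NEVISIDM_ROOM and r.room in authorized_rooms)


def effective_role_names(impersonator: User, target: User) -> list[str]:
    """Sorted 'Room.Role' strings, convenient for display and assertions."""
    return sorted(r.qualified() for r in effective_roles(impersonator, target))


# Constructed sample users reproducing the example on this page (client/unit
# values are made up).
TECH_USER = User("svc-app", technical=True, profile_count=1, client="C1", unit="U1",
                 roles=frozenset({Role("App1", "Role1"), Role("App2", "Role2"), IMPERSONATOR}))
END_USER = User("alice", technical=False, profile_count=1, client="C1", unit="U1",
                roles=frozenset({Role(NEVISIDM_ROOM, "SelfAdmin"),
                                 Role("App1", "Role3"), Role("App3", "Role4")}))

if __name__ == "__main__":
    allowed, reason = may_impersonate(TECH_USER, END_USER, {"C1"}, {"U1"})
    print(allowed, reason)
    print(effective_role_names(TECH_USER, END_USER))
```

Running the block prints `True ok` and `['App1.Role3']`: App2.Role2 gives the technical user no access to the end user's App3.Role4, and nevisIDM.SelfAdmin is dropped regardless of data rooms. Flipping `restriction_enabled` to False is the one change that lets a non-technical holder of the Impersonator role through the precondition check.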

In nevisAuth, impersonation is performed in the IdmGetPropertiesState. Refer to the corresponding chapter in the nevisAuth reference guide for further information.