User impersonation for support (Enterprise)

User impersonation (Enterprise)

Enterprise plan admins can impersonate other users for troubleshooting and support.

When to use impersonation

• Reproduce a bug reported by a team member.
• Verify permissions and access for a specific role.
• Assist a user who cannot log in (without resetting their password).
• Test dashboard views as a Viewer or Editor.

How to impersonate a user

1. Go to Team → Members.
2. Find the user you want to impersonate.
3. Click the Impersonate button (mask icon).
4. Confirm the action (requires 2FA if enabled for your account).
5. You are logged in as that user. The UI shows a yellow banner: 'You are impersonating [user email]'.
6. Perform actions to diagnose the issue.
7. Click Stop impersonating in the banner to return to your own account.

What happens during impersonation

• You have the exact same permissions as the impersonated user.
• All actions are logged in the audit log with:
  • Action performed by: your email
  • Impersonated user: user's email
  • Reason: optional (entered during impersonation start)
• You cannot impersonate another admin (security restriction).
• You cannot change billing or team settings while impersonating (even if the impersonated user has those permissions).
• API tokens are not affected — your own token still identifies you, not the impersonated user.

Impersonation session timeout

Impersonation sessions automatically expire after 1 hour of inactivity. You are returned to your own account.

Audit log for impersonation

The audit log records:

• user.impersonation.started – Admin started impersonating.
• user.impersonation.stopped – Admin stopped impersonating (or auto‑timeout).
• user.impersonation.action – Any action performed while impersonating (tree edit, fact certify, etc.).

Disabling impersonation

If you want to prevent impersonation of specific roles (e.g., no impersonation of users with billing access), configure in Company Settings → Security → Impersonation restrictions.