User impersonation

Impersonation lets admins act as another user temporarily—useful for support, testing permissions, and debugging.

Hanzo IAM supports two methods:

Both give you the same access as the impersonated user.

Start from the Users page: each row has an Impersonation button. Click it to switch your session to that user; the UI and permissions match theirs.

You stay in the impersonated user’s context until you exit. Hanzo IAM tracks that you’re impersonating so it can restore your admin session.

Open the user menu (top right). Choose Exit impersonation (instead of Logout) to return to your admin session.

:::tip Only administrators can impersonate; normal users do not see the impersonation button. :::

Impersonation is also available at login: set an organization master password; admins can then sign in as any user in that org by entering the master password instead of the user’s password.

On login, Hanzo IAM checks the organization’s master password first, then the user’s password. If the master password matches, login succeeds for that user without their real password.

To configure this feature, open your Organization settings and locate the Master Password field. Enter a strong password and save. From then on, use this password at the login screen with any username in that organization to sign in as that user.

:::caution Handle with care

The master password grants access to any account in your organization. Treat it like a master key - share it only with trusted administrators, store it securely in a password manager, and rotate it immediately if you suspect it's been compromised.

:::

Navigate to your organization's login page at /login/<organization_name>. Enter the target user's username and the master password instead of their personal password. Hanzo IAM authenticates you as that user, giving you their exact permissions and view of the system.

:::tip Example

For an organization called "my-company", visit https://your-iam-domain.com/login/my-company, enter the username you want to impersonate, and use the master password.

:::

Impersonation becomes valuable when you need to see the system through a user's eyes. Support teams often use it to reproduce reported issues - seeing exactly what the user sees makes debugging much faster. Testing permission configurations also benefits from impersonation, letting you verify access controls work correctly for different roles without creating test accounts.

Emergency situations sometimes require immediate access to a user's data when they're unavailable. Similarly, investigating security concerns or unusual account activity becomes more effective when navigating the system in that user's context.

Session-based impersonation requires admin privileges and creates an audit trail of who impersonated whom. The system tracks these sessions separately from normal logins, maintaining accountability.

Master password authentication doesn't distinguish between administrator impersonation and regular login in basic audit logs, since it uses the standard authentication flow. This makes session-based impersonation preferable for most scenarios.

Both methods respect multi-factor authentication settings. If a user has MFA enabled, you'll need to complete those verification steps even when impersonating.

To remove the master password option, clear the Master Password field in your Organization settings and save. This only affects password-based impersonation - the session-based method remains available to administrators regardless of master password configuration.

Organizations can set a default password assigned to newly created users, which differs from the master password used for impersonation. Password complexity rules apply to all passwords including the master password, helping maintain security standards across your organization.