"Become" Another User to Check Their Permissions by Using "Masquerade"


Complexity Level: Beginner

This is a beginner topic. Little to no advanced knowledge is required.

Permission Level

Overview

When a user on your site is having trouble, sometimes it is helpful to "become" them-- that is, temporarily impersonate their account-- to help you troubleshoot the difficulty. The web team uses this functionality all the time to ensure permissions are correct, or to fix incorrect settings.

Like the web team, unit administrators can temporarily impersonate other site users with Drupal's "Masquerade" functionality.

Note, "Masquerading" as someone does not give you access to their passwords and does not go beyond the realm of your site. For example, impersonating a faculty member who has an account on your Drupal site does not mean you can access their personal email, their personal website, or any other UGA application that they use. 

Other Helpful Documentation

Before we begin, here's a doc to learn about roles and permissions. I also recommend another one called Seeing Who Has Access to Your Site which will talk about the user accounts list, mentioned in this doc.

This document will show you how to impersonate an account, but you won't be able to add user accounts or change permissions; it's a security risk. For that, you'll need to put in a ticket to the web team on the Franklin Helpdesk

Table of Contents

Step One: Find the User Accounts List

Click on the "Shortcuts" link. 

The white admin toolbar will change. 


Click on the "View user accounts" link.


This will allow you to see all people who have an account on your website.

For more about this, read our Knowledge Base article about called seeing who has access to your site.

Notice the field at the top called "Masquerade." In my example, I'm going to pretend that one of my web committee members, Zora Neale Hurston, wants to be sure she can create Basic Pages on my site. I'm going to "become" her account as a way to check her permissions. 

Step Two: If Needed, Figure out Their Username

If you aren't sure what someone's account is, you can search for their username. Check out our doc on Seeing Who Has Access to Your Site.

Step Three: Type All or Part of Their Username in the Field

Zora's myID and username on the site is "zhurston."

In the Masquerade field, I'm going to begin typing "zhurston." I  notice the field auto completes. 

I'll go ahead and click her name.

Now I can hit the "switch" button.

Step Four: Click Around and Check Permissions

Once I switch to her account, I get a "403 Error - Access Denied." This is ok. 

It makes sense because Zora's permissions as a web committee member shouldn't allow her to view this user accounts page that I can see.

Notice at the top that the account name says "zhurston" now instead of "lblais."

On the white toolbar, I see the things that a person with a web committee role can do-- manage the main menu and add content.

When I click "add content," everything looks normal. Depending on the issue your user is having, you might want to test further by actually creating a Basic Page.

Step Five: Unmasquerading and Becoming Yourself Again

I can "Unmasquerade" and become myself at any time.

When I click "unmasquerade," I become myself-- "lblais"-- again, and all my regular permissions are restored.

Masquerading as Someone with a Personnel Role

You can also "masquerade" as users with the personnel account.

Notice that this account has less permissions than Zora who had the web committee role. I can only click on "content" or go back to the main site and find my personnel page.

'


When I click on content, I can see a list of content, but can't do anything with content that isn't mine.

Can Personnel Delete Content?

If you notice the "delete content" drop down under  "action," this might cause you some worry for the person who has this account.

Because it seems like it is possible for them to delete any content on the site, like Julie McEver's personnel page shown below.

But if you as this test-personnel user were to hit "apply to selected items," you would actually be stopped from deleting the content.

Web committee members and unit administrators do have the power to delete content, so be careful as you are testing permissions, lest you remove something on accident.

Hit "unmasquerade" to become yourself again.


Login Assistance

To manage any part of your web site, you will have to be logged into the Drupal CMS.

If you need help logging in, please review this login help document. 


Contact the Franklin OIT Help Desk

Hours of Operation

Monday - Friday

8:00 a.m. - 5:00 p.m.

Website Information

Homepage & Directory

http://oit.franklin.uga.edu

Service Offerings

IT Services

Systems Status Information

Franklin OIT Status

http://status.franklin.uga.edu/

Receive or Discontinue Status and Service Updates from Franklin OIT

UGA/EITS Systems Status Pages

http://status.uga.edu

https://twitter.com/uga_eits

https://www.facebook.com/uga.eits

USG Systems Status Page

http://status.usg.edu