Legacy Knowledge Base
Published Jul. 2, 2025

Impersonation Security concerns

Written By

Tibor Szucs

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • Impersonation is a powerful feature of Liferay. This article answers the following questions regarding its security.
  1. Who triggers the impersonation request?
  2. How long will that kind of access be used?
  3. What audit controls are in place for the use of this feature?
  4. How do you control and ensure that the feature is used only by the authorized person?

Environment

  • DXP 7.2+

Resolution

  • Who can trigger the impersonation request?

    How do we control and ensure that the feature is used only by the authorized person for the authorized ends?

    The answers to both of these questions are similar, so I will answer them together.
    This feature is only available to users that have the correct permissions. You can find out which roles have permission to use this feature under Control Panel -> Users and Organizations -> Roles -> Select a role you want to review -> Define permissions.
    From the categories, select Control Panel -> Users and Organizations -> Users; Impersonate should be listed under Resource permissions. Users who have a role that allows them to impersonate will be able to use this feature.
  • What audit controls are in place for the use of this feature?

    Under Control Panel -> Configuration -> Audit you can see whether an IMPERSONATION request has been sent. If you click on this event, you will be able to see the user that initiated the impersonation request and the impersonated user's username and id in the additional information field.
  • How long will that kind of access be used?

    There is no time restriction on how long this access can be used. The impersonation ends when the person who initiated the request decides that it is no longer needed.

 
