Version
Google Translate
Contributors Edit (4/13/2025)
Avatar

Tenant impersonation & User impersonation

User impersonation allows you to temporarily sign in as a different user in your tenant's users. This article introduces how to enable impersonation in VCP. Impersonation is enabled by defautl in VCP v5.0 and above.

Introduction

In some cases, users need to sign in as another user and perform operations on behalf of the target user without sharing the target user's password.

How to enable impersonation feature?

If your VCP version is lower than 5.0, you can implement the impersonation feature by following the steps below.

Please remember to configure the ImpersonationTenantPermission and ImpersonationUserPermission permissions!!!

MVC

public override void ConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    //For impersonation in Saas module
    context.Services.Configure<VcpSaasHostWebOptions>(options =>
    {
        options.EnableTenantImpersonation = true;
    });

    //For impersonation in Identity module
    context.Services.Configure<VcpIdentityWebOptions>(options =>
    {
        options.EnableUserImpersonation = true;
    });

    context.Services.Configure<VcpAccountOptions>(options =>
    {
        //For impersonation in Saas module
        options.TenantAdminUserName = "admin";
        options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;

        //For impersonation in Identity module
        options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
    });
}

MVC Tiered

AuthServer

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) and SaasHostApplicationContractsModule on your AuthServerModule
  2. Configure the VcpAccountOptions.
public override void ConfigureServices(ServiceConfigurationContext context)
{
    context.Services.Configure<VcpAccountOptions>(options =>
    {
        //For impersonation in Saas module
        options.TenantAdminUserName = "admin";
        options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;

        //For impersonation in Identity module
        options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
    });
}

HttpApi.Host

No need to do anything here.

Web

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) on your WebModule
  2. Change the base class of AccountController to VcpAccountImpersonationChallengeAccountController
public class AccountController : VcpAccountImpersonationChallengeAccountController
{

}
  1. Add ImpersonationViewComponent to \Components\Toolbar\Impersonation folder
public class ImpersonationViewComponent : VcpViewComponent
{
    public virtual IViewComponentResult Invoke()
    {
        return View("~/Components/Toolbar/Impersonation/Default.cshtml");
    }
}

@using Microsoft.AspNetCore.Mvc.Localization
@using Verto.Vcp.Account.Localization
@inject IHtmlLocalizer<AccountResource> L
<form method="post" data-ajaxForm="false" action="~/Account/BackToImpersonator">
    @Html.AntiForgeryToken()
    <button type="submit" class="btn text-danger" data-bs-toggle="tooltip" data-bs-placement="left" title="@L["BackToImpersonator"]">
        <i class="fa fa-undo"></i>
    </button>
</form>
  1. Add ImpersonationViewComponent to ToolbarContributor.
if (context.ServiceProvider.GetRequiredService<ICurrentUser>().FindImpersonatorUserId() != null)
{
    context.Toolbar.Items.Add(new ToolbarItem(typeof(ImpersonationViewComponent), order: -1));
}
  1. Configure VcpSaasHostWebOptions and VcpIdentityWebOptions
public override void ConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    //For impersonation in Saas module
    context.Services.Configure<VcpSaasHostWebOptions>(options =>
    {
        options.EnableTenantImpersonation = true;
    });

    //For impersonation in Identity module
    context.Services.Configure<VcpIdentityWebOptions>(options =>
    {
        options.EnableUserImpersonation = true;
    });
}

Blazor Server

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) and VcpAccountPublicBlazorServerModule(Verto.Vcp.Account.Pro.Public.Blazor.Server) on your BlazorModule
  2. Configure SaasHostBlazorOptions and VcpAccountOptions
public override void ConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    //For impersonation in Saas module
    context.Services.Configure<SaasHostBlazorOptions>(options =>
    {
        options.EnableTenantImpersonation = true;
    });

    //For impersonation in Identity module
    context.Services.Configure<VcpIdentityProBlazorOptions>(options =>
    {
        options.EnableUserImpersonation = true;
    });

    context.Services.Configure<VcpAccountOptions>(options =>
    {
        //For impersonation in Saas module
        options.TenantAdminUserName = "admin";
        options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;

        //For impersonation in Identity module
        options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
    });
}

Blazor Server Tiered

AuthServer

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) and SaasHostApplicationContractsModule on your AuthServerModule
  2. Configure the VcpAccountOptions.
public override void ConfigureServices(ServiceConfigurationContext context)
{
    context.Services.Configure<VcpAccountOptions>(options =>
    {
        //For impersonation in Saas module
        options.TenantAdminUserName = "admin";
        options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;

        //For impersonation in Identity module
        options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
    });
}

HttpApi.Host

No need to do anything here.

Blazor

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) and VcpAccountPublicBlazorServerModule(Verto.Vcp.Account.Pro.Public.Blazor.Server) on your BlazorModule

  2. Change the base class of AccountController to VcpAccountImpersonationChallengeAccountController

public class AccountController : VcpAccountImpersonationChallengeAccountController
{

}
  1. Configure SaasHostBlazorOptions and VcpAccountOptions
public override void ConfigureServices(ServiceConfigurationContext context)
{
    //For impersonation in Saas module
    context.Services.Configure<SaasHostBlazorOptions>(options =>
    {
        options.EnableTenantImpersonation = true;
    });

    //For impersonation in Identity module
    context.Services.Configure<VcpIdentityProBlazorOptions>(options =>
    {
        options.EnableUserImpersonation = true;
    });
}

Angular

Add Impersonation to the Angular grant types.

//Console Test / Angular Client
var consoleAndAngularClientId = configurationSection["MyProjectName_App:ClientId"];
if (!consoleAndAngularClientId.IsNullOrWhiteSpace())
{
    var consoleAndAngularClientRootUrl = configurationSection["MyProjectName_App:RootUrl"]?.TrimEnd('/');
    await CreateApplicationAsync(
        name: consoleAndAngularClientId,
        type: OpenIddictConstants.ClientTypes.Public,
        consentType: OpenIddictConstants.ConsentTypes.Implicit,
        displayName: "Console Test / Angular Application",
        secret: null,
        grantTypes: new List<string>
        {
            OpenIddictConstants.GrantTypes.AuthorizationCode,
            OpenIddictConstants.GrantTypes.Password,
            OpenIddictConstants.GrantTypes.ClientCredentials,
            OpenIddictConstants.GrantTypes.RefreshToken,
            "LinkLogin",
            "Impersonation"
        },
        scopes: commonScopes,
        redirectUri: consoleAndAngularClientRootUrl,
        postLogoutRedirectUri: consoleAndAngularClientRootUrl,
        clientUri: consoleAndAngularClientRootUrl,
        logoUri: "/images/clients/angular.svg"
    );
}

Add impersonation: { userImpersonation: true, tenantImpersonation: true} object to oAuthConfig of environment if not exits.

export const environment = {
  //Other props..
  oAuthConfig: {
    //Other props..
    impersonation: {
      userImpersonation: true,
      tenantImpersonation: true,
    },
  },

Blazor WASM

It is currently not supported.

Microservice

AuthServer

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) and SaasHostApplicationContractsModule on your AuthServerModule
  2. Configure the VcpAccountOptions.
public override void ConfigureServices(ServiceConfigurationContext context)
{
    context.Services.Configure<VcpAccountOptions>(options =>
    {
        //For impersonation in Saas module
        options.TenantAdminUserName = "admin";
        options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;

        //For impersonation in Identity module
        options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
    });
}

Web

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) on your WebModule
  2. Change the base class of AccountController to VcpAccountImpersonationChallengeAccountController
public class AccountController : VcpAccountImpersonationChallengeAccountController
{

}
  1. Add ImpersonationViewComponent to \Components\Toolbar\Impersonation folder
public class ImpersonationViewComponent : VcpViewComponent
{
    public virtual IViewComponentResult Invoke()
    {
        return View("~/Components/Toolbar/Impersonation/Default.cshtml");
    }
}

@using Microsoft.AspNetCore.Mvc.Localization
@using Verto.Vcp.Account.Localization
@inject IHtmlLocalizer<AccountResource> L
<form method="post" data-ajaxForm="false" action="~/Account/BackToImpersonator">
    @Html.AntiForgeryToken()
    <button type="submit" class="btn text-danger" data-bs-toggle="tooltip" data-bs-placement="left" title="@L["BackToImpersonator"]">
        <i class="fa fa-undo"></i>
    </button>
</form>
  1. Add ImpersonationViewComponent to ToolbarContributor.
if (context.ServiceProvider.GetRequiredService<ICurrentUser>().FindImpersonatorUserId() != null)
{
    context.Toolbar.Items.Add(new ToolbarItem(typeof(ImpersonationViewComponent), order: -1));
}
  1. Configure VcpSaasHostWebOptions and VcpIdentityWebOptions
public override void ConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    //For impersonation in Saas module
    context.Services.Configure<VcpSaasHostWebOptions>(options =>
    {
        options.EnableTenantImpersonation = true;
    });

    //For impersonation in Identity module
    context.Services.Configure<VcpIdentityWebOptions>(options =>
    {
        options.EnableUserImpersonation = true;
    });
}

Blazor.Server

  1. Depends VcpAccountPublicWebImpersonationModule(Verto.Vcp.Account.Pro.Public.Web.Impersonation) and VcpAccountPublicBlazorServerModule(Verto.Vcp.Account.Pro.Public.Blazor.Server) on your BlazorModule

  2. Change the base class of AccountController to VcpAccountImpersonationChallengeAccountController

public class AccountController : VcpAccountImpersonationChallengeAccountController
{

}
  1. Configure SaasHostBlazorOptions and VcpAccountOptions
public override void ConfigureServices(ServiceConfigurationContext context)
{
    //For impersonation in Saas module
    context.Services.Configure<SaasHostBlazorOptions>(options =>
    {
        options.EnableTenantImpersonation = true;
    });

    //For impersonation in Identity module
    context.Services.Configure<VcpIdentityProBlazorOptions>(options =>
    {
        options.EnableUserImpersonation = true;
    });
}

Blazor and PublicWeb

It is currently not supported.

Tenant & User Impersonation permissions

identity saas

In this document