28 changes: 26 additions & 2 deletions modules/impersonation-system-admin-user.adoc
Expand Up @@ -6,8 +6,7 @@
[id="impersonation-system-admin-user_{context}"]
= Impersonating the system:admin user

You can grant a user permission to impersonate `system:admin`, which grants them
cluster administrator permissions.
You can use the OpenShift web console to impersonate a user and select multiple group memberships at the same time to reproduce that user’s effective permissions.

.Procedure
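Review bot: The replacement intro no longer matches this module: the title is still `= Impersonating the system:admin user`, but the new sentence describes multi-group impersonation in the web console and drops the statement that impersonating `system:admin` grants cluster administrator permissions. Suggest keeping the original two lines here, since that privilege statement is what a reader needs before following the procedure, and leaving the web console sentence only in the new section at the end of the file, where the same sentence is added again.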

Expand Down Expand Up @@ -38,3 +37,28 @@ subjects:
name: <username>
----
====

== Impersonating a user with multiple group memberships in the web console
[id="impersonating-user-multiple-groups-console_{context}"]

You can use the OpenShift web console to impersonate a user and select multiple group memberships at the same time to reproduce the user’s effective permissions.

Is this a duplicate of line 9?


.Before you begin
* You must have permission to impersonate users.
* The user you impersonate must belong to one or more groups.

This may not be accurate. That user doesn't need to belong to that group. The purpose of multi-group impersonation is to simulate "what permissions would this user have if they were a member of these groups" - which is useful for testing RBAC configurations. The user doesn't need to actually be a member of those groups.



Same comment

We can just impersonate a user that doesn't belong to any group

.Procedure
. In the OpenShift web console, click **Administrator** → **User Management** → **User Impersonation**.

Another way to start impersonation is via the kebab menu at the top right corner of the web console.

And I don't think there is a User Impersonation option under the User Management tab. The way to trigger the impersonation is: you go under the User Management tab, then Users / Groups, and then you click on the kebab menu beside the specific user / group, and there should appear a button to impersonate.


. Select the user you want to impersonate.

For now it is asking the user to manually type the user's username that they want to impersonate in the newly popped-up modal.

. Select one or more groups that are associated with the user.

This might not be accurate. The user can impersonate any group(s) that they have view access to.

. Click **Impersonate** to impersonate the user and groups you selected.

[NOTE]
====
If you select a single group, the impersonation behavior matches the existing single-group impersonation mode.

This might not be accurate. If you start the impersonation from the kebab menu, you will have to enter the user's username that you are intending to impersonate. But the group field is optional.

One note about this feature is that if no groups are selected, it falls back to regular user impersonation.

====
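Review bot: In `.Before you begin`, the prerequisite covers only permission to impersonate users, while step 3 of the procedure has the reader select groups; state whether permission to impersonate groups is also required, so an administrator knows exactly what access this feature depends on. Also, `[id="impersonating-user-multiple-groups-console_{context}"]` sits after the `==` heading, whereas at the top of the file the `[id=...]` line comes before the title; move it above the heading so the anchor attaches to the new section.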