Allowing users to impersonate other users in AEM as a Cloud Service

Historically, only the default master admin account could impersonate all users in AEM Author. Any other account had to be added as an impersonator to the profile of the user being impersonated. This article discusses the new setting in AEM as a Cloud Service v2024.10 that allows anyone to impersonate users in AEM Author.

Description

Environment

Adobe Experience Manager as a Cloud Service (AEMaaCS)

Issue

Impersonation was restricted to the default master admin user, making it difficult for any other account to impersonate users in AEM Author.

Resolution

AEM as a Cloud Service v2024.10 introduces a new configuration option to streamline impersonation. Specifying users or groups as impersonatorPrincipals in the following Apache Jackrabbit Oak User Configuration now grants them the ability to impersonate any user.

Apache Jackrabbit Oak UserConfiguration (org.apache.jackrabbit.oak.security.user.UserConfigurationImpl) 

Here is an example using the Inline values method in the cfg.json.

In this example, the “administrators” group and a second “impersonators” group are specified as impersonatorPrincipals. This allows users specified in these groups to impersonate any user account in AEM Author.

{
    "impersonatorPrincipals":[
        "administrators",
        "impersonators"
    ]
}

Note: You also need to ensure that the ACLs for your impersonatorPrincipals (users or groups) are set to allow jcr:read on the path /home.
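Because every principal listed in impersonatorPrincipals can impersonate any user, the list is worth checking before the configuration is deployed. The following Python check is an added example, not Adobe's code: it assumes the cfg.json body is plain JSON without comments, and the approved list, the sample input and the function name audit_impersonators are hypothetical.

```python
import json

# Assumed review policy (hypothetical, not from Adobe): principals approved to impersonate.
APPROVED = frozenset({"administrators", "impersonators"})
# "everyone" is Oak's built-in group containing every user; listing it would
# let any authenticated account impersonate any other.
TOO_BROAD = frozenset({"everyone"})

# Constructed sample: a cfg.json body with an unapproved and an over-broad entry.
SAMPLE = """{
    "impersonatorPrincipals": [
        "administrators",
        "content-authors",
        "everyone"
    ]
}"""


def audit_impersonators(cfg_text, approved=APPROVED):
    """Return a list of findings for one UserConfigurationImpl cfg.json body."""
    try:
        cfg = json.loads(cfg_text)
    except json.JSONDecodeError as exc:
        # A missing comma between array entries lands here.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    principals = cfg.get("impersonatorPrincipals")
    if principals is None:
        return []  # setting absent: nothing is granted through this option
    if not isinstance(principals, list):
        return ["impersonatorPrincipals must be an array of principal names"]
    findings = []
    for name in principals:
        if not isinstance(name, str) or not name.strip():
            findings.append(f"entry {name!r} is not a principal name")
        elif name in TOO_BROAD:
            findings.append(f"'{name}' would let every user impersonate any account")
        elif name not in approved:
            findings.append(f"'{name}' is not on the approved impersonator list")
    return findings


if __name__ == "__main__":
    for finding in audit_impersonators(SAMPLE):
        print("FINDING:", finding)
```

Run in a deployment pipeline, a non-empty result should fail the build so that a change to the impersonator list gets the same review as a change to administrator membership.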

There are several ways to set OSGi configs in AEMaaCS. For full details, visit Configuring OSGi for Adobe Experience Manager as a Cloud Service.
