Impersonation
Learn how to utilize Appetize for user impersonation and delegation scenarios, allowing call center agents or administrators to verify and troubleshoot user-reported issues.
Impersonation and delegation enable call center agents or system administrators to take on a user's identity to verify and troubleshoot user-reported issues. Most organizations already have a solution implemented for their web-based applications. Appetize extends impersonation and delegation to the users of your native and cross-platform mobile applications.
Enabling user impersonation necessitates the use of custom code and careful consideration of security, privacy, and compliance. The required custom code may involve making adjustments to the mobile app, the page Appetize is embedded on, and the backend infrastructure.
This documentation provides insights on leveraging Appetize's capabilities to impersonate users, perform delegated actions, and resolve user-reported problems. To simplify the process, we will break down impersonation into three essential steps:
To begin the impersonation process, identify the target user's relevant information, such as identity, roles, and permissions that you would like to impersonate.
Understand how authentication works in your target app and use a strategy to generate a token based on the target user's context or specific scenarios. Some sample strategies could include:
Session-based Authentication: Generate a JWT token based on the authenticated user's session.
OAuth2 Authentication: Utilize the impersonation scope in OAuth2 to generate a token for specific users and behaviors.
OpenID Connect Authentication: Update the token's subject (sub) claim and re-sign it to assume the identity of the desired user.
Override Authentication: Implement a mechanism that allows admin users with elevated privileges to bypass the standard token validation process.
Use a dedicated/custom app build/flavor specifically for Appetize that includes a token generation feature. This app can allow administrators or call center agents to input desired user roles and behaviors (or user ID / email) and generate the corresponding token.
Once you have the required user information (e.g. user token), proceed with passing it to your embedded app for impersonation. Consider the following options:
Update your app to retrieve, interpret and utilize the token passed in order to simulate the target user's identity, roles, and behaviors.
Note: authenticationService is just an example to represent how authentication might work. This should be replaced with the actual implementation in your app.
Now you can read out the data once the activity is launched.
To ensure a secure and responsible impersonation process, adhere to these best practices.
Obtain explicit user consent before performing any impersonation activities. Safeguard user privacy and handle sensitive information appropriately.
Impersonate users only when necessary to verify or troubleshoot reported issues. Respect user privacy and avoid misuse of impersonation capabilities. If possible, limit impersonation so that it is accessible only via your internal network.
Maintain detailed documentation outlining the impersonation process, including how the token gets generated and passed to the app and any other appropriate security measures. Ensure compliance with relevant regulations.
Maintain an audit trail of impersonation activities, including the purpose, duration, and actions performed. This log should be accessible for review and compliance purposes.
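Added example (not Appetize's code and not part of the original page): one way the token generation step and the audit-trail practice above can fit together on the backend, using only the Python standard library. The act (actor) claim follows RFC 8693; the signing key, the 15-minute cap, the reason claim and all function names are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # placeholder; load from a secret store in practice
MAX_TTL = 900                     # assumed policy: at most 15 minutes per session
AUDIT_LOG = []                    # stand-in for an append-only audit store

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_impersonation_token(agent, target_user, reason, ttl=300, now=None):
    """Mint a short-lived HS256 JWT for target_user that names the acting agent."""
    if not reason.strip():
        raise ValueError("a reason (for example a ticket id) is required")
    now = int(time.time() if now is None else now)
    exp = now + min(ttl, MAX_TTL)
    claims = {"sub": target_user, "act": {"sub": agent},  # "act": actor claim (RFC 8693)
              "reason": reason, "iat": now, "exp": exp}
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    # Record who impersonates whom, why, and for how long, before the token leaves.
    AUDIT_LOG.append({"event": "impersonation_issued", "agent": agent,
                      "target": target_user, "reason": reason,
                      "issued_at": now, "expires_at": exp})
    return f"{head}.{body}.{sign(head + '.' + body)}"

def verify_impersonation_token(token, now=None):
    """Return the claims only if signature, algorithm, expiry and actor check out."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if not hmac.compare_digest(sig.encode(), sign(f"{head}.{body}").encode()):
        raise ValueError("bad signature")
    header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    now = int(time.time() if now is None else now)
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if "sub" not in claims.get("act", {}):
        raise ValueError("token does not name the acting agent")
    return claims
```

A backend that accepts such a token can use the act claim to mark every request in the session as impersonated and attribute it to the agent in its own logs.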
Use an internal REST API and web interface that allows administrators or call center agents to generate tokens with specific user roles and behaviors. The web interface can provide an intuitive interface for administrators to input the desired parameters, and the API can generate and return the corresponding token. This token can then be passed to the Appetize client via our . See .
Use a companion app that works alongside the target app on Appetize. The companion app can include features to generate tokens with desired user roles and behaviors. The generated token can then be passed to the target app as a launch parameter or via deep link. See .
You can run multiple embedded Appetize sessions and use our to pass the values between them or you could make use of our to bundle the companion and the main app into a single session.
You could confirm that your app is running in an Appetize Session by making use of our default key "isAppetize": true.
Pass the generated token as a launch parameter when launching your app via Appetize by making use of our on your webpage.
See for more info.
Pass the generated token via a deep link while your app is running in Appetize by making use of our on your webpage.
See for more info.
Add a new intent filter for the deep link we specified above. For more information on how to do this, see this tutorial.
Update your AppDelegate (or SceneDelegate if your app opted into using Scenes) to handle incoming deep links. See this for more information.
Appetize offers both Public and Private cloud deployments. If you are potentially accessing sensitive data, please contact our to ensure you are implementing impersonation in a compliant manner.