IBM Sustainability Software - Ideas Portal
Hide about this portal


This portal is to open public enhancement requests against the products and services belonging to IBM Sustainability Software. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Not under consideration
Workspace IBM TRIRIGA Application Platform
Created by Guest
Created on Mar 12, 2025

RELATED IDEAS

Create a logged "Impersonate User" feature for TRIRIGA Administrators

See this idea on ideas.ibm.com

The current methods of troubleshooting user-specific issues that only show in production environments configured for SSO are as follows:

1) Have two different authentication methods: App server has SSO enabled, Process server has SSO not enabled. TRIRIGA admin uses process server to login as the affected user to troubleshoot. (Some security concerns with this method - admins can arbitrarily login as anyone and perform arbitrary actions without it easily tracing back to them).

2) TRIRIGA Administrator modifies their account to "swap" usernames between the affected user and their account so they can natively login as the affected user (requires to TRIRIGA Admins, one who does the swap and another who can set it back - also same security concerns as option 1).

3) TRIRIGA Administrator does a screenshare with the user to validate the issue and attempts to replicate the issue under their own profiles by reconfiguring their own profile to match the user's profile (time intensive and not always possible due to work shift differences in a 24-hr work environment).

Moving forward with TAS/MREF, I don't believe option 1 will be available anymore. Option 2 and 3 would still work, but they are not particularly efficient or effective in testing as the user. The options are even fewer with TRIRIGA authentication, as the administrator would likely not know the user's password and would have to reset it in order to impersonate the user.

I propose that an "Impersonate User" function be created for use exclusively by TRIRIGA administrators that allows them to impersonate users temporarily and log the access as them doing impersonation. I envision it would be similar to how other systems do it, like ServiceNow, where a button would be available only for Administrators on their home portal (maybe in the MyProfile menu?). When a user is selected, the administrator would temporarily login as the selected user and a log would be generated either in the Security log file or directly on the people record showing who initiated the impersonation and when. Even better if it annotates in the Audit tab of any record modified, created or deleted by the administrator while impersonating. Something like "Revise User, End 123456 (Impersonated) 3/12/2025". The option could also have a time limit to ensure it isn't accidentally left on and possibly even a notification could be sent to the affected end user notifying them of the impersonation.

Idea priority Low
Needed By Not sure -- Just thought it was cool
  • Post comment
  • Admin
    Andy Barnes
    Reply
    |     Apr 15, 2025

    I would ask you to evaluate this and see if it provides what you need Christopher and get back to us however for now I will mark this as "Not under consideration" until you revert back.

  • Admin
    Andy Barnes
    Reply
    |     Apr 15, 2025

    Thank you for the great idea and also the carefully thought through options that we have today Christopher.

    We do have an additional mechanism that will persist through into MREF called "Cloud Login". This provides an independent way of authenticating as that user using another identity provider. This can be used to impersonate a user without compromising their internal identity credentials. It would require an administrator to configure the cloud login and create users on the cloud identity provider as required to impersonate them.

    https://www.ibm.com/docs/en/tap/5.0.0?topic=sso-configuring-by-using-cloud-login

    I feel this offers what you are asking for here and again this is independent of the SSO configuration in e.g. the server.xml file on Liberty.

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.