Allow Admins to login as another user (Sudo login)
This release introduces a new feature that allows institutional administrators to log in as other campus users.
This means better, faster, and more efficient support. Primary admins will be able to support and troubleshoot issues for your users directly without needing to submit a Watermark support ticket. We think this will be a game-changer for administrative efficiency.
Feature Overview:
- Sudo Login for Admins: Root admins can log in as any user (student, faculty, external, or another admin) to troubleshoot issues directly from their account. All actions performed during this session will be logged, and user consent is required prior to accessing a user's account.
Key Details:
- Permission and Access:
- Only users with the root admin role can access this feature.
- The feature is accessible from a user’s profile.
- Admins can search for and select a specific user to log in as.
- The system maintains a history of logs in the database, including the admin's ID, the impersonated user's ID, and session timestamps.
- Session Management:
- Admins gain full read/write access to the impersonated user's account.
An email notification is sent to the user when an admin logs into their account"
- A visual indicator will display the impersonation status, and a "Switch Back to Admin" button is available to end the session:
- Action Logging:
- All actions taken while logged in as another user will be logged for auditing purposes, linking actions back to the impersonating admin.
Introduce Support Access Controls
This release introduces a new Support Access feature, giving organizations granular control over when Watermark support teams can access user accounts. This enhancement improves security and transparency by requiring explicit, time-bound permission from the user.
1. Organizational Control
- Root Admin Control: Root administrators can now enable or disable the entire Support Access feature for an organization via a new toggle in System Preferences available under Settings > Configuration Settings.
- Access Restriction: Non-root administrators cannot modify the organization-level Support Access settings.
- Default Behavior: By default, this toggle will be ON for all existing organizations and any new organization created in the future.
2. User-Managed Access
A new card has been added to the Profile tab > My Profile > Account Settings Card, which provides full control over support access.
- A "Grant Access" button is displayed when support access is enabled.
- Clicking on "Grant Access" system opens a flyout requiring the user to specify a temporary access window:
- Start Time and Date: Defaults to the current time and date.
- Access Duration (Mandatory): Users must select a duration of 24 hours, 48 hours, or 72 hours.
- Once access is granted, the system displays the revoke date and time on the user's profile, providing clear visibility into when access will automatically expire.
- Users can immediately revoke access at any time by clicking the "Remove Access Now" button. This instantly removes the access and reverts the card to display the "Grant Access" button.
3. Support User Workflow
The ability for a Watermark support user to "sudo" into a user's account is now strictly controlled:
- The SUDO option will only be visible to support users if both of the following conditions are met:
- The organization's Sudo configuration is toggled ON at the institution level.
- The specific user has explicitly allowed "Grant Access."