Impersonation Audit Trail
Every impersonation session is comprehensively audited. The audit trail captures session metadata, actions performed during impersonation, and provides query capabilities for compliance reporting. Audit endpoints require ADMIN role or audit:read authority.
Audit Data Captured
Each impersonation session records the following:
| Field | Description |
|---|---|
| Session ID | Unique identifier for the impersonation session |
| Admin user | The administrator who initiated the session |
| Target user | The user being impersonated |
| Reason | The stated justification for impersonation |
| Ticket reference | Optional support ticket or incident reference |
| IP address | The admin's IP address at session start |
| User agent | The admin's browser or client identifier |
| Start time | When the session was created |
| End time | When the session was terminated |
| End reason | How the session ended (normal, forced, expired) |
| Actions | List of actions performed during the session |
Recording Actions
During an active impersonation session, API calls can record significant actions for the audit trail:
POST /api/v1/impersonation/sessions/:sessionId/record-action{
"action": "Viewed BI dashboard 'Monthly Revenue Summary'"
}The action field has a maximum length of 200 characters.
Querying Audit History
Paginated history for the tenant:
GET /api/v1/impersonation/audit?page=0&size=20Time-range query:
GET /api/v1/impersonation/audit/range?start=2026-01-01T00:00:00Z&end=2026-02-01T00:00:00ZBoth endpoints return paginated SessionInfo objects.
Impersonation Statistics
The statistics endpoint provides aggregate metrics for compliance reporting:
GET /api/v1/impersonation/statsReturns ImpersonationStats including:
| Metric | Description |
|---|---|
| Total sessions | All-time session count |
| Active sessions | Currently active sessions |
| Average duration | Mean session length in minutes |
| Sessions by admin | Breakdown by admin user |
| Sessions by month | Monthly trend data |
Compliance Integration
The impersonation audit trail integrates with the platform's centralized audit service. All impersonation events are forwarded to the audit pipeline with:
- Event type:
IMPERSONATION_START,IMPERSONATION_END,IMPERSONATION_ACTION - Severity:
HIGH(all impersonation events are considered high-severity) - Retention: Impersonation audit records follow the tenant's data retention policy with a minimum of 365 days
Best Practices
- Always provide a meaningful
reasonthat explains the troubleshooting context - Include a
ticketReferencefor traceability back to the support system - End sessions promptly once the investigation is complete
- Review impersonation statistics regularly for anomalous patterns