Managing Logon as Another User

Use the Logon As Another User tab to manage the user selections that appear in the Login As Another User drop-down list in Work Center. This enables you to restrict the ability to log in as another user.

Select the Logon as Any Valid User check box to allow a user to log in as any user. Clear the check box to enable the Manage User Selections and Manage Group Selections options on the page. Use either of these options to select the users that can be impersonated.

Tip: When a user is copied to create a new user, the copied user assumes the same restrictions for Logon As Another User.

The ability to restrict Logon as Another User is determined accordingly:

If you are a Managed Administrator, there are two requirements:

You must have the Global Administration privilege (otherwise the Logon As Another User tab does not appear under Administration).
The user that you select to modify must have the Logon As Another User privilege.

If you are a Regular User with Remote Administration privilege:

The user that you select to modify must have the Logon As Another User privilege.

Tip: Regular users with Remote Administration privilege can edit managed administrators and restrict their list of users; however, managed administrators cannot restrict users for Regular Users. Administrators are not able to modify Logon As Another User restrictions for themselves.

Accessing SBM Application Administrator

Product access and privileges affect the ability to log in to Application Administrator and use administrative features as another user.

For example, if Carmen is a regular user with Remote Administration privilege, she can log in to Application Administrator as another user and make administrative changes as that user. However, if Carmen is a regular user, but does not have Remote Administration privilege, she cannot log in to Application Administrator and she can only access the Out of Office and Manage Data settings while impersonating another user.

Review the following scenarios for further detail:

The Impersonating User Is	And the Impersonated User	Result
any user	does not have Remote Administration privilege	The impersonated user cannot log in to Application Administrator and can only access Out of Office and Manage Data settings.
a regular user with Remote Administration privilege	has Remote Administration privilege	The impersonated user has full access to Application Administrator.
a regular user without Remote Administration privilege	has Remote Administration privilege	The impersonated user cannot log in to Application Administrator and can only access Out of Office and Manage Data settings.
a managed administrator with Remote Administration privilege, but without Global Administration privilege	has Remote Administration privilege	The impersonated user cannot log in to Application Administrator and can only access Out of Office and Manage Data settings.
a managed administrator with Global Administration privilege, but without Remote Administration privilege	has Remote Administration privilege	The impersonated user cannot log in to Application Administrator and can only access Out of Office and Manage Data settings.
a managed administrator with Remote Administration and Global Administration privileges	has Remote Administration privilege	The impersonated user has full access to Application Administrator.

Note: For tighter security, follow the steps in solution S142749 to block access to SBM completely (instead of allowing limited access according to the table above) when the impersonating user does not have greater product access. In other words, do not even allow the impersonated user to log in unless:

The impersonating user is a regular user with Remote Administration privilege and the impersonated user has Remote Administration privilege.

Or:

The impersonating user is a managed administrator with both Remote Administration and Global Administration privileges and the impersonated user has Remote Administration privilege.