Enable "User Impersonation" as a Granular Permission for Custom Roles
Minimum Caterpillar
Problem Statement:
The User Impersonation feature (PL_ENABLE_USER_IMPERSONATION) is currently restricted exclusively to the Account Admin role. While powerful for troubleshooting, this "all-or-nothing" approach creates a significant compliance blocker for enterprise organizations.
The "Why" (Business Impact):
- SOX Compliance: Organizations cannot grant full "Account Admin" privileges to support staff or partner teams just to enable troubleshooting via impersonation. This violates the principle of least privilege.
- Operational Risk: Restricting this to a handful of Account Admins creates a bottleneck, as troubleshooting often requires specialized team members who should not have global administrative access to secrets, connectors, or user management.
Proposed Solution:
Decouple the "User Impersonation" capability from the fixed Account Admin role and expose it as a granular permission within the Harness RBAC framework. This would allow administrators to:
1) Create a Custom Role (e.g., "Troubleshooting Specialist").
2) Assign the User Impersonation permission to that role.
3) Bind that role to specific User Groups or Service Accounts without granting broader administrative rights.