Saltar al contenido principal

Partner Impersonation

A partner (an integrator or reseller) typically manages several tenants. When the partner needs to go into a tenant — to debug a campaign, demo a feature, or change a setting on the tenant's behalf — they can impersonate that tenant from the partner portal. They land in the admin shell scoped to that tenant, but with a curated permission set — not the tenant's own admin.

When to use it

  • A tenant raised a support ticket and you need to see their data to investigate.
  • You're demoing the platform to a prospective tenant on their own account.
  • You're applying a config change on a tenant who doesn't have an in-house admin.

How it works

The impersonation flow is a deliberate, audited handoff. From a high level:

  1. The partner user is authenticated to the partner portal with their ABP JWT (host-scope user with role Host.Partner).
  2. The partner opens a tenant they own and clicks Impersonate.
  3. The platform verifies that the tenant's IntegrationPartnerId matches the partner's claim — a partner can never impersonate a tenant they don't own. Cross-partner impersonation is refused outright.
  4. The platform provisions (or reuses) a synthetic per-tenant user named partner-{partner-code-lowercased} with the curated PartnerAdmin role.
  5. An ABP impersonation token is issued; the admin SPA exchanges it for a real session through ABP's native impersonation cookie path.
  6. The partner now operates the admin shell as the synthetic user, scoped to that tenant.

The synthetic user can do most operational things — manage campaigns, members, communications, content. They cannot:

  • Manage users, roles, or API keys in the tenant.
  • See or change billing.
  • Change tenant-wide branding fundamentals.

This means a partner can troubleshoot without being able to elevate their own access or hijack tenant identity.

Step-by-step

Impersonate a tenant

  1. Log in to the partner portal.
  2. Go to Tenants and find the tenant you want to enter.
  3. Click Impersonate.
  4. The platform opens a new admin session scoped to that tenant. You'll see the tenant's data, branding, and side menu.

Leave the impersonation session

Click Stop impersonating in the top bar (the standard ABP control). You return to the partner portal.

Limits and gotchas

  • Cross-partner is refused. A partner cannot impersonate a tenant they don't own. Attempts are rejected with an authorization error (this is enforced server-side; the UI doesn't even expose the button).
  • No silent fallback to admin. If provisioning the synthetic user fails for any reason, impersonation fails outright — the platform never hands out the tenant admin token as a fallback (this is a deliberate hardening fix from a prior security audit).
  • Audit trail. Impersonation sessions are audited like any other login. The audit log shows both the partner who initiated and the synthetic user that operated.
  • Cookie/session. Impersonation uses the standard ABP impersonation cookie. Logging out of the partner portal does not automatically end an active impersonation — stop it explicitly.
  • Permission: Pages.Partners.ManageTenants.