I want my admins to be able to impersonate a user and see what they see, but not be able to change any settings for security reasons. How to do this? Thanks.
Based on the information available at https://auth0.com/docs/user-profile/user-impersonation, the rules engine is aware of the impersonation.
In a Rule, you have access to `user.impersonated` and `user.impersonator` (the impersonating login), and you can write arbitrary JavaScript to define how it works.
With this in mind you could set up a rule so that, when the token is issued as part of impersonation, it includes a claim indicating that fact, for example:
```javascript
function (user, context, callback) {
  // user.impersonated is set by Auth0 when the login is an impersonation session
  if (context.idToken && user.impersonated) {
    // custom claims must use a namespaced (URL-style) key
    context.idToken["http://example.com/impersonated"] = true;
  }
  callback(null, user, context);
}
```
The final step would be for your application to react accordingly to the presence of this claim in the token and only allow read-only access.
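The application-side half of that approach, as an added example that is not part of the original answer: a check over the verified ID-token claims that lets an impersonated session read but not write. It assumes the token was already verified (signature, issuer, audience, expiry) by your usual library, that the verified claims are placed on `req.user` by an earlier middleware, and that "write" means any non-read HTTP method; the request shape and the `authorize` helper are hypothetical.

```javascript
// Added example: enforcing read-only access when the impersonation claim is present.
// Assumes the claims passed in have already been verified by your JWT library.

// Same namespaced claim key the rule above writes into the ID token.
const IMPERSONATED_CLAIM = "http://example.com/impersonated";

// HTTP methods that do not change state; everything else counts as a write.
const READ_ONLY_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Strict comparison: only the boolean true set by the rule counts, so a
// string "true" or any other value does not accidentally flag (or unflag) a session.
function isImpersonatedSession(claims) {
  return claims[IMPERSONATED_CLAIM] === true;
}

// Decide whether a request is allowed for the session described by `claims`.
function authorize(claims, method) {
  if (!isImpersonatedSession(claims)) {
    return { allowed: true, reason: "normal session" };
  }
  if (READ_ONLY_METHODS.has(String(method).toUpperCase())) {
    return { allowed: true, reason: "impersonated session, read-only request" };
  }
  return { allowed: false, reason: "impersonated session may not change settings" };
}

// Express-style middleware (hypothetical request shape): assumes a previous
// middleware verified the ID token and stored its claims on req.user.
function readOnlyWhenImpersonated(req, res, next) {
  const decision = authorize(req.user || {}, req.method);
  if (!decision.allowed) {
    // Log the blocked write so impersonation activity is auditable.
    console.warn(`blocked write during impersonation: ${req.method} ${req.path || ""}`);
    res.status(403).json({ error: decision.reason });
    return;
  }
  next();
}

// Constructed sample claims for a quick local check (not real tokens).
const impersonatedClaims = { sub: "auth0|user123", [IMPERSONATED_CLAIM]: true };
const normalClaims = { sub: "auth0|user123" };

console.log(authorize(impersonatedClaims, "GET"));   // allowed: true
console.log(authorize(impersonatedClaims, "POST"));  // allowed: false
console.log(authorize(normalClaims, "POST"));        // allowed: true
```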