Privileged user configuration

This page covers the configuration of the Privileged user, used to support offline user impersonation.

Configuring the privileged user

If you previously configured Privileged user API token credentials, you will be asked to re-configure the privileged user.

When accessing the System Admin module, the first page is the privileged user configuration page.

Using the privileged user picker field, begin searching for your privileged user. This user must have the System admin permissions required to perform CSUMCloud operations. Please see Privileged User Permissions for more information.

After a new privileged user is selected and validation is successful, the privileged user account ID will be stored. When this page is refreshed, the stored account ID will be validated against an existing user.

What is impersonation, and why does CSUMCloud require offline impersonation?

Requests made within the app are often performed as the logged-in user. (For example, when loading the Space admin module, requests to load the Space from the Confluence REST API are invoked as the logged-in Admin user.) When this is not possible, the CSUMCloud app may attempt to make the request itself, if it has the relevant permissions.

However, some REST API endpoints can only be invoked by a System Admin, so neither the logged-in Space Admin nor the CSUMCloud app can invoke these calls.

To allow these requests, a privileged user must be set up. The account ID of the selected user is then used to perform offline user impersonation, making the request on behalf of the logged-in user.

Privileged user API token credentials were already provided. Why is the new user picker needed?

As part of ongoing security improvements, all API token storage is being removed. To support this, the previous Email + API token combination must be replaced with user impersonation.

To achieve this, the privileged user configuration must store the account ID of the account to be used. This user still requires the relevant system admin permissions (see Privileged User Permissions).

Can I still use the same user I chose for the API token?

Yes. For instance, if you created an API token for ‘admin@mycompany.com’, selecting this user in the new privileged user configuration will use the account ID for that user. Simply search for the user in the privileged user configuration, and the validation will check whether the user has the required permissions.

(It is not currently possible to convert the email address to a user account ID, which is why we require re-configuration.)