---
title: Authenticate as a different user
description: The X-OpenIDM-RunAs header lets an administrative user masquerade as a regular user, without needing that user's password. To support this header, you must add the runAsProperties object to the properties of your authentication module.
component: pingidm
version: 8.1
page_id: pingidm:auth-guide:auth-run-as
canonical_url: https://docs.pingidentity.com/pingidm/8.1/auth-guide/auth-run-as.html
keywords: ["Authentication", "Impersonation"]
---

# Authenticate as a different user

The `X-OpenIDM-RunAs` header lets an administrative user *masquerade* as a regular user, without needing that user's password. To support this header, you must add the `runAsProperties` object to the `properties` of your authentication module. For example:

```json
"runAsProperties" : {
    "adminRoles" : [
        "internal/role/openidm-admin"
    ],
    "disallowedRunAsRoles" : [
        "internal/role/openidm-admin"
    ],
    "defaultUserRoles" : [
        "internal/role/openidm-authorized"
    ],
    "queryId" : "credential-query",
    "queryOnResource" : "managed/user",
    "propertyMapping" : {
        "authenticationId" : "username",
        "userRoles" : "authzRoles"
    },
    "augmentSecurityContext" : {
        "type" : "text/javascript",
        "source" : "require('auth/customAuthz').setProtectedAttributes(security)"
    }
}
```

This configuration lets a user who authenticates with the `openidm-admin` role masquerade as any user *except* one with the `openidm-admin` role.

If you are adding this configuration to the `STATIC_USER` module, and you are using [Delegated administration](delegated-admin.html), you must add an additional `propertyMapping` to the `properties` of the authentication module. This mapping forces the privileges to be re-read into the security context when the session JWT is used on subsequent requests. For example:

```json
"propertyMapping" : {
    "authenticationId" : "username"
}
```
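
The following added example (not part of the PingIDM documentation or product code) lints authentication modules for the two configuration points above. It assumes a constructed input shape of `[{ name, properties }]` and, based on the description above, that an `adminRoles` entry missing from `disallowedRunAsRoles` lets holders of that role be masqueraded as; `lintRunAs` is a hypothetical helper name.

```javascript
// Added example (not PingIDM code): lint authentication modules for the
// run-as settings described above.
// Assumed input shape, constructed for this example: [{ name, properties }].
function lintRunAs(modules) {
  const findings = [];
  for (const { name, properties = {} } of modules) {
    const runAs = properties.runAsProperties;
    if (!runAs) continue; // this module does not support X-OpenIDM-RunAs
    const blocked = new Set(runAs.disallowedRunAsRoles || []);
    // Assumption drawn from the page's description: a role listed in
    // adminRoles but absent from disallowedRunAsRoles leaves holders of that
    // role open to being masqueraded as by another administrator.
    for (const role of runAs.adminRoles || []) {
      if (!blocked.has(role)) {
        findings.push(`${name}: ${role} is in adminRoles but not in disallowedRunAsRoles`);
      }
    }
    // STATIC_USER plus delegated administration needs a module-level mapping
    // so privileges are re-read when the session JWT is reused.
    const mapping = properties.propertyMapping || {};
    if (name === "STATIC_USER" && !mapping.authenticationId) {
      findings.push(`${name}: propertyMapping.authenticationId missing (needed with delegated administration)`);
    }
  }
  return findings;
}

// Constructed input: the page's settings, then a weakened variant.
const pageConfig = [{
  name: "STATIC_USER",
  properties: {
    propertyMapping: { authenticationId: "username" },
    runAsProperties: {
      adminRoles: ["internal/role/openidm-admin"],
      disallowedRunAsRoles: ["internal/role/openidm-admin"]
    }
  }
}];
const weakConfig = [{
  name: "STATIC_USER",
  properties: {
    runAsProperties: { adminRoles: ["internal/role/openidm-admin"], disallowedRunAsRoles: [] }
  }
}];

console.log(lintRunAs(pageConfig)); // no findings
console.log(lintRunAs(weakConfig)); // two findings
```

The second finding only matters when delegated administration is in use, so treat it as a prompt to check rather than a definite misconfiguration.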

The sample `authentication.json` file in `openidm/samples/example-configurations/conf/runas/` adds the `runAsProperties` object to the `STATIC_USER` module. Users or clients who authenticate with this module can then masquerade as other users.

In the following example, the `openidm-admin` user authenticates with the `STATIC_USER` module, and can run REST calls as user `bjensen` without that user's password:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--header "X-OpenIDM-RunAs: bjensen" \
--request GET \
"http://localhost:8080/openidm/info/login"
{
  "_id": "login",
  "authenticationId": "bjensen",
  "authorization": {
    "userRolesProperty": "authzRoles",
    "component": "managed/user",
    "authLogin": false,
    "adminUser": "openidm-admin",
    "roles": [
      "internal/role/openidm-authorized"
    ],
    "ipAddress": "[0:0:0:0:0:0:0:1]",
    "authenticationId": "openidm-admin",
    "protectedAttributeList": [
      "password"
    ],
    "id": "bjensen",
    "moduleId": "STATIC_USER",
    "queryId": "credential-query"
  }
}
```

The authentication output shows that the request was made as user `bjensen` but with an `adminUser` of `openidm-admin`. This information is also logged in the authentication audit log.

If you authenticate directly as user `bjensen`, without the `X-OpenIDM-RunAs` header, the user is authenticated with the `MANAGED_USER` authentication module. The output still shows an `authenticationId` of `bjensen`, but there is no reference to an `adminUser`:

```
curl \
--header "X-OpenIDM-Username: bjensen" \
--header "X-OpenIDM-Password: Passw0rd" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/info/login"
{
  "_id": "login",
  "authenticationId": "bjensen",
  "authorization": {
    "userRolesProperty": "authzRoles",
    "component": "managed/user",
    "authLogin": false,
    "authenticationIdProperty": "username",
    "roles": [
      "internal/role/openidm-authorized"
    ],
    "ipAddress": "[0:0:0:0:0:0:0:1]",
    "authenticationId": "bjensen",
    "protectedAttributeList": [
      "password"
    ],
    "id": "bjensen",
    "moduleId": "MANAGED_USER",
    "queryId": "credential-query"
  }
}
```
