I tested to find that only a user can add another to his impersonators list for the other to impersonate. But the other user cannot add himself to the user's impersonators list and impersonate. Either a member of the administrator group or the user himself can add others to the user's impersonators list. Is this documented anywhere, and how can we customize any user to add impersonators like the administrator group?
First, your analysis is right. The list of impersonators is a property of the target user. So the target user can grant another user (the impersonator) the right to act as himself. There is no “impersonation right” that allows a specific user group to impersonate anybody.
So the use case “Support User Group”, where a group of support users is allowed to impersonate other business users, will not work. Every individual business user must grant impersonation rights to the support user group.
To change the list of impersonators, you just need write access on the target user. That is either the target user itself, or members of the “user administrators” group, or members of the “administrators” group, or any other user or user group that your project has granted write access on the target user.
If you wanna have the support users group model, you have 2 options:
1. If you are using LDAP Integration, you can add a static value for the impersonation property in the “User Sync” Config. So every LDAP user gets this automatically assigned when he logs in.
2. Write your own service that uses the UserAdmin-API to assign the impersonators silently in the background. This also allows you to use any business logic you want.
PS: I haven’t found any good official documentation. Neither at Adobe, nor at Jackrabbit.
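
The second option above, as an added example that is not part of the original answer and not Adobe's or Jackrabbit's own code: a helper built on the Jackrabbit user management API (`UserManager`, `User.getImpersonation()`, `Impersonation.grantImpersonation()`). The class name, method name and the group id in the comment are hypothetical, and the session passed in is assumed to have write access on the target user.

```java
import java.security.Principal;
import java.util.Iterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.Impersonation;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Hypothetical helper: lets every user in a support group impersonate one target user. */
public final class SupportImpersonationGranter {

    /**
     * @param session        session with write access on the target user (assumption)
     * @param supportGroupId id of the support group, e.g. "support-users" (constructed name)
     * @param targetUserId   id of the business user to be impersonated
     * @return number of impersonators newly added to the target user's list
     */
    public static int grant(Session session, String supportGroupId, String targetUserId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable target = um.getAuthorizable(targetUserId);
        Authorizable support = um.getAuthorizable(supportGroupId);
        if (target == null || target.isGroup() || support == null || !support.isGroup()) {
            throw new IllegalArgumentException("expected an existing user and an existing group");
        }
        Impersonation impersonation = ((User) target).getImpersonation();
        int added = 0;
        // Grant per member user; each grant adds that user's principal to the target's list.
        Iterator<Authorizable> members = ((Group) support).getMembers();
        while (members.hasNext()) {
            Authorizable member = members.next();
            if (member.isGroup() || member.getID().equals(targetUserId)) {
                continue; // skip nested group entries and the target itself
            }
            Principal principal = member.getPrincipal();
            // grantImpersonation returns false when nothing changed (e.g. already granted).
            if (impersonation.grantImpersonation(principal)) {
                added++;
            }
        }
        if (session.hasPendingChanges()) {
            session.save(); // throws if the session lacks write access on the target user
        }
        return added;
    }
}
```

Running this under a dedicated service session whose write access is limited to the intended target users keeps the grant auditable and narrowly scoped; `Impersonation.revokeImpersonation()` is the matching call for removing a principal again.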