View as user or view as role
As an Admin / Major Domo
I want to view my Domo Instance from the perspective of a selected user or role
In order to ensure their experience aligns with what is expected. (Dashboards, cards, pages, features, etc. that they should see are there, and those they should not see are not visible.)
Comments
-
This is a great idea! This would be helpful for validating PDP policies
5 -
OMG… yes, that would be huge. I would even ask to take it a step further and as an admin be able to mirror or impersonate an individual user.
5 -
This would be a great addition - my IT team has been in contact with Domo regarding this same feature.
2 -
This feature is extremely important to the successful adoption of Domo within our company. It would provide the ability to validate our security policies, greatly reduce the time spent trouble-shooting access related issues, and improve the user's overall experience.
4 -
Great idea. This will make content creator's life so much easier when they know what their user would see.
4 -
I'm working through PDP automation as a new customer and this is exactly what I struggle with. Since I can't impersonate other users as Admin, it's extremely difficult to verify and audit that PDP is working as expected. This would be HUGE and very much needed.
3 -
100%.
Trust and a more positive user experience will come from our Dev team being able to catch authorization issues. Whether that’s seeing if PDP works correctly to have card/page access set correctly.
2 -
DomoSupport can already do this. Making it available to customers would be fantastic.
2 -
I need this. has this updated yet?
0 -
@arashhemmasian_2023 as of yet, no.
0 -
@JasonAltenburg great idea! I have a testuser@domo.com account I use for this specific thing, but it's limited. Would be so much better if we could do as you describe.
2 -
This would be huge for us. We have tried to do as @swagner recommended but it is limited and time consuming.
If I solved your problem, please select "yes" above
1 -
This would be great!!!. What I do know is to create a temporary password and log in to see how the user's dashboard is looking.
0 -
+1
0 -
Our initial investigations on impersonating a user generated a few feasibility questions related to security risks from allowing someone to impersonate someone else and possibly take actions as a proxy. Impersonating a user bypasses the access controls and policies applied to the user who is impersonating and we need additional research on viable options. To help us find the right long term and potential short term workarounds, can you all help me confirm the below 'jobs to be done' that we should be solving?
- Governance / Access Control
- validating PDP
- validating access/security policies
- troubleshooting access related issues
- validate data sharing methods
- User Experience
- validating user experience aligns with what is expected
- understand current experience of user and what they see
- discovery to improve user overall experience
1 - Governance / Access Control
-
@JordanJensen Those jobs all look correct to me.
The security aspect is a fair note. I think in this regard, the key word is View. I would think that in the view as experience, you would have READ access to cards and dashboards, no create update or delete privileges as the other user. Possibly a blend of restrictions could be considered where the MOST restrictive of the two users policies would take effect. I think this would be a Superuser / Instance Admin type of grant to be able to use such a tool.
I think in my experience as Majordomo, I was looking for what falls under the User Experience bullets.
5 -
As a Domo admin I can see everything anyway so I am not sure why it would be a security issue. Agree with @JasonAltenburg that it should be a grant related to the admin role.
If I solved your problem, please select "yes" above
4 -
@ColemenWilson I apologize for any confusion. The security concern was not related to being able to see everything as to your point, you can see that as an admin. It was the concern with you taking action as another user. We will need to ensure we engineer the ability to track when you took an action as a user you are impersonating.
@JasonAltenburg I think I am following. Your suggestion of 'Possibly a blend of restrictions could be considered where the MOST restrictive of the two users policies would take effect' is interesting and am wondering what impact that would have on your ability to validate their experience. Is there any value in making setting up a dummy user like 'testuser@domo.com' easier? Or, do you need to validate the experience as a real user?
0 -
Oh no, that would not be secure at all. All we are looking for is a view as user or view as role - "view" being the key word.
If I solved your problem, please select "yes" above
1 -
Excited to see some traction on this! As I'm developing a better mental model for how permissions on various objects / roles / PDP interact this would be really helpful. And avoid the "Can you share your screen? How about now? now?" conversation :)
3 -
@JordanJensen I think there's some assumptions built in to that question about the Domo Admin being an IT Admin or having the power to set up a service account / test account.
In addition to this, imagine what that would look like to validate the experience in Domo of in a hypothetical small 6 person Domo instance with you as CEO, and your CFO, CMO, COO, CTO, CIO… you would need to create the 7th test user, then need to add then remove all permissions to your test account each time you wanted to view someone's experience. Add CFO … remove CFO add CMO… remove CMO add COO… instead of having an ability to "view as" to ensure that they all have the expected Domo Interface.
The idea around restrictions and permissions, if you could blur or placeholder cards I don't think it would be an issue. Most of the time it would be helpful simply to quickly understand what it looks like when they visit a page. I do understand though that some companies have more restrictive controls around their data where this feature might just need to be completely disabled by a CSM / Superuser
2 -
As an admin and the person responsible for an overall positive Domo user experience, this is an imperative management feature.
I intentionally laid out the sub-page order for a deployment to a group of 10 users.
The page order had intentional logic to support adoption. My directions referenced the page order.
Weeks later I learned that each user got the pages in a completely randomized order.
Many of my administration challenges come down to "I cannot see what you are seeing"
3 -
Agreed.
0 -
@Domo, please add this!
1 -
@JordanJensen - I think the word 'impersonation' has been taken too literally.
We need to be able to see what a particular user or role can see. If someone wants to act on behalf of another user at some point, that is another discussion. A pretty high level of complexity is possible with PDP, and not being able to validate how it is applying is a huge risk.
NOT having this feature is a security risk.How is it currently handled on the Domo Support side? The idea that people who barely know Domo can impersonate users is pretty scary. Can they make changes as the user or just see what they see?
DataMaven
Breaking Down Silos - Building Bridges
**Say "Thanks" by clicking a reaction in the post that helped you.
**Please mark the post that solves your problem by clicking on "Accept as Solution"1 -
For me, the PDP policies are the biggest motivator. We have some dynamic permissions set up, where a user can see data for rows based on a comparison between their name and our company's org chart. While I can click to preview the dataset for each PDP policy, I'm not a manager, so I can't verify whether managers are able to see the right data. Also, this only works for the data itself, not any cards built on it.
I understand the concerns about security, too, and only need to view and filter the dashboards, cards, and datasets that a user can access.
0 -
Agree with this one. It would be very beneficial as an admin to be able to emulate/imitate users to view their access and experience.
0 -
Agree with this. It would be very beneficial as an admin to be able to emulate/imitate a user to view Domo through their experience and access.
0 -
Hi, @JasonAltenburg, @DataMaven, @afranklin, @Kyrsten and everyone. Thank you all for being engaged in the Community Forum and for posting here in the Ideas Exchange!
While I know this particular ideas thread is about "view as", we've also heard feedback that there are use cases for taking action as another user: "act as". Here's a hypothetical use case: "I want to create a carefully curated experience for our new CFO that we're onboarding to the Domo platform. Of course I want to make sure they have access to all the right apps and data; but I also want to validate that they have the right role/grants to use Domo the way they need; and I want to add a few important cards to their Favorites."
I've appreciated the opportunity to talk at length with some of you about this and with your help I think we've found a good path forward; Let me provide some insight into how we're approaching this.
We're still working through some solution design considerations, but we're hoping to move forward with User Impersonation. This new capability to impersonate another Domo user would be limited to admin-type users (controlled by a new admin-level grant), and start/end and justification for impersonation would be logged. During the time-limited impersonation session, the admin-type user would be able to both view Domo as the user, and also act in Domo on that user's behalf.
Using this approach, we would be able to address both the need to view and act as another user. And while it may seem counterintuitive, we believe this is also our most efficient approach. So, don't worry: we wouldn't be delaying "view as" while we build "act as".
Finally, I imagine some Domo customers may not want to allow this functionality at all. For those customers we'll be able to entirely disable the feature.
That's a wall of text. If you made it this far - thanks for reading! Obviously, please feel free to share additional ideas and feedback here. I'll try to provide updates, too. And again, thanks for being part of the Domo Community!
5 -
@DataMaven, I also wanted to address your specific concern or question about Domo Support.
When a Domo Support representative gains proxy access to a customer's Domo instance, they view and take action in Domo as the "Domo Support" user and any actions that are logged in Activity Log indicate those actions were taken by Domo Support.
1
Categories
- All Categories
- 2K Product Ideas
- 2K Ideas Exchange
- 1.6K Connect
- 1.3K Connectors
- 308 Workbench
- 7 Cloud Amplifier
- 10 Federated
- 3.8K Transform
- 660 Datasets
- 117 SQL DataFlows
- 2.2K Magic ETL
- 818 Beast Mode
- 3.3K Visualize
- 2.5K Charting
- 84 App Studio
- 46 Variables
- 781 Automate
- 191 Apps
- 483 APIs & Domo Developer
- 84 Workflows
- 23 Code Engine
- 43 AI and Machine Learning
- 22 AI Chat
- 3 AI Projects and Models
- 18 Jupyter Workspaces
- 409 Distribute
- 116 Domo Everywhere
- 282 Scheduled Reports
- 11 Software Integrations
- 146 Manage
- 142 Governance & Security
- 8 Domo Community Gallery
- 49 Product Releases
- 13 Domo University
- 5.4K Community Forums
- 41 Getting Started
- 31 Community Member Introductions
- 115 Community Announcements
- 4.8K Archive