Restrict logging in as other Users to the Admin security group
The current functionality allows any user with permissions to Login As (UserA) to login as another user (UserB) and act as UserB with UserB's permissions which may be different than UserA's permissions. For example, someone who assists Fund Advisors and has no financial permissions could Login As someone with Accounting group membership and surreptitiously generate and print checks. There is currently a security feature that prevents users who are not in the Admin security group from logging in as a User who is in the Admin group. Could this feature could be expanded so that only Admin users can Login As other profiles with the User designation? Implementing that, and the other IdeaLab suggestions to log when actions are taken by proxy would address this security concern.
Michael Wiley
shared this idea