One of our six spaces includes 32 roles. We had to create so many roles to be able to restrict access for users (customers) that are working in different banks, offshore/onshore users etc, taking into account that some should have access to Defects module only and other to backlog/test/defects.
Besides 30 rules added on space level and up to 50 on workspace level (just for defects). Rules differs from workspace to workspace. It took much time to configure that and one can't keep it all in his head. It's very likely that not everything was configured in a proper way. Since we have SSO configured for Octane it's not easy to validate permissions assigned to user especially when several roles are applied.
Having instance with 2500+ users what we really need is permission helper that would run checks on what is allowed and what is not per user.
Alternatively (or additionally) it would be good to have possibility for workspace admins to emulate user's session.
You can create an API key and assign it with a role from the tenant administration.
you read more about it in the API Access documentation:
It is also available for a federated SaaS account (SSO enabled).
If you want to emulate a user session to see what permissions/visibility the user has, you can create an API Key and assign it with the user roles and workspaces. then you can open sessions with the API Key and actually get the exact permissions/visibility of users assigned with these set of roles on the specific workspace.
Will that help to emulate the user sessions as requested? note that the only difference would be with the authentication part as API Keys are not authenticated via SSO.
We also have SSO and I can see the need to 'Switch be between' Users.
But I would say that this needs to be heavily audited or only able to switch to users which are not connected to accounts via SSO.
Along the lines of a "Test User" or "Mask User" that is only available as for testing/use to Admin users and not via the SSO Authentication.