Masquerading

Masquerading is making an API call on behalf of another user. The call behaves as if the target user had made it with their own access token (even if they don’t have one). This includes permission checks, enrollments, etc.

In order to masquerade via the API, the calling user must have the “Masquerade as Another User” permission, which admin account users have by default. If the target user is also an account admin, the calling user must additionally have every permission that the target user has.

For auditing purposes, all calls log both the calling user and the target user.

When masquerading, there are two ways to specify the user: id and uid.

To use the user’s id, add the URL parameter as_user_id:

curl 'https://[bridge]/api/learner/courses?as_user_id=1' \
     -H "Accept: application/json" \
     -H "Authorization: Basic [token]"

To use the user’s uid, add the URL parameter as_user_uid:

curl 'https://[bridge]/api/learner/courses?as_user_uid=gwashington' \
     -H "Accept: application/json" \
     -H "Authorization: Basic [token]"

Masquerading could be useful in a number of use cases:

  • For developing an admin tool
  • For accessing APIs that can only be called on self (e.g. the learner course listing endpoint shown above)
  • For performing actions in bulk on a set of learners in your account, like signing them up for a live-training session

Example

In this example, we’ll see how we can easily sign up a number of learners to a live-training session (with an id of 1) in only a few lines of shell and cURL:

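# Bridge host and API token (placeholders)
export HOST="https://[bridge]"
export TOKEN="..."

# Register each learner for live-training session 1 by masquerading as them.
# A plain word list works in any POSIX shell, not only in bash.
for user_id in 1 13 45 2 6
do
  curl "${HOST}/api/learner/live_course_sessions/1/registration?as_user_id=${user_id}" \
       -X POST \
       -H "Accept: application/json" \
       -H "Authorization: Basic ${TOKEN}"
done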
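
A more defensive variant of the loop above, as an added example that is not part of the original documentation: it rejects list entries that are not plain numeric ids before they reach the as_user_id parameter, and it reports the HTTP status of each masqueraded call. The function names masquerade_url and register_all are hypothetical, and treating ids as numeric and any 2xx status as success are assumptions.

```shell
#!/bin/sh
# Added example, not Bridge's own code. masquerade_url and register_all are
# hypothetical helper names; numeric ids and "2xx = success" are assumptions.

# Build the masquerade URL. Anything that is not a plain numeric id is refused,
# so a malformed list entry cannot smuggle extra query parameters into the call.
masquerade_url() {
  host=$1 session_id=$2 user_id=$3
  case $user_id in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s/api/learner/live_course_sessions/%s/registration?as_user_id=%s\n' \
    "$host" "$session_id" "$user_id"
}

# Register every id given after host, token and session id.
# Prints "<user_id> <status>" per entry and returns non-zero if any entry
# was skipped or did not come back with a 2xx status.
register_all() {
  host=$1 token=$2 session_id=$3
  shift 3
  rc=0
  for user_id in "$@"; do
    if ! url=$(masquerade_url "$host" "$session_id" "$user_id"); then
      echo "$user_id skipped-invalid-id"
      rc=1
      continue
    fi
    # -w prints only the status code; the response body is discarded.
    status=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
      -H "Accept: application/json" \
      -H "Authorization: Basic ${token}" "$url") || status=000
    echo "$user_id $status"
    case $status in
      2??) ;;
      *) rc=1 ;;
    esac
  done
  return $rc
}
```

Call it as register_all "$HOST" "$TOKEN" 1 1 13 45 2 6; a non-zero exit status means at least one learner was skipped or the call for them was not accepted.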