Connect As
Connect As lets you sign in to a customer's Odoo environment as any active user — without knowing their password. This is the fastest way to reproduce a reported issue, provide hands-on support, or verify a fix as the affected person.
Every session is fully audited. You can see who signed in as whom, when, from what IP, and why. Sessions can be revoked at any time.
Connect As is available on the Starter plan and above. It requires the env.impersonation.initiate permission.
How It Works
- You pick a user from a searchable list of active Odoo accounts on the environment
- You enter a reason (required — it goes in the audit log)
- The platform generates a one-time session link and opens it in a new tab
- You are now signed in to Odoo as that user — no password, no cookie manipulation
- When you are done, close the tab or revoke the session from the audit panel
The session is injected directly into Odoo's session store. It expires automatically or can be killed immediately via the Revoke button.
Starting a Session
- Open your environment from the project page
- Click Connect As in the environment header (next to the Terminal button)
- Search for the user you want to sign in as
- Enter a reason (e.g., "Customer reported invoice view error")
- Click Connect
- A new tab opens with you signed in as that user
Connect As is available only when the environment is Running. If the environment is deploying, cloning, or stopped, the button is disabled.
Permissions Required
Connect As uses the existing permission matrix. The following permissions control each part of the feature:
| Permission | What It Controls |
|---|---|
env.impersonation.list_users | See the user picker in the Connect As dialog |
env.impersonation.initiate | Start a Connect As session |
env.impersonation.view_audit | View the session audit log |
env.impersonation.revoke | Kill an active session |
By default, Owners and Admins have all four permissions. Developers and Viewers do not. You can adjust these in Settings → Permissions.
Audit Log
Every Connect As session produces an immutable audit record:
| Field | What It Records |
|---|---|
| Who | The OEC.sh user who started the session |
| Target | The Odoo user they signed in as (login + display name) |
| When | Session start timestamp (UTC) |
| IP address | Client IP at the time of initiation |
| Reason | The reason entered at the start |
| Status | Initiated → Redeemed → Ended / Revoked |
To view the audit log:
- Open your environment
- Click Connect As in the header
- Click the Audit Log tab
Audit records are retained indefinitely and cannot be modified or deleted.
Revoking a Session
If you need to kill an active session immediately:
- Open the Connect As dialog
- Go to the Audit Log tab
- Find the session and click Revoke
- Enter an optional reason
Revoking immediately invalidates the session token and deletes the Odoo session from the database. The user is signed out on their next page request.
Tokens expire automatically after 5 minutes if unused and after the session ends naturally. Revocation is only needed if you want to force-end an active session before it closes on its own.
Supported Environments
Connect As works on:
- BYOS (Bring Your Own Server) environments — any server you have connected
- All Odoo versions 13.0 through 19.0
- Both custom-domain and auto-generated domain environments
Connect As requires the environment to have SSH access working and the Odoo container to be reachable. If the preflight checks for your server have failures, Connect As may not work until those are resolved.
Security Model
Connect As is built with defense-in-depth:
- One-time tokens — each session link works once and expires after 5 minutes if unused
- Rate limiting — a maximum of 5 initiations per hour per IP, 3 per minute per environment
- Reason required — every session must include a written justification
- Full audit trail — every action (initiate, redeem, end, revoke) is logged with user, IP, and timestamp
- Permission-gated — requires
env.impersonation.initiate; plan-gated to Starter and above - No password exposure — the target user's credentials are never read or transmitted
Impersonation audit events are also surfaced in the organization-level audit log, accessible to Owners at Settings → Security → Audit Log.