1. Proposed title of this feature request:

 Ability to impersonate the user who has privileges from multiple groups (Enhancement for User Impersonation) 

2. What is the nature and description of the request?

 As of now, if we had given a role to the group while trying to impersonate the user via the web console, we are not able to get the privileges that the user has attained via the group.

While performing impersonation of the user, what it does is that a request to the OpenShift Container Platform API is sent which includes an Impersonate-User header, which indicates that the requester wants to have the request handled as though it came from the specified user. After which it checks for the required permissions for that particular user and responds back, however, the catch here is that if we had applied the permission at the group level then the RBAC policy responds back with negative results for the users even when we had applied the role to the entire group. Here, we are not able to view the user privileges even after giving the corresponding role because we are giving that role to the group not specifically for a user, however, the role would get applied as expected.

If you had given permissions at the group level, then you need to try group impersonation by navigating to the Groups page under the User Management section of the navigation. Then click on the group, and select the Role Bindings tab, there, just as we do for user impersonation, open the menu for a particular group rolebindings and select “Impersonate Group ‘[group]’”.

But however, this feature is not achieving the real feat of "User Impersonation", because suppose if the user is getting privileges from two or more groups, then we can't impersonate both groups at the same time to see the net result in OpenShift webconsole.

3. Why does the customer need this? (List the business requirements here)

 A user may have permissions from multiple groups. Currently, we would be unable to see what another user's console shows them, which is the main goal of "User Impersonation".

4. List any affected packages or components.

 OpenShift Webconsole

In CLI, we have an option of giving multiple groups:

--as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

However, in the OpenShift console, currently, we are only able to impersonate as a single group/user.