# Admin Accounts and Impersonation

Administrator accounts for the various upstream services have additional access to, and control of, organization data. Depending on the upstream service, there are different requirements for accessing and manipulating that data.

You can follow along and try out some of these API calls if you create a Kloudless application and connect an administrator account to your application. You can do so pretty easily via the Interactive Docs. Click on “Connect Admin Account”, select a service, and follow the steps to grant access. Once completed, you can try out some of the cases below!

Some upstream services have the concept of user-specific data. When this is the case, administrator accounts need to supply the user’s information when requesting that user’s data. To pass this information, Kloudless uses a header, X-Kloudless-As-User, which identifies the user whose data is being accessed. To find this ID, Kloudless provides the Team API. The [list team members endpoint](https://developers.kloudless.com/docs/v1/team#team-list-users) will provide the team members’ IDs for use with the X-Kloudless-As-User header. Using this endpoint with an admin account will retrieve more information about the team’s users. Upstream services that use this structure are box, dropbox, gdrive, and onedrivebiz.

For services where there is no concept of user-specific data, all data is already available to admin users. As such, no additional steps need to be taken to access the data. Services where this is the case are s3, sharepoint, and egnyte.

Let’s take a closer look at how this might affect API calls as an administrator for the different upstream services. We’ll start off with an upstream service that has user-specific data. Take a look at the following curl request asking for information about the contents of a user’s root folder made as an administrator. Here are docs on the endpoint used.

```bash
curl -X GET \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer [Bearer token]' \
  'https://api.kloudless.com/v1/accounts/[Admin user ID]/storage/folders/root/contents/'
```

This request (assuming you have admin access correctly configured on your upstream service) will successfully return something. However, if you wanted organization-wide data, you would quickly realize you are only seeing the files and folders that belong specifically to the administrator. Let’s add that header we mentioned earlier, X-Kloudless-As-User, along with a user ID that belongs to a user in the organization.

```bash
curl -X GET \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer [Bearer token]' \
  --header 'X-Kloudless-As-User: [User ID]' \
  'https://api.kloudless.com/v1/accounts/[Admin user ID]/storage/folders/root/contents/'
```

By including that additional header, we are now able to access data that belongs to the user. The admin user can transform that data as needed. To access other users’ data, that admin can utilize the Team API endpoint to return information on the various team members, and thus access data as needed. This is how impersonation is used as an administrator to manage an organization’s data.

Next, let’s take a look at a service where all data is already available to admin users, and at how it interacts with Kloudless API calls. The quickest way to see if a given upstream service utilizes impersonation is by making a query with the impersonation header, X-Kloudless-As-User.

```bash
curl -X GET \
  --header 'Accept: application/json' \
  --header 'X-Kloudless-As-User: [User ID]' \
  --header 'Authorization: Bearer [Bearer token]' \
  'https://api.kloudless.com/v1/accounts/[Admin user ID]/storage/folders/root/contents/'
```

This will return an informative 501 error message, “SharePoint Online users cannot be impersonated”. If you see this message, try removing the added header used for impersonation.

```bash
curl -X GET \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer [Bearer token]' \
  'https://api.kloudless.com/v1/accounts/[Admin user ID]/storage/folders/root/contents/'
```

The returned information will include all data that the Kloudless user has access to. As this is an admin account for the upstream service, all data will be returned.
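
The two cases above can be handled in one client routine. The following is an added example, not Kloudless code: it sends the root-folder request with X-Kloudless-As-User, repeats it without the header on a 501, and reports which identity the returned data belongs to so that admin-scoped results are never mistaken for one user's data. The function names, the injected `get` transport, and the JSON response shapes are assumptions made for the illustration.

```python
import json
import urllib.error
import urllib.request

API = "https://api.kloudless.com/v1"
IMPERSONATION_HEADER = "X-Kloudless-As-User"

def http_get(url, headers):
    """Real transport: returns (status_code, parsed_json_body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def root_contents(account_id, token, user_id=None, get=http_get):
    """Return (acting_as, body) for the root folder listing.

    acting_as is user_id when impersonation was accepted, and None when the
    request ran as the admin account itself, including after a 501 retry.
    """
    url = f"{API}/accounts/{account_id}/storage/folders/root/contents/"
    base = {"Accept": "application/json", "Authorization": f"Bearer {token}"}
    attempts = [(None, base)]
    if user_id is not None:
        attempts.insert(0, (user_id, {**base, IMPERSONATION_HEADER: str(user_id)}))
    for acting_as, headers in attempts:
        status, body = get(url, headers)
        if status == 501 and acting_as is not None:
            continue  # service has no per-user data: repeat without the header
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body}")
        return acting_as, body
    raise RuntimeError("no attempt succeeded")

def fake_get(impersonation_supported):
    """Constructed stand-in for the API (assumed body shapes); runs offline."""
    def get(url, headers):
        user = headers.get(IMPERSONATION_HEADER)
        if user and not impersonation_supported:
            return 501, {"message": "SharePoint Online users cannot be impersonated"}
        return 200, {"objects": [{"name": f"file-of-{user or 'admin'}"}]}
    return get

if __name__ == "__main__":
    # Placeholder IDs and token, constructed for the demo.
    print(root_contents("ACCOUNT_ID", "TOKEN", "USER_ID", get=fake_get(True)))
    print(root_contents("ACCOUNT_ID", "TOKEN", "USER_ID", get=fake_get(False)))
```

Logging the returned `acting_as` value alongside each request gives an audit trail of which user's data the admin token was used to read.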