
Switching tenants as a system admin

How sysadmins impersonate tenants via the Enter button, the tenant header dropdown, and the context cookie.

System administrators can act as any tenant for support, debugging, and migration work. The platform calls this "impersonation" and it is governed by a short-lived HttpOnly cookie.

Three ways to switch tenants

Pick the one that fits your workflow

  • System → Tenants → Enter — go to https://cpr.co/system/tenants, find a tenant in the list, click Enter. You land on /admin for that tenant.
  • Header tenant dropdown — in /admin, the sidebar header shows a TenantSelector if you are a system admin. Click it, pick a different tenant, and the page reloads in that tenant.
  • Cookie directly — for Claude chat "god mode," the impersonation is set per-conversation via target_tenant_id on PATCH /api/claude/conversations/[id]. Each tool call that writes is gated by the cross-tenant guard.

The docpr_tenant_context cookie

When you impersonate, we set docpr_tenant_context, an HttpOnly, SameSite=Lax cookie that lasts 8 hours. The server reads it on every request (via getActiveTenantId) and uses it to scope every query. Because the cookie is HttpOnly, you cannot see or edit it from JavaScript, which protects against XSS-based impersonation escalation.

What changes while impersonating

Behavior during impersonation

  • All admin queries run against the selected tenant.
  • Your role is still system_admin — you retain system-level permissions.
  • Activity log entries record both the system user id and the impersonated tenant id.
  • A banner in the admin layout reminds you which tenant you are acting as.
  • Claude chat tool calls default to the impersonated tenant; cross-tenant writes (targetTenantId parameter) escalate autonomy to "Ask" regardless of the default.

Exiting impersonation

Click Exit in the impersonation banner, or navigate back to /system. The cookie is cleared and you return to system-admin mode.

⚠️ Important: Anything you change while impersonating is a real write against the tenant — bookings, deals, emails all fire as if that tenant did it. When in doubt, read-only audit is safer than write.

ℹ️ Note: Impersonation is logged to activity_log with action=impersonate_start and impersonate_end. Every tenant admin can see when a system admin entered their tenant.
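
A log review built on the activity_log entries described above, as an added example that is not the platform's own code: it pairs impersonate_start and impersonate_end rows per system admin and tenant, then flags sessions with no logged end or lasting longer than the cookie's 8 hours. The row field names (user_id, tenant_id, action, created_at), the other action names, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example, not the platform's code. Row field names are assumed; only the
// actions impersonate_start / impersonate_end come from the article.
const COOKIE_LIFETIME_MS = 8 * 60 * 60 * 1000; // docpr_tenant_context lasts 8 hours

// Constructed sample rows (not real log data).
const SAMPLE_ROWS = [
  { user_id: 'u1', tenant_id: 't-a', action: 'impersonate_start', created_at: '2024-05-01T09:00:00Z' },
  { user_id: 'u1', tenant_id: 't-a', action: 'booking_update', created_at: '2024-05-01T09:10:00Z' },
  { user_id: 'u1', tenant_id: 't-a', action: 'impersonate_end', created_at: '2024-05-01T09:30:00Z' },
  { user_id: 'u2', tenant_id: 't-b', action: 'impersonate_start', created_at: '2024-05-01T10:00:00Z' },
  { user_id: 'u2', tenant_id: 't-b', action: 'email_send', created_at: '2024-05-01T19:30:00Z' },
  { user_id: 'u3', tenant_id: 't-c', action: 'impersonate_end', created_at: '2024-05-01T11:00:00Z' },
];

function auditImpersonation(rows, now) {
  const open = new Map(); // "user|tenant" -> session in progress
  const sessions = [];
  const sorted = [...rows].sort((a, b) => Date.parse(a.created_at) - Date.parse(b.created_at));
  for (const r of sorted) {
    const key = `${r.user_id}|${r.tenant_id}`;
    const t = Date.parse(r.created_at);
    if (r.action === 'impersonate_start') {
      // A second start without an end closes the earlier session as unterminated.
      if (open.has(key)) sessions.push({ ...open.get(key), end: null });
      open.set(key, { user: r.user_id, tenant: r.tenant_id, start: t, actions: [] });
    } else if (r.action === 'impersonate_end') {
      const s = open.get(key);
      if (s) { sessions.push({ ...s, end: t }); open.delete(key); }
      else sessions.push({ user: r.user_id, tenant: r.tenant_id, start: null, end: t, actions: [] });
    } else if (open.has(key)) {
      open.get(key).actions.push(r.action); // activity logged while impersonating
    }
  }
  for (const s of open.values()) sessions.push({ ...s, end: null });
  return sessions.map((s) => {
    const flags = [];
    if (s.start === null) flags.push('end_without_start');
    if (s.end === null) flags.push('no_end_logged');
    const last = s.end ?? now; // an open session is measured up to "now"
    if (s.start !== null && last - s.start > COOKIE_LIFETIME_MS) flags.push('exceeds_cookie_lifetime');
    return { ...s, flags };
  });
}

console.log(auditImpersonation(SAMPLE_ROWS, Date.parse('2024-05-02T00:00:00Z')));
```

Flagged sessions are candidates for review, not proof of misuse: a cookie that simply expires may leave no impersonate_end row.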
