The way I set it up is that the user must first log in to an administrator-level account before they can impersonate another user by entering a username or ID.