diff --git a/config/discourse_defaults.conf b/config/discourse_defaults.conf
index 722ee5228a6..c2dfe2f3e97 100644
--- a/config/discourse_defaults.conf
+++ b/config/discourse_defaults.conf
@@ -373,4 +373,7 @@ pg_force_readonly_mode = false
 dns_query_timeout_secs =
 
 # Default global regex timeout
-regex_timeout_seconds = 
+regex_timeout_seconds =
+
+# Allow impersonation function on the cluster to admins
+allow_impersonation = true
diff --git a/lib/guardian.rb b/lib/guardian.rb
index 3ea110c00ee..de7a380c5d8 100644
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@@ -297,7 +297,7 @@ class Guardian
 
   # Can we impersonate this user?
   def can_impersonate?(target)
-    target &&
+    GlobalSetting.allow_impersonation && target &&
       # You must be an admin to impersonate
       is_admin? &&
       # You may not impersonate other admins unless you are a dev
diff --git a/spec/lib/guardian_spec.rb b/spec/lib/guardian_spec.rb
index e6a4998faab..6207bce5baa 100644
--- a/spec/lib/guardian_spec.rb
+++ b/spec/lib/guardian_spec.rb
@@ -539,6 +539,10 @@ RSpec.describe Guardian do
   end
 
   describe "can_impersonate?" do
+    it "disallows impersonation when disabled globally" do
+      global_setting :allow_impersonation, false
+      expect(Guardian.new(admin).can_impersonate?(moderator)).to be_falsey
+    end
     it "allows impersonation correctly" do
       expect(Guardian.new(admin).can_impersonate?(nil)).to be_falsey
       expect(Guardian.new.can_impersonate?(user)).to be_falsey