diff --git a/README.md b/README.md index 3fddc81649..ace8b4f726 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ addon | version | maintainers | summary [base_user_show_email](base_user_show_email/) | 16.0.1.0.0 | | Untangle user login and email [cross_connect_client](cross_connect_client/) | 16.0.1.1.0 | paradoxxxzero | Cross Connect Client allows to connect to a Cross Connect Server enabled odoo instance. [cross_connect_server](cross_connect_server/) | 16.0.1.1.0 | paradoxxxzero | Cross Connect Server allows Cross Connect Client to connect to it. -[impersonate_login](impersonate_login/) | 16.0.1.0.0 | Kev-Roche | tools +[impersonate_login](impersonate_login/) | 16.0.1.0.1 | Kev-Roche | tools [password_security](password_security/) | 16.0.1.0.4 | | Allow admin to set password security requirements. [user_log_view](user_log_view/) | 16.0.1.0.0 | trojikman | Allow to see user's actions log [users_ldap_groups](users_ldap_groups/) | 16.0.1.0.1 | | Adds user accounts to groups based on rules defined by the administrator. diff --git a/impersonate_login/README.rst b/impersonate_login/README.rst index 77d52a2ee1..0dfab49eb9 100644 --- a/impersonate_login/README.rst +++ b/impersonate_login/README.rst @@ -1,3 +1,7 @@ +.. image:: https://odoo-community.org/readme-banner-image + :target: https://odoo-community.org/get-involved?utm_source=readme + :alt: Odoo Community Association + ================= Impersonate Login ================= 
@@ -7,13 +11,13 @@ Impersonate Login !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - !! source digest: sha256:4875867f60d80f01c7bb74137a9f9bbdc0dceffde3bd47d96af9d897cd8de1f6 + !! source digest: sha256:78fb4aa559c1a3d38ba24a93003d382fe68a762624ce5aab4c211fbcb65c2f87 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png :target: https://odoo-community.org/page/development-status :alt: Beta -.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png +.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html :alt: License: AGPL-3 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github @@ -35,15 +39,16 @@ clicking on the button "Back to Original User". To ensure that any abuse of this feature will not go unnoticed, the following measures are in place: -- In the chatter, it is displayed who is the user that is logged as - another user. -- Mails and messages are sent from the original user. -- Impersonated logins are logged and can be consulted through the - Settings -> Technical menu. -- - -There is an alternative module to allow logins as another user -(auth_admin_passkey), but it does not support these security mechanisms. +- In the chatter, it is displayed who is the user that is logged as + another user. +- Mails and messages are sent from the original user. +- Impersonated logins are logged and can be consulted through the + Settings -> Technical menu. +- You can optionally forbid impersonation of users with "Administration: + Settings" rights by enabling the related option in the settings. There + is an alternative module to allow logins as another user + (auth_admin_passkey), but it does not support these security + mechanisms. **Table of contents** 
@@ -55,6 +60,10 @@ Configuration The impersonating user must belong to group "Impersonate Users". +If you want to prevent impersonation of users with the *Administration: +Settings* rights, enable the *Restrict Impersonation of "Administration: +Settings" Users* option in the settings. + Usage ===== @@ -85,10 +94,10 @@ Authors Contributors ------------ -- Kévin Roche -- `360ERP `__: +- Kévin Roche +- `360ERP `__: - - Andrea Stirpe + - Andrea Stirpe Maintainers ----------- diff --git a/impersonate_login/__manifest__.py b/impersonate_login/__manifest__.py index 23516e92ee..e4268480a2 100644 --- a/impersonate_login/__manifest__.py +++ b/impersonate_login/__manifest__.py @@ -5,7 +5,7 @@ { "name": "Impersonate Login", "summary": "tools", - "version": "16.0.1.0.0", + "version": "16.0.1.0.1", "category": "Tools", "website": "https://github.com/OCA/server-auth", "author": "Akretion, Odoo Community Association (OCA)", @@ -20,6 +20,7 @@ "data": [ "security/group.xml", "security/ir.model.access.csv", + "views/res_config_settings.xml", "views/res_users.xml", "views/impersonate_log.xml", ], diff --git a/impersonate_login/i18n/impersonate_login.pot b/impersonate_login/i18n/impersonate_login.pot index 48ec6d0765..e95544127e 100644 --- a/impersonate_login/i18n/impersonate_login.pot +++ b/impersonate_login/i18n/impersonate_login.pot @@ -25,6 +25,11 @@ msgstr "" msgid "Base" msgstr "" +#. module: impersonate_login +#: model:ir.model,name:impersonate_login.model_res_config_settings +msgid "Config Settings" +msgstr "" + #. module: impersonate_login #: model:ir.model.fields,field_description:impersonate_login.field_mail_mail__body #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__body 
@@ -66,6 +71,13 @@ msgstr "" msgid "ID" msgstr "" +#. module: impersonate_login +#: model:ir.model.fields,help:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings +msgid "" +"If enabled, users with the 'Administration: Settings' access right cannot be" +" impersonated." +msgstr "" + #. module: impersonate_login #: model:ir.actions.act_window,name:impersonate_login.impersonate_log_action msgid "Impersonate Login Logs" @@ -92,6 +104,11 @@ msgstr "" msgid "Impersonated Logs" msgstr "" +#. module: impersonate_login +#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate +msgid "Impersonation Login" +msgstr "" + #. module: impersonate_login #. odoo-python #: code:addons/impersonate_login/models/res_users.py:0 @@ -132,6 +149,19 @@ msgstr "" msgid "Message" msgstr "" +#. module: impersonate_login +#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate +msgid "" +"Prevents impersonating users that have the\n" +" \"Administration: Settings\" access rights." +msgstr "" + +#. module: impersonate_login +#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings +#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate +msgid "Restrict Impersonation of 'Administration: Settings' Users" +msgstr "" + #. module: impersonate_login #: model:ir.model.fields,field_description:impersonate_login.field_impersonate_log__date_start msgid "Start Date" @@ -157,3 +187,11 @@ msgstr "" #, python-format msgid "You are already Logged as another user." msgstr "" + +#. module: impersonate_login +#. odoo-python +#: code:addons/impersonate_login/models/res_users.py:0 +#, python-format +msgid "" +"You cannot impersonate users with 'Administration: Settings' access rights." +msgstr "" diff --git a/impersonate_login/i18n/it.po b/impersonate_login/i18n/it.po index 64519c0067..7bf4c22b7a 100644 
--- a/impersonate_login/i18n/it.po +++ b/impersonate_login/i18n/it.po @@ -28,6 +28,11 @@ msgstr "Riporta a utente originale" msgid "Base" msgstr "Base" +#. module: impersonate_login +#: model:ir.model,name:impersonate_login.model_res_config_settings +msgid "Config Settings" +msgstr "" + #. module: impersonate_login #: model:ir.model.fields,field_description:impersonate_login.field_mail_mail__body #: model:ir.model.fields,field_description:impersonate_login.field_mail_message__body @@ -69,6 +74,13 @@ msgstr "Instradamento HTTP" msgid "ID" msgstr "ID" +#. module: impersonate_login +#: model:ir.model.fields,help:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings +msgid "" +"If enabled, users with the 'Administration: Settings' access right cannot be " +"impersonated." +msgstr "" + #. module: impersonate_login #: model:ir.actions.act_window,name:impersonate_login.impersonate_log_action msgid "Impersonate Login Logs" @@ -95,6 +107,11 @@ msgstr "Imita autore" msgid "Impersonated Logs" msgstr "Imita registri" +#. module: impersonate_login +#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate +msgid "Impersonation Login" +msgstr "" + #. module: impersonate_login #. odoo-python #: code:addons/impersonate_login/models/res_users.py:0 @@ -125,7 +142,6 @@ msgstr "Registrato come" #. module: impersonate_login #. odoo-python #: code:addons/impersonate_login/models/mail_message.py:0 -#: code:addons/impersonate_login/models/mail_message.py:0 #, python-format msgid "Logged in as {}" msgstr "Registrato come {}" 
@@ -135,6 +151,20 @@ msgstr "Registrato come {}" msgid "Message" msgstr "Messaggio" +#. module: impersonate_login +#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate +msgid "" +"Prevents impersonating users that have the\n" +" \"Administration: Settings\" access " +"rights." +msgstr "" + +#. module: impersonate_login +#: model:ir.model.fields,field_description:impersonate_login.field_res_config_settings__restrict_impersonate_admin_settings +#: model_terms:ir.ui.view,arch_db:impersonate_login.view_res_config_settings_impersonate +msgid "Restrict Impersonation of 'Administration: Settings' Users" +msgstr "" + #. module: impersonate_login #: model:ir.model.fields,field_description:impersonate_login.field_impersonate_log__date_start msgid "Start Date" @@ -160,3 +190,11 @@ msgstr "Utente" #, python-format msgid "You are already Logged as another user." msgstr "Si è già registrati come altro utente." + +#. module: impersonate_login +#. odoo-python +#: code:addons/impersonate_login/models/res_users.py:0 +#, python-format +msgid "" +"You cannot impersonate users with 'Administration: Settings' access rights." +msgstr "" diff --git a/impersonate_login/models/__init__.py b/impersonate_login/models/__init__.py index debb66e9c1..d483c409d4 100644 --- a/impersonate_login/models/__init__.py +++ b/impersonate_login/models/__init__.py @@ -4,3 +4,4 @@ from . import mail_message from . import impersonate_log from . import model +from . import res_config_settings diff --git a/impersonate_login/models/res_config_settings.py b/impersonate_login/models/res_config_settings.py new file mode 100644 index 0000000000..04fbf9571f --- /dev/null +++ b/impersonate_login/models/res_config_settings.py 
@@ -0,0 +1,15 @@
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+ _inherit = "res.config.settings"
+
+ restrict_impersonate_admin_settings = fields.Boolean(
+ string="Restrict Impersonation of 'Administration: Settings' Users",
+ config_parameter="impersonate_login.restrict_impersonate_admin_settings",
+ help=(
+ "If enabled, users with the 'Administration: Settings' access right"
+ " cannot be impersonated."
+ ),
+ default=False,
+ )
diff --git a/impersonate_login/models/res_users.py b/impersonate_login/models/res_users.py
index 27dd13f66a..5a1aaf4e2c 100644
--- a/impersonate_login/models/res_users.py
+++ b/impersonate_login/models/res_users.py
@@ -24,6 +24,20 @@ def _is_impersonate_user(self):
 def impersonate_login(self):
 if request:
+ config_restrict = (
+ self.env["ir.config_parameter"]
+ .sudo()
+ .get_param("impersonate_login.restrict_impersonate_admin_settings")
+ )
+ if config_restrict:
+ admin_settings_group = self.env.ref("base.group_system")
+ if admin_settings_group in self.groups_id:
+ raise UserError(
+ _(
+ "You cannot impersonate users with"
+ " 'Administration: Settings' access rights."
+ )
+ )
 if request.session.impersonate_from_uid:
 if self.id == request.session.impersonate_from_uid:
 return self.back_to_origin_login()
diff --git a/impersonate_login/readme/CONFIGURE.md b/impersonate_login/readme/CONFIGURE.md
index 33ebb6904a..649fb31c76 100644
--- a/impersonate_login/readme/CONFIGURE.md
+++ b/impersonate_login/readme/CONFIGURE.md
@@ -1 +1,5 @@
 The impersonating user must belong to group "Impersonate Users".
+
+If you want to prevent impersonation of users with the *Administration: Settings*
+rights, enable the *Restrict Impersonation of "Administration: Settings" Users*
+option in the settings.
diff --git a/impersonate_login/readme/DESCRIPTION.md b/impersonate_login/readme/DESCRIPTION.md
index cee4996cfb..757ab10e2b 100644
--- a/impersonate_login/readme/DESCRIPTION.md
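Review bot: In `impersonate_login` (models/res_users.py) the new restriction runs before the `request.session.impersonate_from_uid` branch, so with the option enabled a session whose original user holds `base.group_system` gets the UserError instead of reaching `back_to_origin_login()` when it switches back through this method. Exempting the return path keeps the guard on new impersonations only, for example `if config_restrict and self.id != request.session.impersonate_from_uid:`. `get_param` returns the stored string, so any non-empty value, including a hand-entered `"False"`, turns the restriction on; that fails closed, but a one-line comment saying so would spare the next reader the lookup. A refused attempt leaves no record in the lines shown, and since the module's stated aim is that abuse does not go unnoticed, it seems worth logging the acting and target user before raising. The function body continues outside the hunk.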
+++ b/impersonate_login/readme/DESCRIPTION.md @@ -6,6 +6,7 @@ To ensure that any abuse of this feature will not go unnoticed, the following me * In the chatter, it is displayed who is the user that is logged as another user. * Mails and messages are sent from the original user. * Impersonated logins are logged and can be consulted through the Settings -> Technical menu. -* +* You can optionally forbid impersonation of users with "Administration: Settings" + rights by enabling the related option in the settings. There is an alternative module to allow logins as another user (auth_admin_passkey), but it does not support these security mechanisms. diff --git a/impersonate_login/static/description/index.html b/impersonate_login/static/description/index.html index bc3126b298..f0966d20f1 100644 --- a/impersonate_login/static/description/index.html +++ b/impersonate_login/static/description/index.html @@ -3,7 +3,7 @@ -Impersonate Login +README.rst -
-

Impersonate Login

+
+ + +Odoo Community Association + +
+

Impersonate Login

-

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runboat

+

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runboat

This module allows one user (for example, a member of the support team) to log in as another user. The impersonation session can be exited by clicking on the button “Back to Original User”.

@@ -381,10 +386,12 @@

Impersonate Login

  • Mails and messages are sent from the original user.
  • Impersonated logins are logged and can be consulted through the Settings -> Technical menu.
  • -
  • +
  • You can optionally forbid impersonation of users with “Administration: +Settings” rights by enabling the related option in the settings. There +is an alternative module to allow logins as another user +(auth_admin_passkey), but it does not support these security +mechanisms.
  • -

    There is an alternative module to allow logins as another user -(auth_admin_passkey), but it does not support these security mechanisms.

    Table of contents

      @@ -400,11 +407,14 @@

      Impersonate Login

    -

    Configuration

    +

    Configuration

    The impersonating user must belong to group “Impersonate Users”.

    +

    If you want to prevent impersonation of users with the Administration: +Settings rights, enable the Restrict Impersonation of “Administration: +Settings” Users option in the settings.

    -

    Usage

    +

    Usage

    1. In the menu that is displayed when clicking on the user avatar on the top right corner, or in the res.users list, click “Switch Login” to @@ -414,7 +424,7 @@

      Usage

    -

    Bug Tracker

    +

    Bug Tracker

    Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us to smash it by providing a detailed and welcomed @@ -422,15 +432,15 @@

    Bug Tracker

    Do not contact contributors directly about support or help with technical issues.

    -

    Credits

    +

    Credits

    -

    Authors

    +

    Authors

    • Akretion
    -

    Contributors

    +

    Contributors

    -

    Maintainers

    +

    Maintainers

    This module is maintained by the OCA.

    Odoo Community Association @@ -455,5 +465,6 @@

    Maintainers

    +
    diff --git a/impersonate_login/tests/test_impersonate_login.py b/impersonate_login/tests/test_impersonate_login.py index ad0665c4ee..313239ce99 100644 --- a/impersonate_login/tests/test_impersonate_login.py +++ b/impersonate_login/tests/test_impersonate_login.py @@ -258,3 +258,37 @@ def test_04_write_uid(self): self.assertEqual(result, True) self.assertEqual(contact.ref, "abc") self.assertEqual(contact.write_uid, self.admin_user) + + def test_05_limit_access_to_admin(self): + """ + Test restriction on impersonating admin users + with 'Administration: Settings' access rights. + """ + config_settings = self.env["res.config.settings"].create( + {"restrict_impersonate_admin_settings": True} + ) + config_settings.execute() + + config_restrict = ( + self.env["ir.config_parameter"] + .sudo() + .get_param("impersonate_login.restrict_impersonate_admin_settings") + ) + self.assertTrue(config_restrict) + + admin_settings_group = self.env.ref("base.group_system") + self.admin_user.groups_id += admin_settings_group + + self.authenticate(user="demo", password="demo") + self.assertEqual(self.session.uid, self.demo_user.id) + + self.demo_user.groups_id += self.env.ref( + "impersonate_login.group_impersonate_login" + ) + + with mute_logger("odoo.http"): + data = self._impersonate_user(self.admin_user) + self.assertEqual( + data["error"]["data"]["message"], + "You cannot impersonate users with 'Administration: Settings' access rights.", + ) diff --git a/impersonate_login/views/res_config_settings.xml b/impersonate_login/views/res_config_settings.xml new file mode 100644 index 0000000000..9d51519540 --- /dev/null +++ b/impersonate_login/views/res_config_settings.xml @@ -0,0 +1,36 @@ + + + res.config.settings.impersonate + res.config.settings + + + +
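Review bot: `test_05_limit_access_to_admin` in tests/test_impersonate_login.py covers only the refusal, so nothing here pins the two cases the new guard in `impersonate_login` must not break. With the option enabled, a target without `base.group_system` should still be impersonable, and a session started by a Settings user should still be able to return to its original user; a regression in either would pass this test. A second test method that enables the option, impersonates `self.demo_user` from an admin session and then switches back would close the gap. The final assertion compares the full English message, which assumes the test request runs untranslated.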
    +

    Impersonation Login

    +
    +
    +
    + +
    +
    + +
    + Prevents impersonating users that have the + "Administration: Settings" access rights. +
    +
    +
    +
    +
    +
    +
    +
    +