The SU for Jira app works by changing your current user session to the user of your choice, then, from Jira's point of view, you have effectively logged in (without having to supply the user's password) as the selected user.

Now that you understand this, it should be obvious that this technique could be potentially misused in the wrong hands. You can restrict access to the SU functionality by going to the UPM and clicking on the Configure button of the SU for Jira app. This will then allow you to restrict access to selected groups.

One useful feature is its audit log. Every time someone uses the SU function, it is logged in the system, so administrators can always go and check if someone has been abusing it. You can access the SU Audit Log by navigating to Administration > System > SU Audit Log.