I can also confirm that this is extremely common and basically standard practice. I frequently emulate my users when doing tech support. Even if this wasn't the case, unless everything in the database were encrypted per user, I could just query for their data.