History of impersonation

Vaibhav Sharma1
Tera Contributor

‎03-01-2024 12:50 PM

Hi All,

 

Is it possible to track history of who has made what changes by impersonating someone else

 

I have a scenario where some records have been modified on PROD instance. However, stakeholders are claiming that it is not done by them. We want to make sure that someone else has not done it by impersonating them or not.

0 Helpfuls
  • 1,444 Views
5 REPLIES 5

swathisarang98
Giga Sage
Giga Sage

‎03-01-2024 02:24 PM

Hi @Vaibhav Sharma1 ,

 

 

You can check few things ,

 

  1. Navigate system logs -> all -> in message type Impersonation you will get all the users who impersonated other users
  2. You can check Record updated by field and contact that person and ask what was the changes and you can check their login history activities and in the audit trail mentioned above you can check with that user name you will get an idea if someone impersonated this person
  3. If something was deleted you can look for backup or check deleted record module you will get who modified it
  4. If you are unable to resolve the issue on your own, you can contact ServiceNow support for assistance. They can help you investigate the issue and provide guidance on how to prevent similar incidents in the future.
  5. To prevent future incidents, you can implement security measures such as two-factor authentication, password policies, and access controls. You can also educate your users on how to recognise and report suspicious activities in the system.

 

Please mark this comment as Correct Answer/Helpful if it helped you.

Regards,

Swathi Sarang

AshishKM
Kilo Patron
Kilo Patron

‎03-01-2024 02:44 PM

Hi @Vaibhav Sharma1,

After you get the logs , you can check sessionid , IP and computer name and matched with any other similar log record and find the user who actually impersonated other user.

-Thanks,

AshishKM


Please mark this response as correct and helpful if it helps you can mark more that one reply as accepted solution

Mark Roethof
Tera Patron
Tera Patron

‎03-01-2024 09:51 PM

Hi there,

 

You can easily identify who impersonated who. Though identifying if someone impersonating really changed something and not the person itself?! Perhaps if you see that that person didn't login themselves at the same time, though else...

 

Better ofcourse: why would this even be possible at all in production? Sounds like something not really safe set up in your organisation, security, etc..

 

Kind regards,

 

Mark Roethof

Independent ServiceNow Consultant

10x ServiceNow MVP

---

 

~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

LinkedIn

AJ-TechTrek
Giga Sage
Giga Sage

‎03-03-2024 11:51 PM

Hi @Vaibhav Sharma1 ,

 

Refer the below document which may help you.

 

https://www.process.st/how-to/check-impersonation-logs-in-servicenow/#:~:text=Go%20to%20ServiceNow%2....

 

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0717055

 

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.

 

Thanks

AJ

Linkedin Profile:- https://www.linkedin.com/in/ajay-kumar-66a91385/

ServiceNow Community Rising Star 2024