Impersonate User for non-admin users
‎06-11-2009 09:48 AM
Hi all,
I know that out of the box Service-Now only allows users with the admin role to impersonate other users. We are running domain separated and have "admins" in each domain (without the actual admin role) that we would like to be able to impersonate their users. I've been able to modify the UI Page and UI Macros scripts so that the button appears for them and it runs a simple check so they can't impersonate a user with the admin role, however the system still does not let a user without the admin role perform an impersonation. It looks to me like there is some additional check in the session.onlineImpersonate() function, has anyone been able to get around this? Is this an enhancement request?
Here are the changes I made:
UI Page- impersonate_dialog HTML:
<g:ui_form>
  <g:evaluate var="jvar_impersonate_name" expression="gs.getImpersonatingUserName()" />
  <g:evaluate var="jvar_imp_display_name" expression="gs.getImpersonatingUserDisplayName()" />
  <g:evaluate>
    var name = gs.getImpersonatingUserName();
    var actual_user = null;
    if (name == null || name == '')
      actual_user = user;
    else
      actual_user = Packages.com.glide.sys.User.getUser(name);
    var recent_impersonations = actual_user.getPreference('recent.impersonations');
    var admin_role = actual_user.hasRole("admin");
  </g:evaluate>
  <input type="hidden" name="imp_type" id="imp_type" value="" />
  <input type="hidden" name="admin_role" id="admin_role" value="${admin_role}" />
  <table width="100%">
    <tr id="select_row">
      <td>
        <table>
          <tr>
            <td>Recent Impersonations</td>
          </tr>
          <tr>
            <td nowrap="true">
              <select id="imp_recent" multiple="true" size="6" name="imp_recent" style="width:250px" onclick="clearRef()" ondblclick="gel('ok_button').click()">
                <g:impersonate_choices history="${recent_impersonations}" />
              </select>
            </td>
          </tr>
          <tr>
            <td nowrap="true" align="right">
              <g:ui_reference name="sys_user" table="sys_user" onchange="clearSelect()"/>
            </td>
          </tr>
        </table>
      </td>
    </tr>
    <tr id="poll_img" style="display:none" border="1">
      <td colspan="2" align="center" width="300px">
        <img src="./images/ajax-loader.gifx" />
        <p id="poll_text" style="font-weight:bold;">
          ${gs.getMessage('Please Wait')}
        </p>
      </td>
    </tr>
    <tr>
      <td colspan="2"><br /></td>
    </tr>
    <tr id="dialog_buttons">
      <td colspan="2" align="right">
        <g:dialog_buttons_ok_cancel ok="return impOk()" ok_id="ok_button" cancel_type="button" />
      </td>
    </tr>
  </table>
</g:ui_form>
UI Page - impersonate_dialog Client Script function impOk():
function impOk() {
  // Value of the hidden admin_role field rendered by the UI page ("true"/"false")
  var admin_role = gel('admin_role').value;
  var impName;
  var is_ok = false;

  // User picked through the reference field
  var sys_user = gel('sys_user');
  if (sys_user.value != '') {
    is_ok = true;
    impName = sys_user.value;
  }

  // User picked from the recent impersonations list (takes precedence if both are set)
  var imp_recent = gel('imp_recent');
  if (imp_recent.value != '') {
    is_ok = true;
    impName = imp_recent.value;
  }

  // Non-admin impersonator: refuse if the selected user holds the admin role
  if (is_ok && admin_role == "false") {
    var roleAdmin = new GlideRecord("sys_user_role");
    roleAdmin.addQuery('name', 'admin');
    roleAdmin.query();
    roleAdmin.next();
    var objImp = new GlideRecord("sys_user_has_role");
    objImp.addQuery("role", roleAdmin.sys_id);
    objImp.addQuery("user", impName);
    objImp.query();
    if (objImp.next()) {
      alert("You do not have permissions to impersonate an admin user");
      return false;
    }
  }

  if (!is_ok) {
    alert('Please select a user to impersonate');
    return false;
  }
  return true;
}
ImpersonateButton.jsdbx - updateImpersonateForLogin:
updateImpersonateForLogin: function(/* GlideUser */ user) {
  // if you don't have the admin role and haven't previously impersonated, hide the button
  var got_it = user.hasRole("admin");
  if (user.hasRole("domain_admin"))
    got_it = true;
  if (this.toggle_field.value != "")
    got_it = true;
  if (!got_it) {
    hideObject(this.span);
    return;
  }
  showObjectInline(this.span);
}
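The admin-role check in impOk() above runs in the browser and reads the hidden admin_role field, so it governs only what the dialog shows. As an added example (not part of the original post and not ServiceNow's own API), the same rule is written here as a server-side decision in plain JavaScript that takes its inputs only from server-held data and records each attempt. The user directory, its domain field, and the canImpersonate and handleImpersonate functions are assumptions made for illustration.

```javascript
// Constructed sample directory (illustrative; not real ServiceNow records).
const USERS = {
  "dom.admin.a": { domain: "A", roles: ["domain_admin", "itil"] },
  "alice.a":     { domain: "A", roles: ["itil"] },
  "root.a":      { domain: "A", roles: ["admin"] },
  "bob.b":       { domain: "B", roles: [] },
  "sys.admin":   { domain: "global", roles: ["admin"] },
};

// Hypothetical server-side policy. Roles and domains are looked up from
// server-held data; the request contributes only the two user names.
function canImpersonate(actorName, targetName, users = USERS) {
  const actor = users[actorName];
  const target = users[targetName];
  if (!actor || !target) return { allowed: false, reason: "unknown user" };
  if (actorName === targetName) return { allowed: false, reason: "self" };

  // Full admins keep the out-of-the-box behaviour.
  if (actor.roles.includes("admin")) return { allowed: true, reason: "admin" };
  if (!actor.roles.includes("domain_admin"))
    return { allowed: false, reason: "actor lacks role" };
  // Delegated admins may never become a holder of the admin role...
  if (target.roles.includes("admin"))
    return { allowed: false, reason: "target is admin" };
  // ...and may only act as users of their own domain.
  if (target.domain !== actor.domain)
    return { allowed: false, reason: "cross-domain" };
  return { allowed: true, reason: "domain_admin, same domain" };
}

// Hypothetical request handler: the actor comes from the session, and
// form fields such as admin_role are not consulted at all.
function handleImpersonate(sessionUser, form, auditLog = []) {
  const decision = canImpersonate(sessionUser, form.sys_user);
  // Record every attempt, allowed or denied, for later review.
  auditLog.push({ actor: sessionUser, target: form.sys_user, ...decision });
  return decision.allowed;
}
```

Logging denied attempts as well as allowed ones gives reviewers a record of who tried to impersonate whom once the capability is opened to non-admin roles.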
‎06-11-2009 10:02 AM
The check for admin is hardcoded in Java.
However, looking at the code, you might try creating a new property in your instance.
Property name: glide.sys.permissive.impersonate
Type: True/False
If I'm reading things right, setting that new property to true might give you the desired behavior and bypass the hardcoded check for the admin role. It should probably be used with caution, as I doubt that extensive intrusion testing has been done when that property exists and is set to true.
‎06-11-2009 10:53 AM
Once again I'm impressed with you guys. So far that is doing exactly what we want.
Thanks!
‎10-17-2010 11:59 PM
Hi CapaJC,
This property doesn't seem to work for me. Any hints? It's a true/false which I set to 'true'.
‎10-18-2010 07:31 AM
Have you also made all the changes Steve outlined at the start of this post? I just looked, and the property is still checked on the back end. But you'll still need to edit some things in the instance first to let non-admins see/use the capability. If you have done that, and it's still not working, I'm afraid I don't have any additional advice, since my info was coming solely from looking at the hardcoded Java bit and seeing where that property gets checked. Maybe someone else will chime in.
