Impersonate User for non-admin users
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-11-2009 09:48 AM
Hi all,
I know that out of the box Service-Now only allows users with the admin role to impersonate other users. We are running domain separated and have "admins" in each domain (without the actual admin role) that we would like to be able to impersonate their users. I've been able to modify the UI Page and UI Macros scripts so that the button appears for them and it runs a simple check so they can't impersonate a user with the admin role, however the system still does not let a user without the admin role perform an impersonation. It looks to me like there is some additional check in the session.onlineImpersonate() function, has anyone been able to get around this? Is this an enhancement request?
Here are the changes I made:
UI Page- impersonate_dialog HTML:
<g:ui_form>
<g:evaluate var="jvar_impersonate_name" expression="gs.getImpersonatingUserName()" />
<g:evaluate var="jvar_imp_display_name" expression="gs.getImpersonatingUserDisplayName()" />
<g:evaluate>
var name = gs.getImpersonatingUserName();
var actual_user = null;
if (name == null || name == '')
actual_user = user;
else
actual_user = Packages.com.glide.sys.User.getUser(name);
var recent_impersonations = actual_user.getPreference('recent.impersonations');
var admin_role=actual_user.hasRole("admin");
</g:evaluate>
<input type="hidden" name="imp_type" id="imp_type" value="" />
<input type="hidden" name="admin_role" id="admin_role" value="${admin_role}" />
<table width="100%">
<tr id="select_row">
<td>
<table>
<tr>
<td>Recent Impersonations</td>
</tr>
<tr>
<td nowrap="true">
<select id="imp_recent" multiple="true" size="6" name="imp_recent" style="width:250px" onclick="clearRef()" ondblclick="gel('ok_button').click()">
<g:impersonate_choices history ="${recent_impersonations}" />
</select>
</td>
</tr>
<tr>
<td nowrap="true" align="right">
<g:ui_reference name="sys_user" table="sys_user" onchange="clearSelect()"/>
</td>
</tr>
</table>
</td>
</tr>
<tr id ="poll_img" style="display:none" border="1">
<td colspan="2" align="center" width="300px">
<img src="./images/ajax-loader.gifx" />
<p id="poll_text" style="font-weight:bold;">
${gs.getMessage('Please Wait')}
</p>
</td>
</tr>
<tr>
<td colspan="2"><br /></td>
</tr>
<tr id="dialog_buttons">
<td colspan="2" align="right">
<g:dialog_buttons_ok_cancel ok="return impOk()" ok_id="ok_button" cancel_type="button" />
</td>
</tr>
</table>
</g:ui_form>
UI Page - impersonate_dialog Client Script fuction impOk():
function impOk() {
var admin_role = gel('admin_role').value;
var impName;
var is_ok = false;
var sys_user = gel('sys_user');
if (sys_user.value != '')
{
is_ok = true;
impName = sys_user.value;
}
var imp_recent = gel('imp_recent');
if (imp_recent.value != '')
{
is_ok = true;
impName = imp_recent.value;
}
if (is_ok && admin_role=="false")
{
var roleAdmin = new GlideRecord("sys_user_role");
roleAdmin.addQuery('name','admin');
roleAdmin.query();
roleAdmin.next();
var objImp = new GlideRecord("sys_user_has_role");
objImp.addQuery("role",roleAdmin.sys_id);
objImp.addQuery("user",impName);
objImp.query();
if (objImp.next())
{
alert("You do not have permissions to impersonate an admin user");
return false;
}
}
if (!is_ok) {
alert('Please select a user to impersonate');
return false;
}
return true;
}
ImpersonateButton.jsdbx - updateImpersonateForLogin:
updateImpersonateForLogin: function(/* GlideUser */ user) {
// if you don't have the admin role and haven't previously impersonated, hide the button
var got_it = user.hasRole("admin");
if (user.hasRole("domain_admin"))
got_it = true;
if (this.toggle_field.value != "")
got_it = true;
if (!got_it) {
hideObject(this.span);
return;
}
showObjectInline(this.span);
}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-10-2011 04:59 AM
Where does the last code snippet go for function updateImpersonateForLogin? That was the part I was confused about.
This would be a nice update set to have for test/dev instances. It streamlines testing process by being able to jump around to various accounts instead of logging in/logging out with dummy accounts.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-10-2011 06:07 AM
Looks like it goes under the 'ImpersonateButton' UI Script
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-10-2011 10:04 AM
never mind, it works now
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-10-2011 10:31 AM
I just tried this in demo and it appears it did not work. I added domain_admin role, gave that role to ITIL user and added the scripts accordingly where they belong.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-27-2011 08:10 AM
This is working great!
I did make an adjustment to the "impersonateButton" UI Script changes for updateImpersonateForLogin as it was not showing the icon for any users with the original in my system.
updateImpersonateForLogin: function(/* GlideUser */ user) {
// if you don't have the admin role and haven't previously impersonated, hide the button
var got_it = user.hasRole("admin");
var got_it2 = user.hasRole("domain_admin");
var toggle_field = gel(this.toggle_field_name);
if (toggle_field.value != "")
got_it = true;
var span = gel(this.span_name);
if (!got_it && !got_it2) {
hideObject(span);
return;
}
showObjectInline(span);
}
Thanks for your work on this!
