Impersonate User for non-admin users

Permalink · ‎06-11-2009

Hi all,

I know that out of the box Service-Now only allows users with the admin role to impersonate other users. We are running domain separated and have "admins" in each domain (without the actual admin role) that we would like to be able to impersonate their users. I've been able to modify the UI Page and UI Macros scripts so that the button appears for them and it runs a simple check so they can't impersonate a user with the admin role, however the system still does not let a user without the admin role perform an impersonation. It looks to me like there is some additional check in the session.onlineImpersonate() function, has anyone been able to get around this? Is this an enhancement request?

Here are the changes I made:

UI Page- impersonate_dialog HTML:


<g:ui_form>
<g:evaluate var="jvar_impersonate_name" expression="gs.getImpersonatingUserName()" />
<g:evaluate var="jvar_imp_display_name" expression="gs.getImpersonatingUserDisplayName()" />
<g:evaluate>
       var name = gs.getImpersonatingUserName();
       var actual_user = null;
       if (name == null || name == '')
               actual_user = user;
       else
               actual_user = Packages.com.glide.sys.User.getUser(name);
       var recent_impersonations = actual_user.getPreference('recent.impersonations');

       var admin_role=actual_user.hasRole("admin");
</g:evaluate>

<input type="hidden" name="imp_type" id="imp_type" value="" />
<input type="hidden" name="admin_role" id="admin_role" value="${admin_role}" />
<table width="100%">
<tr id="select_row">
                       <td>
                               <table>
                                         <tr>
                                                 <td>Recent Impersonations</td>
                                         </tr>
                                         <tr>
                                                     <td nowrap="true">
                                                             <select id="imp_recent" multiple="true" size="6" name="imp_recent" style="width:250px" onclick="clearRef()" ondblclick="gel('ok_button').click()">
                                                                     <g:impersonate_choices history ="${recent_impersonations}" />
                                                             </select>
                                                     </td>
                                         </tr>
                                         <tr>
               <td nowrap="true" align="right">
       <g:ui_reference name="sys_user" table="sys_user" onchange="clearSelect()"/>
               </td>
                                             </tr>
                               </table>
       </td>
               </tr>
<tr id ="poll_img" style="display:none" border="1">
<td colspan="2"   align="center" width="300px">
<img src="./images/ajax-loader.gifx" />
                                               <p id="poll_text" style="font-weight:bold;">
${gs.getMessage('Please Wait')}
</p>
</td>
</tr>
               <tr>
                       <td colspan="2"><br /></td>
               </tr>
               <tr id="dialog_buttons">
                               <td colspan="2" align="right">
                                       <g:dialog_buttons_ok_cancel ok="return impOk()" ok_id="ok_button" cancel_type="button" />
                               </td>
               </tr>
</table>
</g:ui_form>

UI Page - impersonate_dialog Client Script fuction impOk():


function impOk() {
var admin_role = gel('admin_role').value;
var impName;

var is_ok = false;
var sys_user = gel('sys_user');
if (sys_user.value != '')
{
is_ok = true;
impName = sys_user.value;
}

var imp_recent = gel('imp_recent');

if (imp_recent.value != '')
{
is_ok = true;
impName = imp_recent.value;
}

if (is_ok &amp;&amp; admin_role=="false")
{
var roleAdmin = new GlideRecord("sys_user_role");
roleAdmin.addQuery('name','admin');
roleAdmin.query();
roleAdmin.next();

var objImp = new GlideRecord("sys_user_has_role");
objImp.addQuery("role",roleAdmin.sys_id);
objImp.addQuery("user",impName);
objImp.query();

if (objImp.next())
{
alert("You do not have permissions to impersonate an admin user");
return false;
}

}

if (!is_ok) {
alert('Please select a user to impersonate');
return false;
}

return true;
}

ImpersonateButton.jsdbx - updateImpersonateForLogin:


updateImpersonateForLogin: function(/* GlideUser */ user) {
               // if you don't have the admin role and haven't previously impersonated, hide the button
               var got_it = user.hasRole("admin");

if (user.hasRole("domain_admin"))
                     got_it = true;

               if (this.toggle_field.value != "")
                     got_it = true;

               if (!got_it) {
                       hideObject(this.span);
                       return;
               }

               showObjectInline(this.span);
       }

Mark Stanger · ‎04-27-2011

FYI. This functionality has now been added to the product as of the June 2011 Preview 2 release.

http://wiki.service-now.com/index.php?title=June_2011_Preview_2_Notable_Changes#impersonator_role

sherman_1206 · ‎05-05-2011

Great news Mark!

Though I hate it when you spend a week or two implementing something to find out its going to be packaged in a future update. 🙂

Is there anyway we can keep closer on potential upcoming feature's to be included so we can consider these when we are looking at what projects are worth doing and in cases like this most likely determine its not worth the effort and we would be better waiting?

Mark Stanger · ‎05-05-2011

The only way currently is to pay attention to the release notes on the wiki. I know the documentation team is pushing harder every release to get the notes out earlier.

sherman_1206 · ‎05-06-2011

Thanks Mark, I agree it does seem they are coming out sooner and with more depth. Additionally, I can say the wiki content has certainly improved over the last 6 months.