Impersonation not working for non-admin users via Script Includes
‎06-09-2020 07:47 AM
Hi,
I have a business rule that invokes a function from a Script Include which updates the status on "sc_task" by impersonating an admin user. This functionality works fine when an admin invokes the business rule, but the impersonation does not work (the status update happens, but not as an admin) when a non-admin processes the same request. The Application is "Global" but the Accessible from is "This application scope only" on the Script Include. Do you think this is causing the issue, or do we need the impersonation role even to impersonate via a Script Include?
var myUser = gs.getSession().impersonate(adminusersys_id);//Impersonate as admin
task.state = 'completed'; //Update task status
gs.getSession().impersonate(myUser); //Reset it back to logged in user
Labels: Scripting and Coding
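An added example, not part of the original posts: a fail-closed wrapper around the impersonation pattern in the question, which confirms the session really switched users before doing the update and always restores the original user. `runAs`, `makeMockGs` and `demo` are hypothetical names, and the mock's allow rule is constructed for the demo; it is not ServiceNow's actual permission logic.

```javascript
// Added example (not from the thread). On an instance `gs` is the platform
// global; here it is passed in so the constructed mock below can stand in.
function runAs(gs, targetSysId, work) {
  var original = gs.getUserID();
  gs.getSession().impersonate(targetSysId);
  try {
    // The thread reports the update still happening "but not as an admin",
    // so check the effective user instead of trusting the call.
    if (gs.getUserID() !== targetSysId) {
      throw new Error('impersonation refused; still ' + gs.getUserID());
    }
    return work();
  } finally {
    // Always drop the borrowed identity, even when work() throws.
    if (gs.getUserID() !== original) {
      gs.getSession().impersonate(original);
    }
  }
}

// Constructed mock of gs: the switch only takes effect for logins listed in
// allowedLogins (an assumption for this demo), or when restoring yourself.
function makeMockGs(loginId, allowedLogins) {
  var current = loginId;
  var session = {
    impersonate: function (id) {
      var previous = current;
      if (id === loginId || allowedLogins.indexOf(loginId) !== -1) current = id;
      return previous;
    }
  };
  return {
    getUserID: function () { return current; },
    getSession: function () { return session; }
  };
}

// Runs the task update as a given login; sys_ids are constructed placeholders.
function demo(loginId) {
  var gs = makeMockGs(loginId, ['admin_sys_id']);
  var updates = [];
  var outcome = 'updated';
  try {
    runAs(gs, 'integration_sys_id', function () {
      updates.push({ state: 'completed', by: gs.getUserID() });
    });
  } catch (e) { outcome = 'blocked'; }
  return { outcome: outcome, updates: updates, endsAs: gs.getUserID() };
}
```

With this shape a refused impersonation surfaces as an error in the log rather than as a task update attributed to the wrong user.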

‎06-09-2020 12:37 PM
You need to provide the impersonate role to non-admins to allow impersonation. Also, do one of the following to allow non-admin users to impersonate:
- create a READ ACL on the sys_user.locked_out field and give it a role that your impersonators have (Impersonator role)
- Allow this base system ACL to pass for any role/user by removing the existing roles on the ACL sys_security_acl.do?sys_id=68918dc8a9020100bc4180c3c1bda548
Regards,
Sachin
‎06-09-2020 02:10 PM
Thank you. Any way to achieve this without the ACL?

‎06-09-2020 01:09 PM
Hello,
Non-Admin users cannot impersonate Admin users. They can impersonate others when they have the impersonator role, but they will not receive any 'higher' roles than what their current account has. So as an Admin your script will work, but as a Non-Admin it cannot impersonate an Admin account. Is there a reason you are attempting to do it that way? If the script is run from a Script Include then it will do so as the System, not as the user who calls the logic.
--David
‎06-09-2020 02:09 PM
The admin user is being used in an integration and we wanted to update the SN record once we get the status back. I've noticed this functionality works for non-admin users w/o the ITIL role but failed when a user with the ITIL role tries to trigger this. Any specific reason as to why this would only work for a subset of users? If the script include runs as system then it should be the same for all non-admin users, right? And I did confirm that all our non-admin users do not have the impersonation role.