
Impersonation

snowlearner
Kilo Expert

Can I identify whether the ticket is created by 'ABC' user or 'DEF' user (who just impersonated 'ABC' and created the ticket)?

PS: 'ABC' is an itil user and 'DEF' is an admin user.

1 ACCEPTED SOLUTION

Hi, some thoughts that could be helpful:



a) You may be able to determine which user was doing the impersonation by matching the times at which the impersonations took place against the incident created time.

b) Be aware that incidents could be created in multiple ways. A common one in many instances is that instances may be created as a result of an incoming email to the ServiceNow email account, which results in the creation of an incident when the respective inbound action is enabled.

c) I will recommend that generic user accounts are either disabled or left to only 1 trusted administrator responsible for the instance. Admins or Security Admins should have their own accounts with the respective required admin roles. In this way it will be easy to trace which user is doing which action and assure accountability for it.



Thanks,


Berny


13 REPLIES

Kalaiarasan Pus
Giga Sage

One way to find out is to check the system logs. They will have an entry such as this one when someone impersonates:



'Impersonation start: Abel Tuter (abel.tuter) by: System Administrator (admin)'


Thanks Kalaiarasan, but I already know that.

Let me frame my question this way:

Suppose I see in the logs 'Impersonation start: Abel Tuter (abel.tuter) by: System Administrator (admin)' and also 'Impersonation start: Abel Tuter (abel.tuter) by: ITIL user'.

Now, as you can see, Abel has been impersonated with two IDs (admin and ITIL users). How should I know whether the ticket INCXXXXX has been created by admin or ITIL, as Abel is denying that he hasn't raised this ticket and someone else must have impersonated with his ID and created the incident?

Do we have any way to track the actions being performed by impersonating with someone else's ID?


I hope this is helpful!



Thanks,


Berny
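
The time matching suggested in point (a), applied to log entries in the 'Impersonation start' format quoted in the replies, could look like the sketch below. It is an added example, not code from any poster or from ServiceNow: it works on exported log rows in plain JavaScript, and the row shape, function names, timestamps, the extra sample users and the 60-minute window are all assumptions made for illustration.

```javascript
// Added example. Rows mimic exported system log entries; all values are constructed.
const START_RE = /^Impersonation start: (.+?) \(([^)]+)\) by: (.+?) \(([^)]+)\)$/;

// Turn one log row {created, message} into an event, or null if it is not
// an impersonation-start entry.
function parseImpersonation(row) {
  const m = START_RE.exec(row.message.trim());
  if (!m) return null;
  return { at: new Date(row.created), targetId: m[2], actorName: m[3], actorId: m[4] };
}

// Impersonations of `userId` that started at most `windowMin` minutes before
// the record was created, nearest first. windowMin is an assumption standing in
// for the longest plausible session, since only start entries are parsed.
function candidateImpersonators(rows, userId, createdAt, windowMin = 60) {
  const created = new Date(createdAt);
  return rows
    .map(parseImpersonation)
    .filter((e) => e !== null && e.targetId === userId)
    .map((e) => ({ actorId: e.actorId, minutesBefore: (created - e.at) / 60000 }))
    .filter((e) => e.minutesBefore >= 0 && e.minutesBefore <= windowMin)
    .sort((a, b) => a.minutesBefore - b.minutesBefore);
}

// Time matching only narrows the field: report ambiguity instead of guessing.
function attribute(rows, userId, createdAt, windowMin = 60) {
  const c = candidateImpersonators(rows, userId, createdAt, windowMin);
  const actors = [...new Set(c.map((e) => e.actorId))];
  if (actors.length === 0) return { verdict: "no-impersonation-in-window", actors };
  if (actors.length === 1) return { verdict: "single-candidate", actors };
  return { verdict: "ambiguous", actors };
}

// Constructed sample log: two impersonations of abel.tuter before the incident,
// one of another user, one unrelated entry, and one after the incident.
const sampleLog = [
  { created: "2024-03-05T08:00:00Z", message: "Impersonation start: Abel Tuter (abel.tuter) by: System Administrator (admin)" },
  { created: "2024-03-05T09:40:00Z", message: "Impersonation start: Abel Tuter (abel.tuter) by: ITIL User (itil)" },
  { created: "2024-03-05T09:55:00Z", message: "Impersonation start: Beth Anglin (beth.anglin) by: System Administrator (admin)" },
  { created: "2024-03-05T09:58:00Z", message: "Inbound email processed" },
  { created: "2024-03-05T10:30:00Z", message: "Impersonation start: Abel Tuter (abel.tuter) by: System Administrator (admin)" },
];

console.log(attribute(sampleLog, "abel.tuter", "2024-03-05T10:00:00Z"));
```

A "no-impersonation-in-window" verdict does not prove the user created the record personally; as point (b) notes, records can also arrive through other paths such as inbound email.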