09-06-2015 05:32 AM
Can I identify whether the ticket was created by the 'ABC' user or the 'DEF' user (who just impersonated 'ABC' and created the ticket)?
PS: 'ABC' is an itil user and 'DEF' is an admin user.
09-06-2015 05:37 PM
Hi, some thoughts that could be helpful:
a) You may be able to determine which user was doing the impersonation by matching the times at which the impersonations took place against the incident's created time.
b) Be aware that incidents could be created in multiple ways. A common one in many instances is that incidents may be created as a result of an incoming email to the ServiceNow email account, which results in the creation of an incident when the respective inbound action is enabled.
c) I would recommend that generic user accounts are either disabled or left to only 1 trusted administrator responsible for the instance. Admins or Security Admins should have their own accounts with the respective required admin roles. In this way it will be easy to trace which user is doing which action and assure accountability for it.
Thanks,
Berny
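The time matching suggested in (a) above, sketched as an added example that is not part of the original reply and is not ServiceNow code: it works on constructed records with hypothetical field names (`type`, `admin`, `target`, `at`, `createdBy`, `createdAt`) standing in for exported impersonation log entries and incidents. A match only shows that the created time falls inside an impersonation window; an impersonation with no logged end is flagged for review instead of being trusted.

```javascript
// Constructed sample data. Field names are hypothetical, not a ServiceNow schema.
const impersonationEvents = [
  { type: 'start', admin: 'DEF', target: 'ABC', at: '2015-09-06T05:10:00Z' },
  { type: 'end',   admin: 'DEF', target: 'ABC', at: '2015-09-06T05:40:00Z' },
  { type: 'start', admin: 'GHI', target: 'ABC', at: '2015-09-06T09:00:00Z' }, // end never logged
];
const incidents = [
  { number: 'INC-A', createdBy: 'ABC', createdAt: '2015-09-06T05:32:00Z' },
  { number: 'INC-B', createdBy: 'ABC', createdAt: '2015-09-06T07:15:00Z' },
  { number: 'INC-C', createdBy: 'ABC', createdAt: '2015-09-06T09:20:00Z' },
];

// Pair start/end events into sessions. A session with no logged end is kept
// open for maxOpenMs and flagged, so it is reviewed rather than trusted.
function buildSessions(events, maxOpenMs = 8 * 60 * 60 * 1000) {
  const sorted = [...events].sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  const open = new Map();
  const sessions = [];
  const expire = (s) => sessions.push({ ...s, end: s.start + maxOpenMs, closed: false });
  for (const e of sorted) {
    const key = `${e.admin}>${e.target}`;
    const t = Date.parse(e.at);
    if (e.type === 'start') {
      if (open.has(key)) expire(open.get(key)); // previous start had no end
      open.set(key, { admin: e.admin, target: e.target, start: t });
    } else if (e.type === 'end' && open.has(key)) {
      sessions.push({ ...open.get(key), end: t, closed: true });
      open.delete(key);
    }
  }
  for (const s of open.values()) expire(s);
  return sessions;
}

// List the admins whose impersonation window covers the incident's created time.
function attribute(incident, sessions) {
  const t = Date.parse(incident.createdAt);
  const hits = sessions.filter(
    (s) => s.target === incident.createdBy && s.start <= t && t <= s.end);
  let verdict = 'needs-review'; // several admins, or a session with no logged end
  if (hits.length === 0) verdict = 'no-impersonation-window';
  else if (hits.length === 1 && hits[0].closed) verdict = 'single-admin-match';
  return { number: incident.number, candidates: hits.map((s) => s.admin), verdict };
}

const sessions = buildSessions(impersonationEvents);
for (const inc of incidents) console.log(attribute(inc, sessions));
```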
09-06-2015 08:33 PM
Can't we track the IP through which the ticket was raised in snow?
09-06-2015 10:24 PM
You do at System Logs >> Client Transactions
Thanks,
Berny
09-07-2015 08:03 AM
Thanks
09-10-2015 10:46 PM
You're welcome!
Do you believe we can close this thread by marking one of the responses as correct?
Thanks,
Berny
09-06-2015 10:38 PM
Hi Snow,
Just to add, you may also find the blogs below helpful.
https://community.servicenow.com/people/Garrick/blog/2012/08/21/2140
https://community.servicenow.com/people/CapaJC/blog/2012/06/12/1837
