Is it possible to limit the impersonification role to certain modules?

alebuc · ‎09-16-2019

Hi,

we need certain users to be able to impersonate others users and be able to add a time card in their place.

The partial solution we thought is:

1 - Give the role "impersonate_role" to the group of users, IMPERSONATE GROUP, who can add a time card for someone;

2 - Create a custom field of type “list” in sys_user, "Delegate for", that contain the people for who a user of IMPERSONATE GROUP is delegated to add a time card;

3 - Modify the UI Page "impersonate_dialog" to make sure that the impersonation function is limited to the people that are in the "Delegate for" field;

4 - At this point it is possible to limit, in the impersonation phase, the use of only certain modules, in this case access the worker portal and add the time card as per the other user?

Quoting a little from Impersonate a user from the servicenow documentation:

IT System Administrators [admin] can impersonate ServiceNow users. However, when impersonating a user with an application admin role for Human Resources or Security The access bar is also restricted. Also, admin can not change the password.

This is possible to achieve by modify the script include "ImpersonateEvaluator" and how?

If there any other way to achieve the same results I’m open to suggestions.

Thanks,

Alessio

Allen Andreas · ‎09-16-2019

Hi,

Allowing someone else to enter a time card on behalf of someone else really should be handled by a separate process itself. Perhaps you can create a custom role with ACL permissions that allow this behavior? Versus trying to give out impersonator (which has security and other impacts to your instance). I believe you may want to return to the drawing board and reassess this.

Please mark reply as Helpful/Correct, if applicable. Thanks!

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Lucas Alves · ‎09-16-2019

Hi Alessio,

Have you considered giving the role (timecard_admin) to users who need to make the modifications and granting timecard_user role to users?

I believe this would meet the requirement because users with timecard_admin could enter records for someone else without having to impersonate them.

Please mark the answer as Helpful / Correct if I contributed to you.

Community Alums · ‎09-16-2019

This is not the correct use of impersonation. You just need users to be able to create records on behalf of someone else, not as someone else.

Impersonation is best used as a testing tool to see the application through the eyes of others with different roles.

sunil kumar6 · ‎02-24-2023

Hello @alebuc

Can you please share what Modification you have done on UI Page "impersonate_dialog"