Run query as another user

Cris P
Tera Guru

Good morning everyone,

I have a catalog item variable which is referencing sc_cat_item table. I have the following reference qualifier for the variable:

javascript: new OnBehalfOfCatItm().getQuery(current.variables.requested_for, gs.getUserID());

The above ref qual is using the following Script Include method:

getQuery: function(onBehalfOf, currentUser){
	//gs.info('cris3Behalf' + onBehalfOf);
	//gs.info('cris3CurrUser' + currentUser);

	gs.getSession().impersonate(onBehalfOf); // impersonate the user from our other cat item variable
	var arr = [];
	var gr = new GlideRecord('sc_cat_item');
	gr.query(); // query the table as the user impersonated
	while(gr.next()){
		arr.push(gr.getUniqueValue()); // populate array with sys_id of cat items they can see
	}
	//gs.getSession().impersonate(currentUser);
	gs.getSession().onlineUnimpersonate(); // unimpersonate

	return 'sys_idIN' + arr; // return the query to our ref qual, all the sys_id of the cat items the selected user can see
}


This is working fine if the currentUser has impersonate role; the ref qual is returning the correct catalog items to be selected in the variable.

This however does not work if the currentUser does not have impersonate role.

My question: Is there a way of getting a list of results for what a specified user (in this case onBehalfOf), can see in a table?


Allen Andreas
Administrator

Hello,

Unfortunately, if that user doesn't have the appropriate role (like admin or impersonate) then their session can't impersonate someone else, and even if you did and returned an array of catalog item sys_ids, there are still query business rules and then ACLs which could/would limit what ends up showing. The reference qual happens before both of those things.

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Hi there, thanks for your response.

The reason I was impersonating the user to return a list of catalog items is so the items returned would be a true reflection of what they can see in that table (sc_cat_item), which would take into account query BR.

I got around it in the end by just adding the role in the script then removing it:


getQuery: function(onBehalfOf, currentUser){
	var impersonateRole = this._tempImpersonateRole(currentUser); // adds the impersonate role and returns the sys_id of the m2m record
	var arr = [];
	var gr;
	var deleteRole;
	var sm;

	try {
		gs.getSession().impersonate(onBehalfOf); // impersonate the user from the on-behalf-of variable field
		gr = new GlideRecordSecure('sc_cat_item');
		gr.query();
		while(gr.next()){
			arr.push(gr.getUniqueValue()); // sys_ids of the cat items the impersonated user can see
		}
	} finally {
		// runs even if the query throws, so the session is never left impersonated
		// and the caller never keeps a role that was only granted for this lookup
		gs.getSession().onlineUnimpersonate(); // now the array is populated, unimpersonate

		deleteRole = new GlideRecord('sys_user_has_role'); // lookup the newly created m2m role record
		if (deleteRole.get(impersonateRole)) {
			deleteRole.deleteRecord(); // delete the record
		}

		sm = GlideSecurityManager.get(); // refreshes the user session so the newly removed role is taken into account
		sm.setUser(gs.getUser());
	}

	return 'sys_idIN' + arr;
},

_tempImpersonateRole: function(currentUser){
	var sm;
	var gr = new GlideRecord('sys_user_has_role');
	gr.initialize();
	gr.user = currentUser;
	gr.role = 'bca873d30a000704013944bd9a5e03a4'; // sys_id of the impersonator role in this instance
	gr.insert();

	sm = GlideSecurityManager.get(); // refresh session to take into account newly added role
	sm.setUser(gs.getUser());

	return gr.getUniqueValue(); // TO-DO: maybe return the whole gr instead so we don't have to look it up again?
}

Hi,

Understood. Yeah, as I mentioned, unfortunately, you can't get around it unless they have that role.

If my reply above helped confirm anything and/or guided you Correctly, please mark it as Correct.

Thanks and take care! 🙂
