Stop admin impersonating

Brian S5
Kilo Sage

Good Morning All,

It was requested by my HR department to remove the ability to impersonate HR users. We are using a basic implementation of the un-scoped HR app. I have read through some posts here that I have attempted (Before query BR on the HR table) but need a quick solution to satisfy their requirement. If anyone has any ideas on the best way to implement, I'd love to hear them. Thank you.

 

1 ACCEPTED SOLUTION

Hey, sorry about that, I used the wrong method - I've updated my script above. 

To answer your question, you would use the names. 

New script: 

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
	initialize: function() {
	},
	BLOCKED_ROLES: [
		'hr_admin' //the EXACT names of the roles to block
	],
	canImpersonate: function(currentUser, impersonatedUser) {
		var i,
			currentUserRoles = currentUser.getRoles(),
			impersonatedUserRoles = impersonatedUser.getRoles();
		//Iterate over array of roles that cannot be impersonated.
		for (i = 0; i < this.BLOCKED_ROLES.length; i++) {
			if (currentUserRoles.indexOf(this.BLOCKED_ROLES[i]) < 0 && impersonatedUserRoles.indexOf(this.BLOCKED_ROLES[i]) >= 0) {
				gs.warn('Unable to impersonate user ' + impersonatedUser.getID() +
					', as the role ' + this.BLOCKED_ROLES[i] + ' was not possessed by the impersonator: ' +
					currentUser.getID());
				return false;
			}
		}
		//Otherwise, return true
		return true;
	},
	type: 'ImpersonateEvaluator'
};


9 REPLIES

Tim Woodruff
Mega Guru

Sure! 

You can accomplish this using the "ImpersonateEvaluator" Script Include's "canImpersonate" method. 

I should warn that it is virtually impossible to truly and fully prevent a dedicated administrator from doing virtually anything, so a certain level of trust is required from the business. However, putting protection mechanisms like this in place is usually sufficient. 

Here's the Script Include in its default state: 

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
	initialize: function() {},
	type: 'ImpersonateEvaluator',
	canImpersonate: function(currentUser, impersonatedUser) {
		return true;
	}
};

If we make the following updates, we can block impersonation of any role in the BLOCKED_ROLES constant property (which I've defined below) unless the impersonating user already has that role:

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
	initialize: function() {
	},
	BLOCKED_ROLES: [
		'hr_admin' //the EXACT names of the roles to block
	],
	canImpersonate: function(currentUser, impersonatedUser) {
		var i,
			currentUserRoles = currentUser.getRoles(),
			impersonatedUserRoles = impersonatedUser.getRoles();
		//Iterate over array of roles that cannot be impersonated.
		for (i = 0; i < this.BLOCKED_ROLES.length; i++) {
			if (currentUserRoles.indexOf(this.BLOCKED_ROLES[i]) < 0 && impersonatedUserRoles.indexOf(this.BLOCKED_ROLES[i]) >= 0) {
				gs.warn('Unable to impersonate user ' + impersonatedUser.getID() +
					', as the role ' + this.BLOCKED_ROLES[i] + ' was not possessed by the impersonator: ' +
					currentUser.getID());
				return false;
			}
		}
		//Otherwise, return true
		return true;
	},
	type: 'ImpersonateEvaluator'
};

If this is helpful, please feel free to mark it as such. If not, please let me know if you have any questions or if I've misunderstood the requirement. 

 

 

Looks like a sufficient method, thank you for your quick response. 

 

Quick question:

For the blocked roles portion: Do I add the name of the role or the sys_id? I've tried both, however I can still impersonate an HR member with the HR_Admin role.

 

I've tried this way.

find_real_file.png

and this way

find_real_file.png

Hello Tim,

 

I am using your code in the Kingston release but am still able to impersonate other admin users. In our instance some admins are impersonating other admins and modifying update sets. We need to block this. Could you please help us with this?

 

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
	initialize: function() {
	},
	BLOCKED_ROLES: [
		'admin' //the EXACT names of the roles to block
	],
	canImpersonate: function(currentUser, impersonatedUser) {
		var i,
			currentUserRoles = currentUser.getRoles(),
			impersonatedUserRoles = impersonatedUser.getRoles();
		//Iterate over array of roles that cannot be impersonated.
		for (i = 0; i < this.BLOCKED_ROLES.length; i++) {
			if (currentUserRoles.indexOf(this.BLOCKED_ROLES[i]) < 0 && impersonatedUserRoles.indexOf(this.BLOCKED_ROLES[i]) >= 0) {
				gs.warn('Unable to impersonate user ' + impersonatedUser.getID() +
					', as the role ' + this.BLOCKED_ROLES[i] + ' was not possessed by the impersonator: ' +
					currentUser.getID());
				return false;
			}
		}
		//Otherwise, return true
		return true;
	},
	type: 'ImpersonateEvaluator'
};
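
The role comparison from this thread, as an added example that is not part of any post and is not ServiceNow's own code. It runs the same condition against constructed mock users (plain arrays stand in for whatever getRoles() returns, which is an assumption) to show which impersonation attempts the check blocks and which it lets through, including the admin-to-admin case and a role name with the wrong case. `mockUser`, `threadCheck`, `strictCheck` and `decisionTable` are hypothetical names; `strictCheck` is a variant that ignores the impersonator's own roles.

```javascript
// Added example: the thread's condition run outside ServiceNow against mock users.
// Assumption: getRoles() yields something with indexOf(); plain arrays stand in here.
function mockUser(id, roles) {
	return {
		getID: function() { return id; },
		getRoles: function() { return roles.slice(); }
	};
}

// Condition from the thread: block only when the target holds a blocked role
// that the impersonator does not hold.
function threadCheck(blockedRoles, currentUser, impersonatedUser) {
	var have = currentUser.getRoles(),
		target = impersonatedUser.getRoles();
	for (var i = 0; i < blockedRoles.length; i++) {
		if (have.indexOf(blockedRoles[i]) < 0 && target.indexOf(blockedRoles[i]) >= 0) {
			return false;
		}
	}
	return true;
}

// Hypothetical stricter variant: block whenever the target holds a blocked role,
// regardless of what the impersonator holds.
function strictCheck(blockedRoles, currentUser, impersonatedUser) {
	var target = impersonatedUser.getRoles();
	return !blockedRoles.some(function(role) {
		return target.indexOf(role) >= 0;
	});
}

// Constructed sample users.
var sysAdmin = mockUser('admin.a', ['admin']);
var otherAdmin = mockUser('admin.b', ['admin']);
var hrAdmin = mockUser('hr.lead', ['hr_admin']);

function decisionTable() {
	return {
		// Impersonator lacks hr_admin, target has it: blocked.
		adminToHr: threadCheck(['hr_admin'], sysAdmin, hrAdmin),
		// Impersonator already holds admin, so the thread's check lets it through.
		adminToAdmin: threadCheck(['admin'], sysAdmin, otherAdmin),
		// The comparison is exact: 'HR_Admin' never matches 'hr_admin'.
		wrongCase: threadCheck(['HR_Admin'], sysAdmin, hrAdmin),
		// Strict variant blocks admin-to-admin as well.
		strictAdminToAdmin: strictCheck(['admin'], sysAdmin, otherAdmin)
	};
}

console.log(decisionTable());
```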