‎10-04-2017 12:49 PM
It's my understanding that this used to work: gs.getSession().impersonate("usernameORsysid")
I have an error message in a widget; it is not working anymore.
I googled it, I took a look at the documentation ... nothing.
How do I impersonate a user in script in Istanbul?
Thank you,
Nick.
‎10-05-2017 07:47 AM
Hello Nicolae,
Actually, this is a use case where I wouldn't recommend the impersonate(), especially not to impersonate an admin, because that might be exploitable.
Instead, there's a read ACL on the 'incident' table you can use as a model, which uses this script:
current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || current.watch_list.indexOf(gs.getUserID()) > -1;
This is what allows users to see their own incidents but not any other incidents (unless, of course, they have the 'itil' role, which is handled in a different ACL).
Just adjust it to whatever field you're using on this table to identify their own HR time off request.
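The row-level check described in the answer above, as an added example that is not part of the original post or ServiceNow's own code: plain JavaScript run against constructed records so the grant and deny cases can be checked outside the platform. The field name `requested_for`, the record numbers and the sys_id values are assumptions, and list entries are matched exactly rather than with the substring `indexOf` of the quoted script.

```javascript
// Added example: "own records only" read check, modelled on the ACL condition quoted above.
// All records and ids below are constructed; requested_for is a hypothetical field name.

// True when a comma-separated list field (watch_list style) contains exactly userId.
function listContains(listValue, userId) {
  if (!listValue) return false; // empty or missing list grants nothing
  return String(listValue).split(',')
    .map(function (s) { return s.trim(); })
    .indexOf(userId) > -1;
}

// Grants read when the user is named in an owner field or in a list field.
function canReadOwnRecord(current, userId, ownerFields, listFields) {
  if (!userId) return false; // no session user: deny by default
  var owns = ownerFields.some(function (f) {
    return String(current[f] || '') === userId;
  });
  var listed = listFields.some(function (f) {
    return listContains(current[f], userId);
  });
  return owns || listed;
}

// Numbers of the records a given user would be allowed to read.
function visibleRecords(records, userId) {
  return records.filter(function (r) {
    return canReadOwnRecord(r, userId, ['opened_by', 'requested_for'], ['watch_list']);
  }).map(function (r) { return r.number; });
}

// Constructed 32-character ids standing in for user sys_ids.
var ALICE = '0a'.repeat(16), BOB = '0b'.repeat(16), CAROL = '0c'.repeat(16);

// Constructed time-off requests.
var SAMPLE = [
  { number: 'HR0001', opened_by: ALICE, requested_for: ALICE, watch_list: '' },
  { number: 'HR0002', opened_by: CAROL, requested_for: BOB, watch_list: ALICE + ',' + CAROL },
  { number: 'HR0003', opened_by: BOB, requested_for: BOB, watch_list: '' },
  { number: 'HR0004', opened_by: BOB, requested_for: BOB } // watch_list missing
];

console.log('alice:', visibleRecords(SAMPLE, ALICE));
console.log('carol:', visibleRecords(SAMPLE, CAROL));
console.log('no user:', visibleRecords(SAMPLE, ''));
```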
‎10-04-2017 01:17 PM
Hello Nick,
Are you working inside a scoped app?
We ran into an issue where .impersonate() works outside of scoped apps, but isn't allowed in scoped apps.
‎10-05-2017 06:07 AM
Hi Guy,
Yes, it's a Service Portal (I would like all my applications to be Service Portal widgets) scoped apps.
Looks like you cannot impersonate in widgets.
Thank you,
Nick.
‎10-04-2017 01:25 PM
Is impersonation in code a good idea?
I have this nagging feeling it's violating security best practises and could create a confused deputy situation.
‎10-04-2017 01:28 PM
It depends on the use case.
What we were using it for is when we query in GlideRecord via web service query, we want to enforce the queries on behalf of the logged in user, not on behalf of the service account that the web service is using. In our case, .impersonate() allows us to implement better security because it ensures that the user doesn't access via web services something that they couldn't access through the UI.
It's definitely something to be cautious and aware of.