Garrick
ServiceNow Employee

So I got a lot of discussion and positive feedback stemming from my last blog, entitled "Script Actions, the forgotten action", and have decided to share another use case as a quick follow-up. Some of our customers have faced audit requirements that require keeping track of administrator impersonations. In other words, they want to keep tabs on the start/stop times of their users with rights to impersonate--a very handy thing to have!

You might be thinking, "Aren't these already kept in the system logs?" And you'd be right. However, these logs can grow large and unwieldy, and are sometimes difficult to report against. We can solve the size of the logs by simply using Table Rotations to keep these in check. When using table rotation, you're limiting the amount of time that you hold on to the data and dropping off the oldest table in the rotation, thereby remaining nice and efficient (it's commonly determined that the vast majority of information in the logs is no longer important after a certain period of time). Generally, though, the period you'd want to set up your rotation for is in conflict with the amount of time the auditors are asking you to retain the data. Hmmmmm….

So let's now turn our attention back to script actions and how you can solve this use case. If you recall from the last post, script actions are a way to trigger a script based on an event in the system. Aside from notifications, these are one of the only other common mechanisms for readily accomplishing this. Conceptually, we're going to carve out the impersonation logs from the syslog into a new table that we can keep for a much longer period for auditing.

To begin, we want to create a new table and some fields to capture the impersonation logs. We're also going to create some ACLs that will lock all these down to read access only. Take a look at the screen shot below for an idea of how you might want to set this up. (If you're really lazy, check out the update set that's attached for all the work to be done for you including the ACLs and Script Actions.)

Once this is in place, we'll need to create a couple of basic script actions that write to this table when an impersonation starts and stops, keeping track of the impersonator and impersonatee.


The first Script Action is a basic one that's fired on "impersonation.start"



// Log admin impersonations into separate table allowing for truncation of syslog
// Add this as a new Script Action. Event name: impersonation.start

var impStart = new GlideRecord('u_impersonation_log');
impStart.initialize();
impStart.u_impersonator_user_id = event.parm1;
impStart.u_impersonator = getUserName(event.parm1);
impStart.u_impersonatee_user_id = event.parm2;
impStart.u_impersonatee = getUserName(event.parm2);
impStart.u_impersonation_start = event.sys_created_on;
impStart.insert();

function getUserName(id) {
    var ret = "Unknown";
    var usr = new GlideRecord('sys_user');
    usr.addQuery('user_name', id);
    usr.query();
    if (usr.next()) {
        ret = usr.name.toString();
    }
    return ret;
}



Very similarly, the second sends an update once that impersonation ends and should trigger on the "impersonation.end" event.




// Log admin impersonations into separate table allowing for truncation of syslog
// Add this as a new Script Action. Event name: impersonation.end

var impEnd = new GlideRecord('u_impersonation_log');
impEnd.addQuery('u_impersonator_user_id', event.parm1);
impEnd.addQuery('u_impersonatee_user_id', event.parm2);
impEnd.addNullQuery('u_impersonation_end');
impEnd.orderByDesc('u_impersonation_start');
impEnd.query();

if (impEnd.next()) {
    impEnd.u_impersonation_end = event.sys_created_on;
    impEnd.update();
}



And there you have it. A basic table, a few fields, some ACLs, and two simple script actions. What did we gain? A clear and easy way to report and log our impersonations and no need to keep the costly syslogs around for only an audit requirement.
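To see how the start/end pairing above behaves when events do not arrive in neat pairs, here is an added example (not part of the original post or its update set) that models the two script actions in plain JavaScript over constructed events. The function names, user IDs and timestamps are assumptions; only the field and event names come from the scripts above.

```javascript
// Plain-JavaScript model of the two Script Actions above (runs in Node, not on an instance).
// Field and event names mirror the post; the events below are constructed sample data.
function buildImpersonationLog(events) {
  const log = [];       // stands in for u_impersonation_log
  const orphans = [];   // impersonation.end events with no open row to close

  for (const ev of events) {
    if (ev.name === 'impersonation.start') {
      log.push({
        u_impersonator_user_id: ev.parm1,
        u_impersonatee_user_id: ev.parm2,
        u_impersonation_start: ev.sys_created_on,
        u_impersonation_end: null,
      });
    } else if (ev.name === 'impersonation.end') {
      // Same match as the end script: same pair, end still empty, newest start first.
      const open = log
        .filter(r => r.u_impersonator_user_id === ev.parm1 &&
                     r.u_impersonatee_user_id === ev.parm2 &&
                     r.u_impersonation_end === null)
        .sort((a, b) => b.u_impersonation_start.localeCompare(a.u_impersonation_start))[0];
      if (open) open.u_impersonation_end = ev.sys_created_on;
      else orphans.push(ev);
    }
  }
  return { log, orphans };
}

// Rows an auditor should review: sessions that never recorded an end.
function openSessions(log) {
  return log.filter(r => r.u_impersonation_end === null);
}

// Constructed events ("YYYY-MM-DD HH:MM:SS" strings sort chronologically).
const sampleEvents = [
  { name: 'impersonation.start', parm1: 'admin.a', parm2: 'user.x', sys_created_on: '2024-01-10 09:00:00' },
  { name: 'impersonation.end',   parm1: 'admin.a', parm2: 'user.x', sys_created_on: '2024-01-10 09:05:00' },
  // Constructed case: a start that never gets a matching end event.
  { name: 'impersonation.start', parm1: 'admin.a', parm2: 'user.x', sys_created_on: '2024-01-10 10:00:00' },
  { name: 'impersonation.start', parm1: 'admin.a', parm2: 'user.x', sys_created_on: '2024-01-11 08:00:00' },
  { name: 'impersonation.end',   parm1: 'admin.a', parm2: 'user.x', sys_created_on: '2024-01-11 08:20:00' },
  // Constructed case: an end event with no start row in the table.
  { name: 'impersonation.end',   parm1: 'admin.b', parm2: 'user.y', sys_created_on: '2024-01-11 09:00:00' },
];

const result = buildImpersonationLog(sampleEvents);
console.log(result.log, openSessions(result.log), result.orphans);
```

The descending sort on the start time is what keeps the stale 10:00 row from absorbing the next day's end time; rows left with an empty end and end events that match nothing are the two cases worth a report of their own.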


While this is a narrow use, hopefully it allows you to see how to take advantage of script actions to solve some real-life business problems. There's a ton of script actions out there, so get creative and give them a shot!

Again, if you want to play with this one, check out the update set below that contains the table, fields, ACLs, and the script actions referenced above.

Have a great week,

Garrick
