how to get a audit trail for all actions when impersonate user

Wim2
Kilo Expert

‎10-08-2020 04:29 AM

Hi,

I am looking for a way to get an Audit trail/report of all actions in two cases

  1. Actions done by a user when impersonating another user
  2. when users, role, groups or ACL's are created, changed or deleted.

case 1)

  • Start impersonating
  • Who is impersonatin who
  • All performed actions, inclusif the performed changes (old/new value)
  • end impersonating

case 2)

  • user performing the action
  • On users, groups and ACL's what action is performed
  • Old / new value

Is there a OOTB solution?

Is there a plugin I need to activate?

 

Thanks,

Wim 

0 Helpfuls
  • 1,837 Views
9 REPLIES 9

Wim2
Kilo Expert
In response to Ashutosh Munot1

‎10-12-2020 01:32 AM

Hi Ashutosh

Yes, I did find entries in the syslog and the eventlog of the impersonated user, but if I open the record it does say:

"incident.do?sys_id=509a06ab2fa8d4109e1e2d6df699b633&sysparm_stack=incident_list.do?sysparm_query=active=true"

In this case, there is a posibillity that Abel was also logged in and has performed some actions during the time he was inpersonated.

 

I am looking to prove that an action is performed by someone who has impersonated a user. The message would look like:

"Time: october 10 2020 - 08:30:00 - incident updated. Old prio: 3. New prio: 2. Performed by Abel Tuter, impersonated by Administrator.

 

This will give me the posebillety to track all activities performed by a user who is impersonating another user.

 

Greets

Wim

 

 

0 Helpfuls

SusanWinKY
Kilo Sage
In response to Wim2

‎01-18-2024 03:08 PM - edited ‎01-18-2024 03:08 PM

@Wim2  - Although this is 3+ years old, I'm hoping you're still monitoring this thread. Were you able to build the report you need? We need something similar and not finding much to go on. Thanks.


Susan Williams, Lexmark
0 Helpfuls

Kopal Garg
Tera Expert

‎10-08-2020 05:19 AM

Hello Mamta,

 

You can find all such logs in - System Logs. 

Also if there is any specific custom requirement, you might find the below URL useful.

https://community.servicenow.com/community?id=community_blog&sys_id=adcc2265dbd0dbc01dcaf3231f961

Regards,

Kopal

 

0 Helpfuls

Wim2
Kilo Expert
In response to Kopal Garg

‎10-08-2020 05:28 AM

The url results in an error message

The content you requested cannot be displayed right now. It may be temporarily unavailable, the link you clicked on may have expired, or you may not have permission to view this page.

0 Helpfuls

Ashutosh Munot1
Kilo Patron
Kilo Patron
In response to Wim2

‎10-08-2020 06:04 AM

Hi Wim,

Do you want it via API or something else. You can check system logs and event logs manually for this as well.


Thanks,
Ashutosh

0 Helpfuls