how to get a audit trail for all actions when impersonate user

Wim2
Kilo Expert

Hi,

I am looking for a way to get an Audit trail/report of all actions in two cases

  1. Actions done by a user when impersonating another user
  2. when users, role, groups or ACL's are created, changed or deleted.

case 1)

  • Start impersonating
  • Who is impersonatin who
  • All performed actions, inclusif the performed changes (old/new value)
  • end impersonating

case 2)

  • user performing the action
  • On users, groups and ACL's what action is performed
  • Old / new value

Is there a OOTB solution?

Is there a plugin I need to activate?

 

Thanks,

Wim 

9 REPLIES 9

Hi Ashutosh

Yes, I did find entries in the syslog and the eventlog of the impersonated user, but if I open the record it does say:

"incident.do?sys_id=509a06ab2fa8d4109e1e2d6df699b633&sysparm_stack=incident_list.do?sysparm_query=active=true"

In this case, there is a posibillity that Abel was also logged in and has performed some actions during the time he was inpersonated.

 

I am looking to prove that an action is performed by someone who has impersonated a user. The message would look like:

"Time: october 10 2020 - 08:30:00 - incident updated. Old prio: 3. New prio: 2. Performed by Abel Tuter, impersonated by Administrator.

 

This will give me the posebillety to track all activities performed by a user who is impersonating another user.

 

Greets

Wim

 

 

@Wim2  - Although this is 3+ years old, I'm hoping you're still monitoring this thread. Were you able to build the report you need? We need something similar and not finding much to go on. Thanks.


Susan Williams, Lexmark

Kopal Garg
Tera Expert

Hello Mamta,

 

You can find all such logs in - System Logs. 

Also if there is any specific custom requirement, you might find the below URL useful.

https://community.servicenow.com/community?id=community_blog&sys_id=adcc2265dbd0dbc01dcaf3231f961

Regards,

Kopal

 

The url results in an error message

The content you requested cannot be displayed right now. It may be temporarily unavailable, the link you clicked on may have expired, or you may not have permission to view this page.

Hi Wim,

Do you want it via API or something else. You can check system logs and event logs manually for this as well.


Thanks,
Ashutosh