BLOG - Configuring User Impersonation and End-Impersonation Notifications
Maintaining visibility into user impersonation and end-impersonation activities is critical for strong security governance in ServiceNow. Sharing these details with higher authorities ensures proper oversight, enables effective auditing, and provides clear traceability of who performed actions and when.
ServiceNow offers an out-of-the-box Security Event notification through the “Send notification on impersonation” policy, allowing administrators to define trigger conditions, recipients, and notification behavior whenever impersonation is initiated.
Behind the scenes, this functionality is supported by Security Policy and Event–related tables that record and manage impersonation activities in a structured and auditable manner, making it easier to monitor, troubleshoot, and extend the existing setup.
The key tables involved are:
- Security Policy Notifications (sn_vsc_security_policy_notification): stores the notification definitions associated with security events, including impersonation.
- Security Policy Conditions (sn_vsc_security_policy_condition): defines the trigger conditions under which a security policy notification should be executed.
- Security Policies (sn_vsc_security_policy): contains all configured security policies that govern different security-related events.
- Security Policy Execution Histories (sn_vsc_security_policy_execution_history): maintains a record of when and how each security policy was executed, providing valuable audit data.
- Security Policy Actions (sn_vsc_security_policy_action): specifies the actions to be performed when a policy condition is met, such as sending a notification.
You can configure the out-of-the-box impersonation notification by following these steps:
1. Navigate to All > System Security > System Monitoring Console > Security Event Notifications.
2. Click on "Send notification on impersonation".
3. Go to the Policy Settings tab.
4. In the Conditions section, configure when the notification should be triggered:
   - Any User – triggers the notification for impersonation of all users, or Specific User(s) – triggers only when selected users are impersonated.
   - Any Role – triggers the notification regardless of the impersonated user’s role, or Specific Role(s) – triggers only when the impersonated user has specific roles.
5. Configure the Notification section by specifying:
   - The notification to be sent
   - The intended recipients (specific users or groups)
OOTB Notification
While this out-of-the-box setup effectively notifies user(s) and group(s) when impersonation starts, it does not provide a corresponding notification when impersonation ends.
Creating Custom Notifications Using Impersonation Events
Once the out-of-the-box impersonation notification is configured, the next step is to address the missing visibility around the end of impersonation. ServiceNow already provides default system events that can be leveraged for this purpose, which eliminates the need to create custom triggers or business rules.
ServiceNow fires the following events automatically as part of the impersonation lifecycle:
- impersonation.start – triggered when a user begins impersonating another user
- impersonation.end – triggered when the impersonation session is ended
These events are available by default and carry context about both the impersonating user and the impersonated user. The fired instances can be inspected in the Event table (sysevent).
Using the above events, custom notifications can be configured to trigger whenever impersonation starts or ends. This ensures complete visibility into the impersonation lifecycle, covering both entry and exit points.
Each event passes two user_name values as its parameters, identifying:
- The user performing the impersonation
- The user being impersonated
However, these parameters are passed as user identifiers (such as user_name or email) rather than readable display names. To present meaningful information in the notification email, an Email Script is required.
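The two events also make the whole lifecycle auditable after the fact, not just at notification time. The following is an added example (not code from the original post) that pairs impersonation.start and impersonation.end rows, as they would be read from sysevent, into sessions with a duration, and separately reports sessions that were never ended and end events with no matching start. It assumes, as the post's email script does, that parm1 is the impersonating user_name and parm2 the impersonated user_name; the event rows below are constructed sample data.

```javascript
// Added example: reconstruct impersonation sessions from sysevent-style rows.
// Assumption (matches the post's email script): parm1 = impersonator, parm2 = impersonated.
// Constructed sample rows; sys_created_on uses the 'YYYY-MM-DD HH:MM:SS' UTC format.
const sampleEvents = [
  { name: 'impersonation.start', parm1: 'admin',       parm2: 'abel.tuter',  sys_created_on: '2024-05-01 09:00:00' },
  { name: 'impersonation.end',   parm1: 'admin',       parm2: 'abel.tuter',  sys_created_on: '2024-05-01 09:12:30' },
  { name: 'impersonation.start', parm1: 'admin',       parm2: 'beth.anglin', sys_created_on: '2024-05-01 10:00:00' },
  { name: 'impersonation.start', parm1: 'fred.luddy',  parm2: 'abel.tuter',  sys_created_on: '2024-05-01 11:00:00' },
  { name: 'impersonation.end',   parm1: 'fred.luddy',  parm2: 'abel.tuter',  sys_created_on: '2024-05-01 11:05:00' },
  { name: 'impersonation.end',   parm1: 'beth.anglin', parm2: 'admin',       sys_created_on: '2024-05-01 11:30:00' },
];

function toMillis(ts) {
  // 'YYYY-MM-DD HH:MM:SS' -> epoch milliseconds, interpreting the value as UTC
  return Date.parse(ts.replace(' ', 'T') + 'Z');
}

function buildImpersonationSessions(events) {
  const open = new Map();   // "impersonator|impersonated" -> the open start row
  const sessions = [];      // completed start/end pairs, chronological
  const orphanEnds = [];    // end events that arrived with no open start
  const ordered = [...events].sort((a, b) => toMillis(a.sys_created_on) - toMillis(b.sys_created_on));
  for (const ev of ordered) {
    const key = ev.parm1 + '|' + ev.parm2;
    if (ev.name === 'impersonation.start') {
      // A repeated start for the same pair keeps the earliest open start.
      if (!open.has(key)) open.set(key, ev);
    } else if (ev.name === 'impersonation.end') {
      const start = open.get(key);
      if (!start) { orphanEnds.push(ev); continue; }
      open.delete(key);
      sessions.push({
        impersonator: ev.parm1, impersonated: ev.parm2,
        start: start.sys_created_on, end: ev.sys_created_on,
        durationSeconds: (toMillis(ev.sys_created_on) - toMillis(start.sys_created_on)) / 1000,
      });
    }
  }
  // Anything still open was started but never ended within the window examined.
  const stillOpen = [...open.values()].map(s => ({ impersonator: s.parm1, impersonated: s.parm2, start: s.sys_created_on }));
  return { sessions, stillOpen, orphanEnds };
}

const report = buildImpersonationSessions(sampleEvents);
console.log(JSON.stringify(report, null, 2));
```

In a real review the rows would come from a sysevent query filtered on the two event names; the pairing logic is the same.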
The email script retrieves the event parameters and resolves them to user-friendly names using the sys_user table. This allows the notification to clearly display who initiated the impersonation and which user account was impersonated.
At a high level, the script performs the following steps:
- Validates that the event and required parameters are available.
- Extracts the impersonator and impersonated user identifiers from the event.
- Queries the sys_user table to fetch the corresponding display names.
- Determines whether the event represents impersonation start or end.
- Dynamically builds the email content with clear and readable details.
Below is the email script used to populate the notification content:
```javascript
// Email Script body: runs with the sysevent record available as `event`
// and the mail body writer as `template`.
if (!event || !event.parm1 || !event.parm2) {
    template.print("Impersonation details are unavailable.");
    return;
}

var impersonatorKey = event.parm1; // user_name of the user performing the impersonation
var impersonatedKey = event.parm2; // user_name of the user being impersonated
var impersonatorName = '';
var impersonatedName = '';

// Resolve the impersonator's display name from sys_user
var impGR = new GlideRecord('sys_user');
impGR.addQuery('user_name', impersonatorKey);
impGR.query();
if (impGR.next()) {
    impersonatorName = impGR.getValue('name');
}

// Resolve the impersonated user's display name from sys_user
var targetGR = new GlideRecord('sys_user');
targetGR.addQuery('user_name', impersonatedKey);
targetGR.query();
if (targetGR.next()) {
    impersonatedName = targetGR.getValue('name');
}

// Fall back to the raw identifier if no matching sys_user record was found
impersonatorName = impersonatorName || impersonatorKey;
impersonatedName = impersonatedName || impersonatedKey;

// The same script serves both events; the event name decides the label
var isStart = event.name == 'impersonation.start';
var actionLabel = isStart ? 'Logged in at' : 'Logged out at';

// Impersonating user details
template.print("<p><b>User performing the impersonation:</b><br/>");
template.print("<b>Name - </b>" + impersonatorName + "<br/>");
template.print("<b>User ID - </b>" + impersonatorKey + "</p>");

// Impersonated user details
template.print("<p><b>Impersonated user:</b><br/>");
template.print("<b>Name - </b>" + impersonatedName + "<br/>");
template.print("<b>User ID - </b>" + impersonatedKey + "</p>");

// Timestamp of the notification
template.print("<p><b>" + actionLabel + ":</b> " + gs.nowDateTime() + "</p>");
```
With this approach:
- Notifications are triggered for both impersonation start and end.
User Impersonation Notification
User End Impersonation Notification
- Emails display clear, human-readable user details.
User Impersonation
User End Impersonation
- Security and compliance teams gain full visibility into impersonation activity.
- The complete impersonation lifecycle becomes auditable and traceable.
This custom notification effectively complements the out-of-the-box setup and closes the visibility gap around impersonation end events.
