Stop admin impersonation

Kirtiman
Tera Contributor

How can I restrict admins from impersonating other admins? Tried multiple codes but it's not working flawlessly.

Tried modifying "ImpersonateEvaluator" out of box script include but it didn't work. I have used the accepted solutions from community as well. But this seems to not be working in my PDI as well.

Below is the code.

Any help will be appreciated.

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
    initialize: function() {
    },
    BLOCKED_ROLES: [
        'admin' //the EXACT names of the roles to block
    ],
    canImpersonate: function(currentUser, impersonatedUser) {
        var i,
            currentUserRoles = currentUser.getRoles(),
            impersonatedUserRoles = impersonatedUser.getRoles();
        //Iterate over array of roles that cannot be impersonated.
        for (i = 0; i < this.BLOCKED_ROLES.length; i++) {
            if (currentUserRoles.indexOf(this.BLOCKED_ROLES[i]) < 0 && impersonatedUserRoles.indexOf(this.BLOCKED_ROLES[i]) >= 0) {
                gs.warn('Unable to impersonate user ' + impersonatedUser.getID() +
                    ', as the role ' + this.BLOCKED_ROLES[i] + ' was not possessed by the impersonator: ' +
                    currentUser.getID());
                return false;
            }
        }
        //Otherwise, return true
        return true;
    },
    type: 'ImpersonateEvaluator'
};

8 REPLIES

Anurag Tripathi
Mega Patron

The OOB version itself doesn't let you impersonate admins (if you are not admin yourself).

Long back I made some changes in that logic and it was done in this UI macro - impersonate_dialog

[screenshot]

The above screenshot is the OOB version.

-Anurag

Anurag,

Thanks for your reply. I know that a lower grade role cannot impersonate admin. However, my exact question was I don't want admins to impersonate other admins, not lower grade users.

How can I achieve the same?

It is the same UI macro you need to change. I guess removing lines 33, 34, 35 and 37 might work, but you will have to play around.

-Anurag

Alok Das
Tera Guru

Hi Kirtiman,

You need to modify the OOB script include "ImpersonateEvaluator". Please use the below script.

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
    initialize: function() {},
    type: 'ImpersonateEvaluator',
    canImpersonate: function(currentUser, impersonatedUser) {
        if (impersonatedUser.hasRole('admin'))
            return false;
        else
            return true;
    }
};

Above script will not allow anyone to impersonate admin users.

If you want to have this restriction only while the current user is an admin impersonating another admin, then you need to add an extra condition in the if condition, and your script is below:

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
    initialize: function() {},
    type: 'ImpersonateEvaluator',
    canImpersonate: function(currentUser, impersonatedUser) {
        if (currentUser.hasRole('admin') && impersonatedUser.hasRole('admin'))
            return false;
        else
            return true;
    }
};

You could refer to the below thread:

https://community.servicenow.com/community?id=community_question&sys_id=af46cfa1db1cdbc01dcaf3231f96...

Kindly mark my answer as Correct and Helpful based on the Impact.

Regards,

Alok
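
The three rules posted in this thread, compared side by side over every impersonator/target pair. This is an added example, not code from any poster or from ServiceNow; `mockUser`, the policy names and the sample users are hypothetical stand-ins that model only `hasRole()` so the comparison runs offline in plain JavaScript.

```javascript
// Constructed stand-in for the user objects passed to canImpersonate();
// only getID() and hasRole() are modelled. Not a ServiceNow API.
function mockUser(id, roles) {
    return {
        getID: function() { return id; },
        hasRole: function(role) { return roles.indexOf(role) >= 0; }
    };
}

// The three rules that appear in this thread, as plain functions
// (names are hypothetical; true means "impersonation allowed").
var policies = {
    // Script in the question: deny only when a non-admin targets an admin.
    questionScript: function(cur, target) {
        return !(!cur.hasRole('admin') && target.hasRole('admin'));
    },
    // First script in the reply: nobody may impersonate an admin.
    denyAllAdminTargets: function(cur, target) {
        return !target.hasRole('admin');
    },
    // Second script in the reply: deny only admin -> admin.
    denyAdminToAdmin: function(cur, target) {
        return !(cur.hasRole('admin') && target.hasRole('admin'));
    }
};

// Evaluate one policy over every impersonator/target combination.
function decisionMatrix(policy) {
    // Constructed sample users: one admin and one non-admin on each side.
    var impersonators = {
        admin: mockUser('admin.one', ['admin']),
        itil: mockUser('itil.one', ['itil'])
    };
    var targets = {
        admin: mockUser('admin.two', ['admin']),
        itil: mockUser('itil.two', ['itil'])
    };
    var out = {};
    Object.keys(impersonators).forEach(function(c) {
        Object.keys(targets).forEach(function(t) {
            out[c + '->' + t] = policy(impersonators[c], targets[t]);
        });
    });
    return out;
}

Object.keys(policies).forEach(function(name) {
    console.log(name, JSON.stringify(decisionMatrix(policies[name])));
});
```

The matrix makes two things visible: the rule in the question returns true for admin->admin, and the admin-to-admin rule taken alone returns true for a non-admin targeting an admin. Whether anything else on the instance blocks that second case is outside this sketch, so check the non-admin -> admin row on a test instance before relying on either rule.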