Hi Team, how to get details someone impersonates another person and changes some details for instance

MonishDD
Tera Contributor

Hi Team, how to get details someone impersonates another person and changes some details for instance?

3 REPLIES

Jan Prochazka
Tera Guru

Hi @MonishDD,

The quick answer:

1) Set the sys property: glide.sys.log_impersonation to true

2) Monitor who is impersonating and when in the system log

3) Combine system log info with an audit log of a record you are interested in (you know who has been impersonated at the specific time as a user making an update of data)

Some details:

Monitoring activities of impersonated users is not only possible, but also a recommended practice. It is also mentioned in the ServiceNow security best practice guide here: https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/success/playbook/inst... 

 

There are two different types of the impersonation logging, for interactive sessions and for non-interactive sessions.

Interactive sessions are those performed through the user interface (UI) while non-interactive sessions are performed by applications and scripts.

 

To enable all interactive sessions to be recorded in the impersonate logs, you need to set the system property glide.sys.log_impersonation to true (beware, if this system property doesn't exist in your instance, you need to create it).

To enable all non-interactive sessions to be logged in the impersonate logs, you need to set the system property glide.sys.log_impersonation.non_interactive to true (the same as previous, if it doesn't exist, create it).

You can find all starts and ends of impersonations in the system log (Source is Impersonate).

 


 

I hope this helps; if so, please mark it as helpful.

 

Regards,

Jan

Community Alums
Not applicable

I have created a Flow that will run when the impersonation.starts event is detected and wait until the impersonation.ends event comes in.  I then have a system property record that holds a list of relevant tables that are queried on the sys_audit table during the impersonation window to see if any records have changed.  For each table, a scan_task will be generated denoting who initiated the impersonation, who they impersonated, the sysIDs of the records updated, the new and old values along with the field.  I also added a source URL field and utilized Flow to build a link that takes you to the record(s) that were updated.  

I have another set of Flows that is looking after the CMDB.  A weekly one that runs an action to get the extended tables from cmdb_ci, then looks up those tables to see if they contain data.  Those tables that contain data go onto another system property.  That property is used to monitor the updates during security impersonations CMDB flow.  

@Community Alums this sounds like a great solution! Would you be willing to possibly share the flows via an update set or a high level what each is doing so I can attempt to duplicate?
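
The correlation described in the replies above (impersonation start/end matched against sys_audit rows for a list of watched tables), as an added example that is not part of the original thread and is not ServiceNow's or any poster's code. It runs on exported rows in plain JavaScript; the event record shape and all sample values are assumptions constructed for illustration, the event names are the ones quoted in the reply, and the audit keys follow the sys_audit columns.

```javascript
// Added example: rows are assumed to be exported from syslog events and sys_audit.
// Event shape {name, impersonator, impersonated, at} is an assumption; times are UTC.
const toMs = (s) => Date.parse(s.replace(' ', 'T') + 'Z');

// Pair each start event with the next end event for the same pair of users.
function buildWindows(events) {
  const open = new Map();
  const windows = [];
  for (const e of [...events].sort((a, b) => toMs(a.at) - toMs(b.at))) {
    const key = `${e.impersonator}>${e.impersonated}`;
    if (e.name === 'impersonation.starts') {
      open.set(key, e);
    } else if (e.name === 'impersonation.ends' && open.has(key)) {
      const s = open.get(key);
      windows.push({ ...s, from: toMs(s.at), to: toMs(e.at) });
      open.delete(key);
    }
  }
  // A start with no matching end (session still open, end event lost) stays open-ended.
  for (const s of open.values()) windows.push({ ...s, from: toMs(s.at), to: Infinity });
  return windows;
}

// Audit rows written under the impersonated user's name inside a window, watched tables only.
function changesDuringImpersonation(events, auditRows, watchedTables) {
  const windows = buildWindows(events);
  const hits = [];
  for (const row of auditRows) {
    if (!watchedTables.includes(row.tablename)) continue;
    const t = toMs(row.sys_created_on);
    const w = windows.find((x) => x.impersonated === row.user && t >= x.from && t <= x.to);
    if (w) hits.push({ impersonator: w.impersonator, ...row });
  }
  return hits;
}

// Constructed sample data (not taken from a real instance).
const sampleEvents = [
  { name: 'impersonation.starts', impersonator: 'admin.a', impersonated: 'user.b', at: '2023-05-01 10:00:00' },
  { name: 'impersonation.ends', impersonator: 'admin.a', impersonated: 'user.b', at: '2023-05-01 10:15:00' },
];
const sampleAudit = [
  { tablename: 'incident', documentkey: 'SYSID_1', fieldname: 'state', oldvalue: '1', newvalue: '6', user: 'user.b', sys_created_on: '2023-05-01 10:05:00' },
  { tablename: 'incident', documentkey: 'SYSID_2', fieldname: 'priority', oldvalue: '3', newvalue: '1', user: 'user.b', sys_created_on: '2023-05-01 10:30:00' },
  { tablename: 'sys_user', documentkey: 'SYSID_3', fieldname: 'email', oldvalue: 'a', newvalue: 'b', user: 'user.b', sys_created_on: '2023-05-01 10:06:00' },
];
console.log(changesDuringImpersonation(sampleEvents, sampleAudit, ['incident']));
```

The impersonated user may also be working in their own session during the same window, so each hit is a candidate to review against the record's history rather than proof of who made the change.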