Read Only ACL whilst impersonating
‎03-03-2025 05:27 AM
I have a requirement to set up a new role "impersonate_read_only". This role would grant the user the ability to impersonate, but they would have read-only access whilst impersonating. In my PDI, I have created write and create Deny-Unless ACLs which run on * tables. These check whether the user is impersonating; if they are not impersonating, the ACLs stop processing. If they are impersonating, the script gets the impersonator's user record and checks if they have the "impersonate_read_only" role. If they have the role, it denies Write/Create access. If they don't have the role, the ACL stops processing.
This solution satisfies the requirement, however I have concerns around performance. The ACLs run on all tables, and always run the script to check if the user is impersonating. I have checked with ServiceNow directly and they could not give an alternative method as they have not been able to assist anyone with this requirement previously. They only advised not to modify the impersonate macro.
So my question is, has anyone built anything to satisfy this requirement that they can share? And if not, any input on the method I have built would be much appreciated.
Thanks.
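The check described in the post, written out as an added example (not the poster's own script): a Deny-Unless write/create ACL script that exits early when the session is not impersonating and only then queries sys_user_has_role for the real (impersonating) user. `gs.getSession().isImpersonating()`, `gs.getImpersonatingUser()` and `GlideRecord` are platform APIs; the in-memory stubs at the bottom are constructed so the logic can be run outside an instance, and the role name is the one assumed in the post.

```javascript
// Assumed role name from the post.
var READ_ONLY_ROLE = 'impersonate_read_only';

// Returns true when the REAL user behind the session holds the read-only role.
// gsApi and GlideRecordCtor are injected so the function can be tested locally;
// in the ACL script field they are simply gs and GlideRecord.
function impersonatorIsReadOnly(gsApi, GlideRecordCtor) {
  // Cheap session check first: most sessions are not impersonating, so the
  // ACL returns without touching the database (the performance concern).
  if (!gsApi.getSession().isImpersonating()) {
    return false; // not impersonating -> let the remaining ACLs decide
  }
  // sys_id of the impersonator, not of the impersonated user.
  var impersonatorId = gsApi.getImpersonatingUser();
  if (!impersonatorId) { return false; }

  var gr = new GlideRecordCtor('sys_user_has_role');
  gr.addQuery('user', impersonatorId);
  gr.addQuery('role.name', READ_ONLY_ROLE);
  gr.setLimit(1);
  gr.query();
  return gr.hasNext(); // role present -> deny write/create
}

// In the ACL script field a Deny-Unless ACL passes when answer is true:
// answer = !impersonatorIsReadOnly(gs, GlideRecord);

// ---- constructed stubs standing in for the platform, for local runs only ----
function makeGs(impersonating, impersonatorId) {
  return {
    getSession: function () {
      return { isImpersonating: function () { return impersonating; } };
    },
    getImpersonatingUser: function () { return impersonating ? impersonatorId : null; }
  };
}
// Constructed rows of sys_user_has_role: only "admin_real" holds the role.
var ROLE_ROWS = [{ user: 'admin_real', roleName: READ_ONLY_ROLE }];
function StubGlideRecord(table) { this.table = table; this.filters = {}; this.rows = []; }
StubGlideRecord.prototype.addQuery = function (field, value) { this.filters[field] = value; };
StubGlideRecord.prototype.setLimit = function () {};
StubGlideRecord.prototype.query = function () {
  var f = this.filters;
  this.rows = ROLE_ROWS.filter(function (r) {
    return r.user === f['user'] && r.roleName === f['role.name'];
  });
};
StubGlideRecord.prototype.hasNext = function () { return this.rows.length > 0; };
```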

‎03-03-2025 05:43 AM
While I understand the security concern that may have prompted someone to request this, it seems to me that the entire value of having the ability to impersonate is to be able to try things as the actual user to make sure that things work as they should. This restriction would make it essentially useless. There is logging that tells when someone starts and stops impersonating, if they need that for accountability.
With that said, the way you have done it is probably the simplest solution. I would have the same questions about performance, but it's hard to know the impact until it's implemented.

‎03-03-2025 05:56 AM
@TomC08608207763 ACLs are usually cached per user session: they are evaluated the first time, and the cached results are used for subsequent evaluations. Hence performance should not take a major hit in this case.
ServiceNow's HRSD application also has an impersonation check in its ACLs, where it grants read access based on whether the actual user is logged in or impersonation is being done on their user account.
For more information please refer to https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/administer/security-center/re...
Hope this helps.

‎03-04-2025 03:13 AM
@TomC08608207763 Thanks for the upvote. Please consider marking the responses accepted solution if they addressed your question.