Prevent impersonating

edbailey
Giga Contributor

Hi

We are looking to introduce a new business function to ServiceNow. However, it uses sensitive data that we do not want to be visible to other ServiceNow users. We will use roles to prevent this; however, we also want to prevent the data becoming visible through use of the impersonator role. Ideally we would not forgo this useful functionality altogether, so I believe we could edit the UI Page to stop users with certain roles being impersonated, but I've been advised that modifying an out-of-the-box UI Page has some disadvantages. So I'd like to know if an easier solution would be to create a condition similar to the one employed by the Sec Ops and HR applications when we create our new application or module for the new business function.

Quoting a little from 'Impersonate a user':

IT System Administrators [admin] can impersonate ServiceNow users. However, when impersonating a user with an application admin role for Human Resources or Security Incident Response, an admin is not able to access features granted by that role, including security incidents and profile information. Access to modules and applications in the navigation bar is also restricted. Also, admin cannot change the password of any user with an application admin role for Human Resources or Security Incident Response.

This seems like it might be a more rounded solution for us, but I'd like confirmation that it is possible to implement this outside the specific HR and Sec Ops applications before building this solution into a high-level design.

1 ACCEPTED SOLUTION

kedarnathghadiy
ServiceNow Employee

There is a script include "ImpersonateEvaluator", there exist method "canImpersonate". Change this method as per the requirement, you will be able to control the Impersonation behavior.




Thanks Kedar,

I tried it yesterday, but I am getting the same values for both gs.log('Impersonated user is ' + impersonatedUser.getID()); and gs.log('current user is ' + currentUser.getID() );

I also need to get details of the logged-in user, as the requirement is: if the current user has the admin role, he should be able to impersonate anyone and later impersonate back to admin, but if a user with the impersonator role tries to impersonate any VIP user, he should not be able to do so.

Thanks,
Ayush


Kedar,

I managed to complete the above requirement, but I still have a query: why are we getting the same values for both gs.log('Impersonated user is ' + impersonatedUser.getID()); and gs.log('current user is ' + currentUser.getID() );?

Thanks,
Ayush




Do you happen to have a sample script to share that shows how to restrict the impersonation of a user with a specific role? 

I have a script that I use to disable HR Impersonating. It has been shared below. 

 

var ImpersonateEvaluator = Class.create();
ImpersonateEvaluator.prototype = {
	initialize: function() {
	},
	// Roles that protect their holders: a user may only impersonate someone
	// holding one of these roles if the impersonator holds that same role.
	BLOCKED_ROLES: [
		'hr_admin' //the EXACT names of the roles to block
	],
	// Called by the platform with the GlideUser performing the impersonation
	// and the GlideUser being impersonated. Returning false blocks the attempt.
	canImpersonate: function(currentUser, impersonatedUser) {
		var i,
			currentUserRoles = currentUser.getRoles(),
			impersonatedUserRoles = impersonatedUser.getRoles();
		// Iterate over the array of roles that cannot be impersonated.
		for (i = 0; i < this.BLOCKED_ROLES.length; i++) {
			// Deny only when the target holds the blocked role and the impersonator does not.
			if (currentUserRoles.indexOf(this.BLOCKED_ROLES[i]) < 0 && impersonatedUserRoles.indexOf(this.BLOCKED_ROLES[i]) >= 0) {
				gs.warn('Unable to impersonate user ' + impersonatedUser.getID() +
					', as the role ' + this.BLOCKED_ROLES[i] + ' was not possessed by the impersonator: ' +
					currentUser.getID());
				return false;
			}
		}
		// Otherwise, allow the impersonation.
		return true;
	},
	type: 'ImpersonateEvaluator'
};
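As an added example (not the out-of-the-box ImpersonateEvaluator and not the script posted above), here is a canImpersonate policy that combines the blocked-role check from the shared script with the requirement Ayush states earlier in the thread: a user holding admin may impersonate anyone, while a user with only the impersonator role may not impersonate a VIP. The VIP flag is read from sys_user.vip; the helper names, the sample users and their sys_ids are constructed for this example. Inside the script include, the canImpersonate method would simply return canImpersonate(currentUser, impersonatedUser) with no third argument, so that lookupVipFromSysUser does the GlideRecord lookup on the platform.

```javascript
// Added example policy for ImpersonateEvaluator.canImpersonate. Rules, in order:
//   1. A holder of the admin role may impersonate anyone (so can always return
//      to their own session by impersonating back).
//   2. Nobody else may impersonate a user flagged VIP on sys_user.
//   3. Nobody else may impersonate a holder of a blocked role unless they hold
//      that role themselves (the check from the script shared in the thread).
// Role names other than admin, impersonator and hr_admin are assumptions.

var BLOCKED_ROLES = ['hr_admin']; // exact role names, as in the shared script

// GlideUser.getRoles() returns a java.util.List under Rhino on the platform;
// in a plain JS runtime (used here for the offline self-test) it is an array.
// Normalise both to an array of JS strings so indexOf comparisons are reliable.
function roleList(roles) {
  var isJavaList = typeof roles.size === 'function';
  var n = isJavaList ? roles.size() : roles.length;
  var out = [];
  for (var i = 0; i < n; i++) {
    out.push(String(isJavaList ? roles.get(i) : roles[i]));
  }
  return out;
}

// Pure decision function: no platform APIs, so it can be unit tested.
function decideImpersonation(currentRoles, targetRoles, targetIsVip, blockedRoles) {
  if (currentRoles.indexOf('admin') >= 0) {
    return { allowed: true, reason: 'admin may impersonate anyone' };
  }
  if (targetIsVip) {
    return { allowed: false, reason: 'target user is flagged VIP' };
  }
  for (var i = 0; i < blockedRoles.length; i++) {
    var role = blockedRoles[i];
    if (targetRoles.indexOf(role) >= 0 && currentRoles.indexOf(role) < 0) {
      return { allowed: false, reason: 'target holds blocked role ' + role };
    }
  }
  return { allowed: true, reason: 'no rule matched' };
}

// Platform lookup of the VIP flag. GlideRecord exists only inside ServiceNow;
// getValue() on a boolean field returns '1' or '0'.
function lookupVipFromSysUser(userSysId) {
  var gr = new GlideRecord('sys_user');
  if (!gr.get(userSysId)) {
    return false;
  }
  return gr.getValue('vip') === '1';
}

// gs.warn on the platform, console.warn elsewhere.
function warn(message) {
  if (typeof gs !== 'undefined') {
    gs.warn(message);
  } else {
    console.warn(message);
  }
}

// Body for canImpersonate(currentUser, impersonatedUser). isVipLookup is
// injectable so the policy can be exercised with constructed users.
function canImpersonate(currentUser, impersonatedUser, isVipLookup) {
  var vipLookup = isVipLookup || lookupVipFromSysUser;
  var decision = decideImpersonation(
    roleList(currentUser.getRoles()),
    roleList(impersonatedUser.getRoles()),
    vipLookup(impersonatedUser.getID()),
    BLOCKED_ROLES
  );
  if (!decision.allowed) {
    warn('Impersonation of ' + impersonatedUser.getID() + ' by ' +
         currentUser.getID() + ' denied: ' + decision.reason);
  }
  return decision.allowed;
}

// Constructed stand-in for GlideUser, used only for the offline self-test.
function fakeUser(sysId, roles) {
  return {
    getID: function () { return sysId; },
    getRoles: function () { return roles; }
  };
}

// Constructed sample data: which sys_user records carry vip = true.
var SAMPLE_VIPS = { 'ceo0001': true };
function sampleVipLookup(sysId) { return SAMPLE_VIPS[sysId] === true; }

// Offline walkthrough of the three rules with constructed users.
function runSample() {
  var admin = fakeUser('admin001', ['admin', 'impersonator']);
  var helpdesk = fakeUser('help001', ['itil', 'impersonator']);
  var hrLead = fakeUser('hr00001', ['hr_admin', 'impersonator']);
  var ceo = fakeUser('ceo0001', ['itil']);
  var hrAnalyst = fakeUser('hr00002', ['hr_admin']);
  return {
    adminToVip: canImpersonate(admin, ceo, sampleVipLookup),               // true
    helpdeskToVip: canImpersonate(helpdesk, ceo, sampleVipLookup),         // false
    helpdeskToHr: canImpersonate(helpdesk, hrAnalyst, sampleVipLookup),    // false
    hrLeadToHr: canImpersonate(hrLead, hrAnalyst, sampleVipLookup),        // true
    helpdeskToPeer: canImpersonate(helpdesk, fakeUser('help002', ['itil']), sampleVipLookup) // true
  };
}
```

Two design points worth noting. The admin check comes first because in ServiceNow a user with admin effectively holds every role, so any role-based rule after it would be moot for admins anyway; the VIP rule then applies to everyone else regardless of roles. Also, as written nothing stops a non-admin impersonator from impersonating a user who holds admin, which would defeat every other rule; if the platform does not already prevent that in your instance, add 'admin' to BLOCKED_ROLES so that only admins can impersonate admins.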