‎01-11-2017 02:16 AM
Hi
We are looking to introduce a new business function to ServiceNow. However, they use sensitive data that we do not want to allow to be visible to other ServiceNow users. We will use roles to prevent this; however, we want to prevent it becoming visible by use of the impersonator role. Ideally we would not forgo this useful functionality altogether, so I believe we could edit the UI Page to limit users with certain roles being impersonated - but I've been advised that modifying an Out of the Box UI Page has some disadvantages, so I'd like to know if an easier solution would be to create a similar condition to that employed by the Sec Ops and HR applications when we create our new application or module for the new business function?
Quoting a little from 'Impersonate a user':
IT System Administrators [admin] can impersonate ServiceNow users. However, when impersonating a user with an application admin role for Human Resources or Security Incident Response, an admin is not able to access features granted by that role, including security incidents and profile information. Access to modules and applications in the navigation bar is also restricted. Also, admin cannot change the password of any user with an application admin role for Human Resources or Security Incident Response.
This seems like it might be a more rounded solution for us, but I'd like confirmation that it is possible to be implemented outside the specific HR and Sec Ops applications before building this solution into a high level design.
‎01-18-2017 03:29 AM
There is a script include "ImpersonateEvaluator" with a method "canImpersonate". Change this method as per the requirement and you will be able to control the impersonation behavior.
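An added illustration of the kind of decision a customised `canImpersonate` could make for the requirement in this thread; it is not code from the thread or from ServiceNow. The two-argument signature, the `{name, roles}` user objects and the role name `x_fin_sensitive` are assumptions, and the sample users are constructed.

```javascript
// Added sketch, runnable in plain Node; none of this is ServiceNow's own code.
// ASSUMPTIONS (hypothetical): the (currentUser, impersonatedUser) arguments,
// the user-object shape {name, roles}, and the role name 'x_fin_sensitive'.

var PROTECTED_ROLES = ['x_fin_sensitive'];

// Exact membership test. The platform's gs.hasRole() also returns true for
// admin users, so a check built on it would let admins straight through.
function holdsExactly(user, role) {
    return Array.isArray(user.roles) && user.roles.indexOf(role) !== -1;
}

// Returns {allowed, reason} so a denied attempt can be logged with its cause.
function decide(currentUser, impersonatedUser) {
    if (!currentUser || !impersonatedUser) {
        return { allowed: false, reason: 'missing user' }; // fail closed
    }
    for (var i = 0; i < PROTECTED_ROLES.length; i++) {
        var role = PROTECTED_ROLES[i];
        if (holdsExactly(impersonatedUser, role) && !holdsExactly(currentUser, role)) {
            return { allowed: false, reason: 'target holds ' + role };
        }
    }
    return { allowed: true, reason: 'no protected role involved or caller holds it' };
}

// Boolean form, matching the method name from the answer above.
function canImpersonate(currentUser, impersonatedUser) {
    return decide(currentUser, impersonatedUser).allowed;
}

// Constructed sample users.
var admin = { name: 'sys.admin', roles: ['admin', 'impersonator'] };
var helper = { name: 'desk.agent', roles: ['impersonator', 'itil'] };
var finLead = { name: 'fin.lead', roles: ['impersonator', 'x_fin_sensitive'] };
var finUser = { name: 'fin.clerk', roles: ['x_fin_sensitive'] };
var plain = { name: 'end.user', roles: [] };

[[admin, finUser], [helper, finUser], [finLead, finUser], [helper, plain]]
    .forEach(function (pair) {
        var d = decide(pair[0], pair[1]);
        console.log(pair[0].name + ' -> ' + pair[1].name + ': ' +
            (d.allowed ? 'ALLOW' : 'DENY') + ' (' + d.reason + ')');
    });
```

Keeping the protected-role list in one place means a new sensitive application only needs its role added there, and the returned reason gives an audit trail for refused attempts.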
‎01-11-2017 04:44 AM
Hi Ed,
A simple option will be to create a Before Query business rule over a table you would like to hide from impersonators.
Condition: gs.getImpersonatingUserName() !== null
Script:
if (!gs.hasRole('admin')) {
    current.addQuery('sys_id', '-1');
}
‎01-18-2017 02:16 AM
I had someone try this for me but unfortunately it did not work, as the user with the impersonator role still absorbed all the options from the user being impersonated. It appears that the imp role is elevated in some way to enable this.
‎01-18-2017 02:38 AM
Ed,
Who are the "other users" that you would like to keep the data from? Which role will they get? I mean, if you do not grant them the admin role or security_admin role, they won't be able to impersonate anyone.
‎01-18-2017 02:43 AM
Hi
You can provide the impersonator role individually without giving admin, and we have quite a few users who have the role already and don't really want to give it up (although forcing that may be one option).