Prevent impersonating

edbailey · ‎01-11-2017

Hi

We are looking to introduce a new business function to ServiceNow. However they use sensitive data that we do not want to allow to be visible to other servicenow users. We will use roles to prevent this however we want to prevent it becoming visible by use of the impersonator role. Ideally we would not forgo this useful functionality altogether so I believe we could edit the Ui Page to limit users with certain roles being impersonated - but I've been advised that modifying an Out of the Box Ui Page has some disadvantages so I'd like to know if an easier solution would be create a similar condition to that employed by the Sec Ops and HR applications when we create our new application or module for the new business function?

quoting a little from 'Impersonate a user

IT System Administrators [admin] can impersonate ServiceNow users. However, when impersonating a user with an application admin role for Human Resources or Security Incident Response, an admin is not able to access features granted by that role, including security incidents and profile information. Access to modules and applications in the navigation bar is also restricted. Also, admin cannot change the password of any user with an application admin role for Human Resources or Security Incident Response.

This seems like it might be a more rounded solution for us but I'd like confirmation that it is possible to be implemented outside the specific HR and Sec Ops applications before building this solution in to a high level design

kedarnathghadiy · ‎01-18-2017

There is a script include "ImpersonateEvaluator", there exist method "canImpersonate". Change this method as per the requirement, you will be able to control the Impersonation behavior.

View solution in original post

kedarnathghadiy · ‎01-18-2017

Hi Ed,

This is possible in Service-now.I want to understand the requirement.

Some Users has special role "XYZ" and admins should not be able to impersonate them, only admin+"XYZ" role should be impersonate those special role users.

is this correct?

BTW, which version you are using?

edbailey · ‎01-18-2017

We are currently on Helsinki

You have it almost right - at this point we are looking at preventing anyone with role xyz from impersonating someone with the role - so that includes admin

Although I think that if we could not limit admins from being able to impersonate users with this role then its likely i would still get approval - I've not had that discussion yet though.

kedarnathghadiy · ‎01-18-2017

Hi Ed,

Use "ImpersonateEvaluator" script include & change canImpersonate method to achive the same.

You can see ImpersonateEvaluator in your script include table.

Hope this helps.

Regards,

Kedar

ayush_saxena · ‎05-09-2017

Hi Kedar,

I was wondering what values are being passed to currentUser and impersonatedUser and how ?

canImpersonate: function(currentUser, impersonatedUser) {

return true;

kedarnathghadiy · ‎05-09-2017

Hi Ayush,

Those are GlideUser Objects, you can get Sys_ids of users by "impersonatedUser.getID()"

Regards,

Kedar