Prevent impersonating

edbailey
Giga Contributor

Hi

We are looking to introduce a new business function to ServiceNow. However, they use sensitive data that we do not want to allow to be visible to other ServiceNow users. We will use roles to prevent this; however, we want to prevent it becoming visible by use of the impersonator role. Ideally we would not forgo this useful functionality altogether, so I believe we could edit the UI Page to limit users with certain roles being impersonated - but I've been advised that modifying an Out of the Box UI Page has some disadvantages, so I'd like to know if an easier solution would be to create a similar condition to that employed by the Sec Ops and HR applications when we create our new application or module for the new business function?

Quoting a little from 'Impersonate a user':

IT System Administrators [admin] can impersonate ServiceNow users. However, when impersonating a user with an application admin role for Human Resources or Security Incident Response, an admin is not able to access features granted by that role, including security incidents and profile information. Access to modules and applications in the navigation bar is also restricted. Also, admin cannot change the password of any user with an application admin role for Human Resources or Security Incident Response.

This seems like it might be a more rounded solution for us, but I'd like confirmation that it is possible to implement it outside the specific HR and Sec Ops applications before building this solution into a high level design.

1 ACCEPTED SOLUTION

kedarnathghadiy
ServiceNow Employee

There is a script include "ImpersonateEvaluator", which has a method "canImpersonate". Change this method as per the requirement, and you will be able to control the impersonation behavior.


Hi Ed,

This is possible in Service-now. I want to understand the requirement.

Some users have a special role "XYZ" and admins should not be able to impersonate them; only admin + "XYZ" role should be able to impersonate those special role users.

Is this correct?

BTW, which version are you using?


We are currently on Helsinki.

You have it almost right - at this point we are looking at preventing anyone with role xyz from impersonating someone with the role - so that includes admin.

Although I think that if we could not limit admins from being able to impersonate users with this role then it's likely I would still get approval - I've not had that discussion yet though.


Hi Ed,

Use the "ImpersonateEvaluator" script include & change the canImpersonate method to achieve the same.

You can see ImpersonateEvaluator in your script include table.

Hope this helps.

Regards,
Kedar


Hi Kedar,

I was wondering what values are being passed to currentUser and impersonatedUser, and how?

canImpersonate: function(currentUser, impersonatedUser) {
  return true;
},


Hi Ayush,

Those are GlideUser objects; you can get the sys_ids of users with "impersonatedUser.getID()".

Regards,
Kedar
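
The check the accepted solution points to, written out as an added example (not code from the thread or from ServiceNow): it denies impersonation of any user holding a protected role, for every caller including admin, and fails closed when a user object is missing or the role lookup throws. The role name, the `evaluateImpersonation` helper and the mock users standing in for GlideUser objects are assumptions; only `getID()` and `hasRole()` are called on the user objects.

```javascript
// Added example. PROTECTED_ROLES and the mock users below are hypothetical.
var PROTECTED_ROLES = ['x_sensitive_function_user']; // hypothetical role name

// Returns {allowed, reason} so that a denied attempt can be logged for audit.
function evaluateImpersonation(currentUser, impersonatedUser) {
  // Fail closed: a missing or unexpected object never grants impersonation.
  if (!currentUser || !impersonatedUser ||
      typeof impersonatedUser.hasRole !== 'function') {
    return { allowed: false, reason: 'missing user object' };
  }
  try {
    for (var i = 0; i < PROTECTED_ROLES.length; i++) {
      if (impersonatedUser.hasRole(PROTECTED_ROLES[i])) {
        // The rule ignores the caller's roles, so it also applies to admin.
        return {
          allowed: false,
          reason: 'target ' + impersonatedUser.getID() +
                  ' holds ' + PROTECTED_ROLES[i]
        };
      }
    }
  } catch (e) {
    return { allowed: false, reason: 'role lookup failed' };
  }
  return { allowed: true, reason: 'no protected role on target' };
}

// Same signature as the method discussed in the thread.
function canImpersonate(currentUser, impersonatedUser) {
  return evaluateImpersonation(currentUser, impersonatedUser).allowed;
}

// Constructed stand-in for a GlideUser, exposing only getID() and hasRole().
function mockUser(id, roles) {
  return {
    getID: function () { return id; },
    hasRole: function (role) { return roles.indexOf(role) !== -1; }
  };
}

// Constructed sample users.
var protectedUser = mockUser('constructed-id-1', ['x_sensitive_function_user']);
var plainUser = mockUser('constructed-id-2', ['itil']);
var adminUser = mockUser('constructed-id-3', ['admin']);
```

On an instance, the body of `canImpersonate` here would go into the ImpersonateEvaluator method. Check on a sub-production instance how `hasRole()` treats admin targets, since a true result for admins would make them non-impersonable under this rule.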