Martin Rudack
Giga Sage

Disclaimer – This article is part of a series exploring the new features and capabilities introduced in the Australia release. Since we’re still in the Early Availability (EA) phase, things may change before General Availability (GA). 

 

 

The Australia Release introduces much-needed transparency for user impersonations, particularly within your audit records.

Previously, tracking down impersonations and the changes made during them took some investigative work. Now, ServiceNow provides a dedicated table for impersonation events and allows you to track impersonator actions directly in your audit logs. Let's look at how these two new features work.

 

 

Log impersonation history

This feature gives you a new table storing all impersonation events. It shows exactly who impersonated whom, alongside the start and end times. You no longer need to build custom reporting to capture this data.

Navigate to “All > System Logs > User Impersonation” or directly use the User Impersonation History [sys_user_impersonation_history] table.

 

This feature is controlled by the System Property identity.impersonation.history.enabled and is enabled by default.

 

list.png

 

The new table also logs the session ID. When you open a specific Impersonation History record, you can view the related transaction logs right there. This means you don't just see who initiated an impersonation, you can see exactly what they did during that session.

 

imp history.png

 

 

Impersonation tracking in audit logs

This brings us to the second feature, which provides even deeper visibility into the actions taken while impersonating a user.

Historically, looking at a sys_audit record didn't immediately tell you whether a change was made by the actual user or by another user impersonating them. You had to cross-reference transaction logs and events to find out. The Australia release solves this by storing this information directly in the audit record.

 

Let’s look at an example:

Imagine the System Administrator impersonates Able Tuter and changes the Business Criticality of the SAP Payroll Service from "1 – most critical" to "4 – not critical".

Without impersonation tracking in audit logs, the sys_audit record for this change looks like this:

 

audit1.png

 

Notice that Able Tuter is listed in both the User and Created by fields.

 

To change this behavior, we need to enable impersonation tracking in audit logs. This is not enabled by default, so you must first create a system property called glide.audit.track_impersonation and set it to true.

 

Once this feature is enabled, let's say the System Administrator impersonates Able Tuter again to change the Business Criticality back. The new sys_audit record now looks like this:

 

audit2.png

 

The Created by field still lists Able Tuter, but the User field now contains a Sys ID. This references a Sys Audit Identity [sys_audit_identity] record, which shows that the change was actually made by the System Administrator.

 

audit identity.png
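The two features combine into a simple triage over exported records. The following is an added example, not code from this post or from ServiceNow: it classifies sys_audit rows using the sys_id in the User field when tracking is on, and falls back to the impersonation history time windows when it is off. The rows are constructed sample data, and the column names used for the sys_audit_identity and sys_user_impersonation_history exports (impersonator, impersonated, start, end) are hypothetical.

```javascript
// Constructed sample data; the identity and history column names
// (impersonator, impersonated, start, end) are hypothetical.
const SYS_ID = /^[0-9a-f]{32}$/;
// Assumes exported timestamps are UTC in "YYYY-MM-DD HH:MM:SS" form.
const ts = (s) => Date.parse(s.replace(' ', 'T') + 'Z');

function classifyAudit(auditRows, identities, history) {
  return auditRows.map((row) => {
    // Tracking on: User holds a sys_id pointing at a sys_audit_identity record.
    if (SYS_ID.test(row.user)) {
      const id = identities[row.user];
      return id
        ? { ...row, verdict: 'impersonated', actor: id.impersonator }
        : { ...row, verdict: 'unresolved-identity', actor: null };
    }
    // User is a plain user name: the audit row alone cannot tell the two
    // cases apart, so check the impersonation history windows for that user.
    const t = ts(row.sys_created_on);
    const hit = history.find((h) =>
      h.impersonated === row.sys_created_by &&
      ts(h.start) <= t &&
      (!h.end || t <= ts(h.end))); // a session still open has no end time
    return hit
      ? { ...row, verdict: 'possible-impersonation', actor: hit.impersonator }
      : { ...row, verdict: 'direct', actor: row.user };
  });
}

const IDENTITIES = { 'a1b2c3d4e5f60718293a4b5c6d7e8f90': { impersonator: 'admin' } };
const HISTORY = [
  { impersonator: 'admin', impersonated: 'able.tuter',
    start: '2026-03-01 10:00:00', end: '2026-03-01 10:15:00' },
];
const AUDIT = [
  { user: 'able.tuter', sys_created_by: 'able.tuter', sys_created_on: '2026-03-01 10:05:00' },
  { user: 'a1b2c3d4e5f60718293a4b5c6d7e8f90', sys_created_by: 'able.tuter', sys_created_on: '2026-03-01 11:30:00' },
  { user: 'able.tuter', sys_created_by: 'able.tuter', sys_created_on: '2026-03-02 09:00:00' },
  { user: 'ffffffffffffffffffffffffffffffff', sys_created_by: 'able.tuter', sys_created_on: '2026-03-02 09:05:00' },
];

for (const r of classifyAudit(AUDIT, IDENTITIES, HISTORY)) {
  console.log(r.sys_created_on, r.sys_created_by, r.verdict, r.actor);
}
```

A "possible-impersonation" verdict only means an impersonation session overlapped the change; the sys_id reference written once glide.audit.track_impersonation is true is the direct evidence.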

 

 

If you manage a ServiceNow instance and want a clearer, more transparent audit trail, enabling this feature should be on your to-do list once you upgrade to the Australia release.

7 Comments
gourav786gs
Tera Contributor

Unable to see the "glide.audit.track_impersonation" system property in my Australia PDI!

 

gourav786gs
Tera Contributor

Ohh my bad, yeah need to create new system property.

Mark Manders
Giga Patron

Thanks for discovering the new features! It always helps others to more easily find 'what's new'.

It's great that the impersonations are now more easily accessible. However, looking at the number of people posting about this, it's like it's something that's completely new. The Security Center Monitoring has been showing this for a while now. It's one of the metrics that is tracked. If this impersonation update is a huge eye opener for you, I'd suggest taking a look at what is available in the Security Center, because it has a lot of these "I wish I knew what/how/where..." things in there.

Martin Rudack
Giga Sage

Hi @Mark Manders 

I am aware that there is a metric in the Security Center that shows the impersonations. But as far as I know there are only the impersonation events. You don’t directly see who impersonated whom and the timespan for the impersonation. Another advantage here is that the transaction logs for the session are directly visible. This is something where I have seen custom solutions before and I don’t see this OOTB in the Security Center. If that is already there in this detail, then I am happy to learn from you.

 

Also, this is only the first half of the blog post. The second half is about the capability to configure the system to see changes which were made by a person impersonating another user in the audit log. You were not able to see this before.

 

Everything together provides more transparency around impersonation with the Australia Release. Therefore, in my opinion, it is totally valid to highlight both.

Mark Manders
Giga Patron

@Martin Rudack Within the KPI details you can drill down and see all of this as well. As I already mentioned: it's great that it's more easily accessible, because it seems almost nobody knows about this (as you proved with not knowing that you can drill down). It's extended and enhanced, but for some reason I have seen this brought as a new Australia feature in lots of posts online. My point was that apparently people have been looking for this, while it was already (partially) there. If those people check out the Security Center features, they will be surprised what is already logged OOB for which they are (probably) using custom solutions at the moment.

 

Yes, the enhancements are new, but parts were already available before.

Anton42
Tera Expert

Hello @Mark Manders : I checked Security Center and was not able to find the level of detail the new feature announcement is describing. Where do I find this drilldown in Sec.Center you are talking about exactly?

 

Martin Rudack
Giga Sage

I am also still missing this.

The drill down to the sn_vsc_impersonation_event record only gives you the information you also see in the system event that occurs when a user impersonates another user.

I don't find any information about the session or the length of the impersonation there...