Can I make a scripted REST API using GlideImpersonate?

David Miller3
ServiceNow Employee

Want to use Impersonation API (GlideImpersonate) via REST call
- Are specific roles required?
- Best practices?

(Requested on behalf of an anonymous customer, sorry if this is vague on details.)

3 REPLIES

-O-
Kilo Patron

You mean to use the Impersonation API in the script of a Scripted REST API?

David Miller3
ServiceNow Employee

Thanks for the response. Yes, I'm assuming this is the case.

I posted this on behalf of an anonymous customer, so if more context is required, I'll have to cancel this request. Apologies for the vague details.

You're most welcome.

I assume it would be possible, if the login used to connect to ServiceNow had sufficient rights (roles). However, even if possible, it would be bad from the p.o.v. of security and auditing. The correct thing to do would be to connect directly using the login that one wants to impersonate.

Even if possible, I would not "give in" to this request. Just way too exploitable. Even SN says:

Impersonation allows users with the admin or the impersonator role to temporarily become another aut... (emphasis mine)

You need either admin or impersonator roles and that's just way too much for an integration user to have. I mean - especially in Production instances - one should have as few admin users as possible. And no impersonator roles - if you ask me. Unless nobody cares about security and accountability at all.