
End impersonation for users with low roles

Evren Yamin
Tera Contributor

Hello,

 

I was building a script on the existing script include "ImpersonateEvaluator" and I was able to check that if a user that I'm trying to impersonate has the change_manager role, then the current user should have both the itil and change_manager roles. If the current user only has itil, then the current user will not be able to impersonate a user with the change_manager role.

 

My issue now is ending the impersonation. Since I was able to impersonate the change_manager user, I was unable to end the impersonation since the current user that I am currently logged in as has both the change_manager and itil roles.

 

Is there a way to check that if I am impersonating a user with only one role and not both, then I can go back to my account? I know this is OOB but I think since I have made changes to the script include it's no longer working.

 

Appreciate all the help

1 ACCEPTED SOLUTION

It would be something like this.

 

if (!gs.hasRole("change_manager"))
    current.addEncodedQuery("roles!=change_manager");


5 REPLIES

Arav
Tera Guru

Hi,

 

Please share the script written so the community members can help.

 

As a best practice, it's better to avoid writing such logic in impersonation and keep it OOB.

Also, why would you want to open up impersonate access to all itil users?

 

Thanks,

Arav

Evren Yamin
Tera Contributor

Hello, 

Here is the script

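// Decide whether currentUser may impersonate impersonatedUser.
if (impersonatedUser.hasRole("change_manager")) {
    // Target holds change_manager: apply the extra role check.
    if (currentUser.hasRole("change_manager") && impersonatedUser.hasRole("itil")) {
        return true;
    } else {
        return false;
    }
} else {
    // Target does not hold change_manager: allow.
    return true;
}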

 

@Evren Yamin For your use case, you may want to consider restricting the list of users available for impersonation. Please see below an article on this.

 

https://www.servicenow.com/community/now-platform-blog/how-to-limit-the-list-of-users-you-can-impers...

 

I tried this but had to change line 3 as follows in the BR to make it work as my URL had an additional parameter.

 

if(gs.action.getGlideURI().toString().indexOf("sysparm_for_impersonation=true&sysparm_type=ref_list_data") > -1){

 

You may want to check gs.action.getGlideURI() in your case and handle this as applicable.

 

Thanks,

Arav

Evren Yamin
Tera Contributor

Hello,

Can you help with how I can make this work if I am checking whether the users have a specific role?

Like if the current user does not have the change_manager role, then that user also cannot see/impersonate a user with the change_manager role.
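
The role rule discussed in this thread, as an added example that is not part of any post and is not ServiceNow platform code: a plain JavaScript model that keeps the "must already hold the guarded role" check separate from the decision to return to the original account. `makeUser`, the `session` object and the sample users are assumptions made for illustration, and the guarded-role list generalizes the single change_manager case.

```javascript
// Plain JavaScript model for illustration; not ServiceNow platform code.
// makeUser() is a hypothetical stand-in exposing hasRole(), the only user
// method the script posted in the thread relies on.
function makeUser(name, roles) {
  const held = new Set(roles);
  return { name, hasRole: (role) => held.has(role) };
}

// Roles that may only be impersonated by someone who already holds them.
const GUARDED_ROLES = ['change_manager'];

// Role rule: the actor must already hold every guarded role the target holds.
function roleRuleAllows(actor, target, guarded = GUARDED_ROLES) {
  return guarded.every((r) => !target.hasRole(r) || actor.hasRole(r));
}

// Switch decision. `session` is an assumed structure:
//   original  - the identity that logged in
//   effective - the identity the session is acting as right now
// While impersonating, the only switch allowed is back to the original
// account, and it does not depend on the impersonated user's roles.
function canSwitchTo(session, target, guarded = GUARDED_ROLES) {
  const impersonating = session.effective.name !== session.original.name;
  if (impersonating) return target.name === session.original.name;
  return roleRuleAllows(session.original, target, guarded);
}

// List filter with the same outcome as the accepted answer's
// "roles!=change_manager" query: hide targets the actor cannot impersonate.
function visibleTargets(actor, candidates, guarded = GUARDED_ROLES) {
  return candidates.filter((u) => roleRuleAllows(actor, u, guarded));
}

// Constructed sample users.
const itilOnly = makeUser('itil.only', ['itil']);
const changeMgr = makeUser('change.mgr', ['itil', 'change_manager']);
const plainUser = makeUser('plain.user', []);

// A change manager impersonating an itil-only user.
const active = { original: changeMgr, effective: itilOnly };
// Applying the role rule to the impersonated identity blocks the way back...
console.log('rule alone allows return:', roleRuleAllows(itilOnly, changeMgr));
// ...while deciding on the session's original identity allows it.
console.log('session allows return:  ', canSwitchTo(active, changeMgr));
console.log('itil-only sees:', visibleTargets(itilOnly, [changeMgr, plainUser]).map((u) => u.name));
```
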