End impersonation for users with low roles

Evren Yamin
Tera Contributor

Hello,

 

I was building a script on the existing script include "ImpersonateEvaluator" and I was able to check that if the user I'm trying to impersonate has the change_manager role, then the current user must have both the itil and change_manager roles. If the current user only has itil, then the current user will not be able to impersonate a user with the change_manager role.

 

My issue now is ending the impersonation. Although I was able to impersonate the change_manager user, I was unable to end the impersonation, since the user I am actually logged in as has both the change_manager and itil roles.

 

Is there a way to check that if I am impersonating a user with only one of the roles and not both, I can still go back to my own account? I know this is OOB, but I think that since I have made changes to the script include it's no longer working.

 

Appreciate all the help

1 ACCEPTED SOLUTION

It would be something like this.

 

if (!gs.hasRole("change_manager")) {
    // Callers without change_manager never see change_manager users in the impersonation list
    current.addEncodedQuery("roles!=change_manager");
}



Arav
Tera Guru

Hi,

 

Please share the script written so the community members can help.

 

As a best practice, it's better to avoid writing such logic in impersonation and keep it OOB.

Also, why would you want to open up impersonate access to all itil users?

 

Thanks,

Arav

Evren Yamin
Tera Contributor

Hello, 

Here is the script

if (impersonatedUser.hasRole("change_manager")) {
    // A change_manager target may only be impersonated by a caller who holds both roles
    if (currentUser.hasRole("change_manager") && currentUser.hasRole("itil")) {
        return true;
    } else {
        return false;
    }
} else {
    return true;
}

 

@Evren Yamin For your use case, you may want to consider restricting the list of users available for impersonation. Please see the article below on this.

 

https://www.servicenow.com/community/now-platform-blog/how-to-limit-the-list-of-users-you-can-impers...

 

I tried this but had to change line 3 as follows in the BR to make it work as my URL had an additional parameter.

 

if (gs.action.getGlideURI().toString().indexOf("sysparm_for_impersonation=true&sysparm_type=ref_list_data") > -1) {
    // ... rest of the business rule as in the linked article
}

 

You may want to check gs.action.getGlideURI() in your case and handle this as applicable.

 

Thanks,

Arav

Evren Yamin
Tera Contributor

Hello,

Can you help with how I can make this work if I am checking whether the users have a specific role?

For example, if the current user does not have the change_manager role, then that user also cannot see/impersonate a user with the change_manager role.
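The two checks discussed in this thread (the role rule in the evaluator and the encoded-query filter from the accepted solution), written as an added example in plain JavaScript rather than against ServiceNow's ImpersonateEvaluator or GlideSystem APIs; the session object, user shape and sample users are hypothetical, and it also shows why the return to the original account fails when the rule is evaluated against the impersonated user's roles.

```javascript
// Added example (not the thread's code and not ServiceNow's API): a plain-JavaScript
// model of the impersonation checks, with a hypothetical session shape so it runs
// outside the platform.

// Rule from the original post: a target holding change_manager may only be
// impersonated by a caller who holds BOTH itil and change_manager.
function canImpersonate(callerRoles, targetRoles) {
  const caller = new Set(callerRoles);
  const target = new Set(targetRoles);
  if (!target.has("change_manager")) {
    return true;
  }
  return caller.has("itil") && caller.has("change_manager");
}

// End-impersonation failure mode: while impersonating, "current user" is the
// impersonated account, so the rule above runs against the wrong roles when the
// original user tries to return to their own account. Modelling the session
// explicitly (hypothetical shape) lets that return through without weakening
// the rule for anyone else.
function evaluate(session, target) {
  if (session.impersonating && target.userName === session.originalUser.userName) {
    return true; // returning to the account that started the impersonation
  }
  return canImpersonate(session.currentUser.roles, target.roles);
}

// Accepted solution as a pure function: the encoded-query fragment to add to the
// impersonation ref-list query so callers without change_manager never see
// change_manager users in the picker ("" means no restriction).
function impersonationListFilter(callerRoles) {
  return new Set(callerRoles).has("change_manager") ? "" : "roles!=change_manager";
}

// Constructed sample users (not real accounts).
const admin = { userName: "evren", roles: ["itil", "change_manager"] };
const cm = { userName: "cm.user", roles: ["change_manager"] };
const itilOnly = { userName: "itil.user", roles: ["itil"] };

function demo() {
  // admin is logged in and currently impersonating cm
  const session = { impersonating: true, originalUser: admin, currentUser: cm };
  return {
    itilOnlyCanImpersonateCm: canImpersonate(itilOnly.roles, cm.roles),   // false
    ruleAloneBlocksReturn: canImpersonate(cm.roles, admin.roles),         // false
    returnToSelfWhileImpersonating: evaluate(session, admin),             // true
    filterForItilOnly: impersonationListFilter(itilOnly.roles)            // "roles!=change_manager"
  };
}
```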