Prevent impersonating user from viewing application data

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Use system properties to prevent an impersonating user from viewing application data.

    Prevent admin level from accessing the application specific data belonging to that user when impersonating an account. This permission can be set at the application level by creating a system property specific to the application.

    These system properties use the <scope>.impersonateCheck naming format (for example sn_hr_core.impersonateCheck). Create a system property with a value of true to prevent users from accessing the application-specific data belonging to another user when impersonating an account.

    Note:
    Not all applications are designed to work in this configuration or have a System Properties [sys_properties] record for this purpose. The following scopes are configured to work with this property.
    • sn_opp_market
    • sn_jny
    • sn_imt_vaccine
    • sn_imt_health_test
    • sn_hr_core
    • sn_egd_goals
    • sn_egd_core
    • sn_egd_act
    • sn_em
    • sn_talent_aia
    • sn_ecn

    For each application with the <scope>.impersonateCheck property in the System Properties [sys_properties] table, ensure the property value is set to true.

    Note:
    These properties can only be modified by the scoped administrator for the specific application.

    Use this script to find which properties need to be updated or created on the instance:

    var properties = [
        'sn_opp_market.impersonateCheck',
        'sn_jny.impersonateCheck',
        'sn_imt_vaccine.impersonateCheck',
        'sn_imt_health_test.impersonateCheck',
        'sn_hr_core.impersonateCheck',
        'sn_egd_goals.impersonateCheck',
        'sn_egd_core.impersonateCheck',
        'sn_egd_act.impersonateCheck',
	'sn_em.impersonateCheck',
	'sn_talent_aia.impersonateCheck',
        'sn_ecn.impersonateCheck'
    ];

    var pm = new GlidePluginManager();

    for (var i = 0; i < properties.length; i++) {
        var property = properties[i];
        var application = property.split('.')[0];
        var propertyValue = gs.getProperty(property, 'false');

        if (pm.isActive(application) && propertyValue.toLowerCase() != 'true') {
            gs.print(property);
        }
    }

    More information

    Attribute Description
    Configuration name <scope>.impersonateCheck
    Configuration type System Properties (/sys_properties_list.do)
    Data type Boolean
    Recommended value true
    Default value false
    Fallback value false
    Category Access control
    Security risk
    • Severity score: 3.8
    • CVSS score: Low
    • A value of false for these properties allows an admin level user to impersonate another user and access application data with the impersonated user's access. This may be undesirable or allow for unauthorized data access in specific application contexts.
    Functional impact Admin level users are not be able to impersonate another user and view that user's data in a specific application context.
    Dependencies and prerequisites None

    To learn more about adding or creating a system property, see Add a system property.