Impersonating users

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Impersonating Users

    ServiceNow administrators can impersonate other authenticated users to test and troubleshoot within the system. This feature allows admins to access ServiceNow exactly as the impersonated user, including the same menus, modules, and roles. All actions taken during impersonation are recorded in the system log as if performed by the impersonated user.

    Show full answer Show less

    Impersonation Limitations

    • Access to scope-protected roles and encryption module roles depends on the configuration of the Impersonation option in the module access policy.
    • When impersonating users with admin roles, access to some features and modules is restricted if the impersonating administrator does not already have those roles.
    • Specifically, impersonating users with application-specific admin roles (e.g., Human Resources admin, Security Incident Response) limits access to related modules and profile information unless the impersonator has those roles.
    • Admins cannot change passwords of users with application admin roles during impersonation.
    • Impersonation ends when the admin impersonates another user or when the session ends (e.g., logout).

    Impersonation Requirements

    • The user to be impersonated must have a valid user ID in their User [sysuser] record; otherwise, impersonation is not possible.
    • Multiple user accounts with different roles (e.g., admin, ITIL technician, ESS user) may be needed for thorough testing.
    • Impersonating locked or inactive users will result in automatic logout upon any action.
    • Changes made during impersonation affect only that session; it is recommended to log out and back in after impersonation to ensure accuracy.

    Additional Features and Management

    • Mobile impersonation is supported on ServiceNow mobile apps, enabling testing on mobile platforms.
    • Administrators must enable visibility of the impersonation feature before users can use it.
    • Impersonation actions are logged via 'Impersonate Begin' and 'Impersonate End' events in the system log for auditing and tracking.
    • Admins can select or enter the user name to start impersonation.

    Administrators are able to impersonate other authenticated users, a feature primarily used for testing.

    This function enables the administrator to access the system exactly as the impersonated user, including identical menus and modules. All actions performed by the administrator during impersonation are recorded as if they were executed by the impersonated user.

    Impersonation example

    Impersonation limitations

    When you impersonate a user, all scope-protected roles and encryption module roles are supported if the Impersonation option is configured in the module access policy. See Create a module access policy for details.

    Impersonating a user enables access to scope-protected and encryption roles, as defined in the access policy. However, if impersonating a user with an admin role, access to certain features and modules is limited unless the impersonator already possesses those roles.

    Impersonating a user with an application-specific admin role, like Human Resources admin or Security Incident Response, limits access to certain features such as security incidents and profile information, unless these roles are already assigned to the impersonating admin. This restriction extends to certain modules and applications in the navigation bar, and admins can’t change the password of users with application admin roles.

    The following actions or conditions cause a user impersonation to end:
    • The user impersonates a different user
    • The user session ends, for example after a user logs out of their instance
      Note:
      When an administrator starts impersonating a user, the 'Impersonate Begin' event is logged in the system log. Similarly, the 'Impersonate End' event is recorded when impersonation concludes under one of the two conditions listed above.

    Impersonation requirements

    The user account to be impersonated must have a user ID. You can find this ID in the User [sys_user] record for the account. If this value is missing, the message The user you selected could not be impersonated appears.

    You need several different accounts to test the system.

    • An admin account to do work
    • An information technology infrastructure library (ITIL), or similar, account to test as a technician
    • An ESS account to test as an end user
    More logins may be required to adequately test the system.
    Note:
    If you try to impersonate a user who is either locked out or inactive, the system will automatically log you out if you initiate an action or select a link. Remember that all changes made during impersonation only apply to that session. To help ensure accuracy, log out and then log back in after completing the impersonation.

    Mobile impersonation

    Mobile impersonation is available on ServiceNow mobile apps. For information on mobile impersonations, see Mobile impersonation.