After an admin user impersonates someone, the list in the impersonation dialog does not show other users apart from users that already appear in their recent impersonations list. This issue is caused by a security change in the way REST queries are processed. ACL processing occurs at a different point now, and in a more stringent fashion.
Steps to Reproduce
1. Log in as admin.
2. Impersonate Joe Employee (or any non-roled or non-itil user).
3. While impersonating Joe, try to impersonate another user.
4. Note that you can get back in only as yourself.
In this case, a non-admin user sends this query to the sys_user table:
If the user in question does not have read access to any of those items, or to the sys_user table in general, the query is modified in a way that causes the rest of the query to return no results. There may also be additional fields that the non-admin user does not have access to.
sys_user.locked_out is an example that applies to most scenarios, but there may be additional ACLs (per plugin activations or customizations) that result in the same issue.
As an example, if the non-admin user is failing access to the sys_user.locked_out field, you may take either of the following courses of action:
- Configure the base system READ ACL on the sys_user.locked_out field and give it a role that your impersonators have.
- Allow this ACL to pass for any role/user by removing the existing roles on the ACL.
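The following is an added example, not ServiceNow platform code and not part of the original article: a simplified JavaScript model of the behaviour described above, showing how one unreadable field referenced by a query blocks the results and how either course of action clears it. The ACL records, the roles (including the hypothetical example_role), and the encoded query are constructed for illustration.

```javascript
// Simplified model. Assumptions: an ACL passes when it lists no roles or the
// user holds one of them; ACL conditions and scripts are ignored; a field with
// no matching ACL falls back to the table-level result.

// Constructed sample of read ACLs; the roles shown are illustrative.
const sampleAcls = [
  { name: 'sys_user', operation: 'read', roles: [] },
  { name: 'sys_user.locked_out', operation: 'read', roles: ['admin'] },
];

// Field names referenced by an encoded query such as "active=true^locked_out=false".
// Field names are lowercase, so matching stops at operators like "=" or "LIKE".
function queryFields(encodedQuery) {
  const fields = new Set();
  for (const term of encodedQuery.split(/\^NQ|\^OR|\^/)) {
    const m = /^[a-z_][a-z0-9_]*/.exec(term);
    if (m) fields.add(m[0]);
  }
  return [...fields];
}

// true/false when read ACLs with this exact name exist, null when none do.
function passes(acls, name, userRoles) {
  const rules = acls.filter(a => a.operation === 'read' && a.name === name);
  if (rules.length === 0) return null;
  return rules.some(a => a.roles.length === 0 || a.roles.some(r => userRoles.includes(r)));
}

// Query fields on which the user fails read access (the whole table if it fails).
function blockedFields(acls, table, encodedQuery, userRoles) {
  if (passes(acls, table, userRoles) === false) return [table];
  return queryFields(encodedQuery).filter(f => {
    const specific = passes(acls, `${table}.${f}`, userRoles);
    const verdict = specific !== null ? specific : passes(acls, `${table}.*`, userRoles);
    return verdict === false;
  });
}

// Returns a copy of the ACL list with the roles on one ACL replaced.
function withRoles(acls, name, roles) {
  return acls.map(a => (a.name === name ? { ...a, roles } : a));
}

const query = 'active=true^locked_out=false^nameLIKEjoe'; // constructed query
console.log(blockedFields(sampleAcls, 'sys_user', query, []));            // before the change
const option1 = withRoles(sampleAcls, 'sys_user.locked_out', ['admin', 'example_role']);
console.log(blockedFields(option1, 'sys_user', query, ['example_role'])); // role added to ACL
const option2 = withRoles(sampleAcls, 'sys_user.locked_out', []);
console.log(blockedFields(option2, 'sys_user', query, []));               // roles removed
```

Feeding it an export of your own read ACLs on sys_user, in place of the constructed sample, shows which fields in a given query need attention for a given set of roles.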
For more information, see the product documentation topic Access control list rules.
Related Problem: PRB1156612