
Description

Symptoms

Non-admin users can use the "impersonate" functionality, but they cannot see any users in the user drop-down list.

Release

Any release.

Cause

This issue is caused by orphaned "sys_user_has_role" records such as "[user: null; role: admin]".

Resolution

Troubleshooting steps:

1. Log in as admin.

2. Navigate to the "/impersonate_dialog.do" page.

3. Click the user lookup to search users.

4. Copy the URL.

5. Log in as a non-admin user.

6. Repeat steps 2 to 4 to get the URL.

admin user:

https://<instance_name>.service-now.com/sys_user_list.do?sysparm_target=QUERY:active%3Dtrue%5Elocked_out%3Dfalse%5Eweb_service_access_only%3Dfalse%5EORweb_service_access_onlyISEMPTY&sysparm_target_value=&sysparm_reference_value=&sysparm_nameofstack=reflist&sysparm_clear_stack=true&sysparm_element=not&sysparm_reference=sys_user&sysparm_view=sys_ref_list&sysparm_additional_qual=&sysparm_domain_restore=false

non-admin user:

https://<instance_name>.service-now.com/sys_user_list.do?sysparm_target=QUERY:active%3Dtrue%5Elocked_out%3Dfalse%5Eweb_service_access_only%3Dfalse%5EORweb_service_access_onlyISEMPTY%5Eroles!%3Dadmin&sysparm_target_value=&sysparm_reference_value=&sysparm_nameofstack=reflist&sysparm_clear_stack=true&sysparm_element=not&sysparm_reference=sys_user&sysparm_view=sys_ref_list&sysparm_additional_qual=&sysparm_domain_restore=false

7. Compare the differences between the two URLs.

The URL for the non-admin user contains an extra query condition, "roles!=admin".

8. Log in as admin.

9. Navigate to 'sys_user.list'.

10. Add "roles!=admin" to the list condition builder.

11. The query result is empty.

12. Enable session SQL debug.

13. Query again and get SQL from session logs.

14. The system uses SQL like "select *** from sys_user where sys_id not in (select user from sys_user_has_role where role='sys_id_of_admin')".

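15. Because of the orphaned "sys_user_has_role" records like "[user: null; role: admin]", the subquery returns a null user and the condition becomes "not in (null)". A NOT IN comparison against a set that contains NULL never evaluates to true, so no rows are returned.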

16. The issue is fixed after deleting these orphaned records.
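The behaviour in steps 14 to 16 can be reproduced outside the platform. The following is an added example, not ServiceNow code: it uses Python's sqlite3 with constructed miniature copies of the two tables (the user names and the "role_admin" sys_id are stand-ins) to show the NOT IN query returning nothing while an orphaned record exists, and returning the expected users once the orphan is deleted.

```python
import sqlite3

ADMIN_ROLE = "role_admin"  # constructed stand-in for the admin role's sys_id


def build_db(with_orphan):
    """Create constructed miniature sys_user / sys_user_has_role tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sys_user (sys_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE sys_user_has_role (user TEXT, role TEXT);
        INSERT INTO sys_user VALUES ('u1','alice'), ('u2','bob'), ('u3','carol');
        INSERT INTO sys_user_has_role VALUES ('u1','role_admin'), ('u2','role_itil');
    """)
    if with_orphan:
        # Orphaned record as described in the article: [user: null; role: admin]
        db.execute("INSERT INTO sys_user_has_role VALUES (NULL, ?)", (ADMIN_ROLE,))
    return db


def non_admins(db):
    """Run a query of the same shape as the SQL shown in step 14."""
    rows = db.execute(
        "SELECT name FROM sys_user WHERE sys_id NOT IN "
        "(SELECT user FROM sys_user_has_role WHERE role = ?) ORDER BY name",
        (ADMIN_ROLE,))
    return [r[0] for r in rows]


def orphaned_rows(db):
    """Count role assignments whose user reference is NULL."""
    return db.execute(
        "SELECT COUNT(*) FROM sys_user_has_role WHERE user IS NULL").fetchone()[0]


def delete_orphans(db):
    """Delete the orphaned assignments (step 16); return how many were removed."""
    return db.execute("DELETE FROM sys_user_has_role WHERE user IS NULL").rowcount


if __name__ == "__main__":
    db = build_db(with_orphan=True)
    print("with orphan:   ", non_admins(db))      # NOT IN (..., NULL) matches nothing
    print("orphaned rows: ", orphaned_rows(db))
    delete_orphans(db)
    print("after cleanup: ", non_admins(db))
```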

Article Information

Last Updated: 2020-06-14 18:26:57
Published: 2020-06-15