The Zurich release has arrived! Interested in new features and functionalities? Click here for more

HRSD - Security Data Filter VS CoE Security Policies

Filipe Cruz
Kilo Sage
Kilo Sage

9 hours ago

Hello all!
I would like to have your opinion in a topic related with restricting/securing access to the HR Cases.

At the moment we manage the case visibility at agent level based on a Before Query Business Rule: the BR adds to the encoded query a dynamic filtering based on the assignment group and based on a custom field that aggregates watch list, subject person, opened for, opened by.

We want to get rid of this setup since it is not good enough to scale and to provide the performance quality we are trying to aim.

Two options came to the top of the table:
- CoE Security Policies (ACL based)
- Security Data Filter (SDF)

I have pros and cons for both solutions, I will try to explain here my point of view.

- With SDF, we filter the record set based on specific conditions, so we only get from the database what we want. Challenge here is related with all additional conditions that are attached to the WHERE clause of the select statements when an HR agent is doing a specific filtering in Agent Workspace (by using a list). Will that query use the correct indexes? Is the query using Union Replacements? What if a different query pattern is detected?

- With CoE Security Policies, the system basically retrieves the cases according to the list view filters and the, at the application layer, checks the ACLs for the different access rights (CRUD). But here, the same query executed with SDF will be executed with CoE SP, since we want to prevent the agent to see the "X amount of records hidden to security constraints". So agents should only see the list of cases that corresponds to the SDF filtering conditions (that are the same conditions we are using today in the before query BR).

So, in both cases, we need to perform filtering at the database level (being that the filter in the SDF or the filter in the lists the agent is using). ACLs should also be in place to make sure the agent only sees what he/she is meant to see.

Considering the vectors of security, upgradability, performance, manageability and user experience, what is your recommendation to solve this challenge? And why?

I'm looking forward to get your feedback on this topic!

Best Regards,

Filipe

Labels:
0 Helpfuls
  • 22 Views
0 REPLIES 0