
Mr world wide
Mega Guru

I want to share my experience with HR > COE Security Policies.

When we implement COE Security Policies, the access restriction works fine, but there is an issue with the user experience.

find_real_file.png

The user is not able to see the records and gets an ACL message like the one in the screenshot above. The user has to navigate to the next page to view the records, which is the worst experience.

 

Most of us know we can fix this issue by adding a query business rule.

If we have Query business rules in place, what is the point of having COE Security Policies?

Anyway, I just want to share my query business rule for COE Security Policies; it can help someone.

Step 1:

Create a business rule:

find_real_file.png

 

Step 2:

Add the following script:

(function executeRule(current, previous /*null when async*/) {

	var sysAdmin = gs.getUser().hasRole('admin');
	var hrBasic  = gs.getUser().hasRole('sn_hr_core.basic');
	var hrAdmin  = gs.getUser().hasRole('sn_hr_core.admin');

	/* Get the logged-in user's COE groups */
	var userCOEGroups = [];
	var grSnHrCoreM2mSecurityPolicyGroup = new GlideRecord('sn_hr_core_m2m_security_policy_group');
	grSnHrCoreM2mSecurityPolicyGroup.addEncodedQuery("groupDYNAMICd6435e965f510100a9ad2572f2b47744");
	grSnHrCoreM2mSecurityPolicyGroup.query();
	while (grSnHrCoreM2mSecurityPolicyGroup.next()) {
		userCOEGroups.push({
			'sys_id': grSnHrCoreM2mSecurityPolicyGroup.getUniqueValue(),
			'group': grSnHrCoreM2mSecurityPolicyGroup.getValue('group'),
			'group_name': grSnHrCoreM2mSecurityPolicyGroup.getDisplayValue('group'),
			'security_policy': grSnHrCoreM2mSecurityPolicyGroup.getValue('security_policy'),
			'security_policy_name': grSnHrCoreM2mSecurityPolicyGroup.getDisplayValue('security_policy')
		});
	}

	// gs.addInfoMessage(JSON.stringify(userCOEGroups));

	/* Build the encoded query parts */
	var userTaskType = '';	// policy names joined with '^ORsys_class_name='
	var userCOEs = '';		// comma-separated COE values for the IN condition
	if (userCOEGroups) {
		if (userCOEGroups.length) {
			// 'var i' keeps the loop counter local to this function
			for (var i = 0; i < userCOEGroups.length; i++) {
				// gs.addInfoMessage(i + '----i---and length---' + userCOEGroups.length);
				// CustomSciptIncludeUtils is a custom script include that is not shown in this post
				if (i == userCOEGroups.length - 1) { // Last record: no trailing separator
					userCOEs += new sn_hr_core.CustomSciptIncludeUtils().getCOEbyAssignmentGroup(userCOEGroups[i].group);
					userTaskType += userCOEGroups[i].security_policy_name;
				} else {
					userCOEs += new sn_hr_core.CustomSciptIncludeUtils().getCOEbyAssignmentGroup(userCOEGroups[i].group) + ',';
					userTaskType += userCOEGroups[i].security_policy_name + '^ORsys_class_name=';
				}
			}
		}
	}

	// gs.addInfoMessage(userCOEs);

	// Restrict the query only for users with sn_hr_core.basic who are neither HR admin nor admin
	if (hrBasic && !hrAdmin && !sysAdmin) {
		current.addEncodedQuery('assignment_groupDYNAMICd6435e965f510100a9ad2572f2b47744^u_hr_coeIN' + userCOEs + "^sys_class_name=" + userTaskType + "^NQwatch_listDYNAMIC90d1921e5f510100a9ad2572f2b477fe");
	}

})(current, previous);
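
The filter string that the script above assembles, as an added example that is not part of the original post: a plain JavaScript function that runs outside ServiceNow, builds the same encoded query from constructed rows, drops values containing the `^` or `,` separators, and handles a user with no policy groups explicitly. The function names, the row shape, the sample values and the watch-list-only fallback are assumptions.

```javascript
// Added example: pure functions, runnable in Node, no ServiceNow APIs.
// The two DYNAMIC filter sys_ids are copied from the script above.
var DYN_GROUP_FILTER = 'd6435e965f510100a9ad2572f2b47744';
var DYN_WATCH_FILTER = '90d1921e5f510100a9ad2572f2b477fe';

// Keep a value only if it cannot alter the query structure:
// '^' separates conditions and ',' separates IN-list items.
function safeTokens(values, pattern) {
    var seen = {};
    return values.filter(function (v) {
        if (typeof v !== 'string' || !pattern.test(v) || seen[v]) {
            return false;
        }
        seen[v] = true;
        return true;
    });
}

// rows: [{ coe: <u_hr_coe value>, className: <table name> }, ...] (assumed shape)
function buildCoeQuery(rows) {
    var watchList = 'watch_listDYNAMIC' + DYN_WATCH_FILTER;
    var coes = safeTokens(rows.map(function (r) { return r.coe; }), /^[^\^,]+$/);
    var classes = safeTokens(rows.map(function (r) { return r.className; }), /^[a-z0-9_]+$/);

    // No usable policy rows: do not emit "u_hr_coeIN^sys_class_name=".
    // Fall back to the watch-list branch only (assumed fail-closed choice).
    if (coes.length === 0 || classes.length === 0) {
        return watchList;
    }
    return 'assignment_groupDYNAMIC' + DYN_GROUP_FILTER +
        '^u_hr_coeIN' + coes.join(',') +
        '^sys_class_name=' + classes.join('^ORsys_class_name=') +
        '^NQ' + watchList;
}

// Constructed sample rows; the COE values and table names are illustrative.
var SAMPLE = [
    { coe: 'payroll', className: 'sn_hr_core_case_payroll' },
    { coe: 'benefits', className: 'sn_hr_core_case_benefits' },
    { coe: 'payroll', className: 'sn_hr_core_case_payroll' },   // duplicate, dropped
    { coe: 'x^ORactive=true', className: 'bad^NQactive=true' }  // separators, rejected
];
console.log(buildCoeQuery(SAMPLE));
console.log(buildCoeQuery([]));
```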

 

 

 

Comments
Venkat122
Kilo Guru

Hi @Mr world wide ,

Thank you very much for sharing this. But I have a question: how are you updating the custom field u_hr_coe on the case record?

SHUBHAM singh c
Tera Explorer

Please share the script include that you are using as well.

 

nagydanR
Tera Contributor

Create a simple Before Query Business Rule on the HR Case table. Add this to the Script part:

 

(function executeRule(current, previous /*null when async*/ ) {

var CurrUser = gs.getUserID();
var passedPolicy = new sn_hr_core.hr_SecurityUtils().getCoeSecurityPolicy(current, sn_hr_core.hr_SecurityUtils.READ, CurrUser);
gs.info("passedPolicy: " + passedPolicy);
gs.addErrorMessage("You are blocked by a COE!");

})(current, previous);

 

Like this post, if it has worked out for you 🙂

Version history
Last update:
‎12-21-2020 01:16 AM