Cannot insert record in sys_user_grmember when impersonating a user group

davilu · ‎09-21-2022

Our team created a user group called HR Specialists that have the following roles:

sn_hr_core.user_admin_lite
sn_hr_core.basic
approver_user
sn_hr_sp.hrsp_employee
sn_hr_core.hrsm_employee

We also have a Business rule that triggers AFTER insert on the HR Profile table that looks like this:

(function executeRule(current, previous /*null when async*/) {

	// Add your code here
	var user = current.user;
	var member = new GlideRecord('sys_user_grmember');
	member.initialize();
	member.user = user;
	member.group = 'e83e6990ed99001085fd8da09bd82d4f';
	member.insert();
	gs.addErrorMessage(member.group);
	gs.addErrorMessage(member.user);
})(current, previous);

This works perfectly fine when we create a new HR Profile as an Admin, however when we impersonate a HR Specialist, it refuses to insert into the sys_user_grmember table. The Business Rules trigger because the error messages show, but there seems to be something blocking HR Specialists from being to add to that table. Any suggestions?

Uncle Rob · ‎09-21-2022

Guessing its because the HR Specialists don't have access to create group memberships.

You can test this by impersonating an HR Specialist, going to the group from manually, then trying to add a user via the related list.

I believe the OOB role that allows this is user_admin.

davilu · ‎09-21-2022

Thanks @Robert Fedoruk ! You are right, when impersonating an HR Specialist, the "New" button is not available for them on sys_user_grmember. Is there a way around this besides providing user_admin to HR Specialists? We tried adding a "create" ACL on the sys_user_grmember table for role sn_hr_core.user_admin_lite, but doesn't seem to work. Thanks for your help.