Allow HR Agents to see some HR Case Fields when they don't pass the COE policies

ErinF
Tera Expert

HR Agents can only see HR Cases when they meet the COE Security Policies (or pass the employee checks). I have a requirement to allow HR Agents to see a limited number of fields (number, opened for, assignment group) for all HR Cases, but only see the full case details if they pass the COE policies. 

 

Any creative ideas on how to meet this requirement? Any concerns/considerations that I should be thinking about? 

 

Thanks for any thoughts! 


Max Dore
ServiceNow Employee

Security is set so that ACL is evaluated first, then COE Security Policies are applied. As a result, if an ACL results in an agent not being allowed to see a case, it doesn't matter what a COE security policy dictates. Therefore, the security evaluation needs to be done first in ACLs.

Thanks Max. The situation I am running into is that I have ACLs set up where agents can see a case, but then the COE security is blocking them. I want all HR Agents to see 4 HR Case fields across all COEs, but then be able to see the remaining fields if they pass the COE policy. But it doesn't seem possible based on what you described. If they are blocked by a COE policy, there is no way to override that for certain basic fields? 

Max Dore
ServiceNow Employee

COE Security Policies only dictate the Read capabilities of an entire row (record) within a table, not the individual fields. To specify what fields a User can Read, you'd do that in ACLs. 

So you could leave the row level ACLs out of the box, specify who can/can't see the fields in ACLs, and use COE Security Policies to dictate who can Read the records. That way, if a user can see the case (evaluated by COE Security Policy), they can see only the fields the ACLs allow. 

FYI Starting in Vancouver, you can apply the parent COE security policy to its child COEs so that yo...
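
The layering described in this thread, as an added example that is not part of the original posts and is not ServiceNow code: a plain JavaScript model of row ACL, then COE security policy on the whole row, then field ACLs. The role names (`hr_agent`, `hr_case_detail`), COE names, field names and sample cases are assumptions constructed for illustration.

```javascript
// Simplified model of the read checks described in the thread; not a ServiceNow API.
// Roles, COEs, field names and sample records below are constructed.
const BASIC_FIELDS = ['number', 'opened_for', 'assignment_group'];

// Row-level ACL: any HR agent may read HR case rows.
const rowAcl = (user) => user.roles.includes('hr_agent');

// COE security policy: grants or denies the whole row, never single fields.
const coePolicy = (user, rec) => user.coes.includes(rec.coe);

// Field-level ACL: basic fields for every agent, the rest need an extra role.
const fieldAcl = (user, field) =>
  BASIC_FIELDS.includes(field) || user.roles.includes('hr_case_detail');

// Returns the fields the user can read, or null when the row itself is hidden.
function readCase(user, rec) {
  if (!rowAcl(user)) return null;          // ACLs are evaluated first
  if (!coePolicy(user, rec)) return null;  // then the COE policy, on the entire row
  const visible = {};
  for (const [field, value] of Object.entries(rec.fields)) {
    if (fieldAcl(user, field)) visible[field] = value;
  }
  return visible;
}

const payrollCase = { coe: 'payroll', fields: {
  number: 'HRC0000001', opened_for: 'alice', assignment_group: 'Payroll',
  short_description: 'Pay query' } };
const erCase = { coe: 'employee_relations', fields: {
  number: 'HRC0000002', opened_for: 'bob', assignment_group: 'ER',
  short_description: 'Complaint' } };

const basicAgent = { roles: ['hr_agent'], coes: ['payroll'] };
const detailAgent = { roles: ['hr_agent', 'hr_case_detail'], coes: ['payroll'] };

// Row passes the COE policy: field ACLs decide what is shown.
console.log(readCase(basicAgent, payrollCase));
console.log(readCase(detailAgent, payrollCase));
// Row fails the COE policy: field ACLs are never reached, so no fields are shown.
console.log(readCase(detailAgent, erCase));
```

In this model a field ACL can only narrow what is shown on a row that the COE policy already allows; it cannot expose the basic fields of a row the policy blocks.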