Anonymous reporting center

RosemaryHealy
Tera Contributor

‎04-18-2025 03:59 PM

Hello,

We recently installed Anonymous Report Center and are trying to build out the OOTB record producer and Hr service.  I am having trouble finding the correct role to assign my HR agents so they can see the cases that are created from the ARC - when I set up an HR group with all the sn_hr_er_case roles - they are still encountering "security restraints" when trying to open cases in the Agent Workspace.

I can get the case to assign to the correct group, but when I impersonate the user and try to open the case, the following error pops up.  I assume it is a role/ACL issue but I cannot find any information about how to set up agents to work on ARC cases.  Any help appreciated.

RosemaryHealy_0-1745017047166.png

 

0 Helpfuls
  • 504 Views
1 REPLY 1

MC30
Tera Guru

‎04-20-2025 10:31 PM

Hi Rosemary,

 

"Security constraints prevent access to requested page” in Agent Workspace confirms that the issue lies in Declarative Action Security (DAS) or Workspace View ACLs, specifically for ARC cases (sn_hr_arc_report table).

 

Step 1: Assign the Correct Roles
You mentioned assigning sn_hr_er_case.* roles — but ARC uses a different table, so it needs ARC-specific roles.
Assign these roles to your HR agent group or individual agents:

Role NameDescription
sn_hr_arc.agentAllows working on ARC cases
sn_hr_arc.readerGrants read access to ARC cases
sn_hr_core.case_readerRequired for Workspace case viewing

 

Step 2: Check Workspace Security Policies (MOST IMPORTANT)
Agent Workspace uses Workspace Security Policies that work like ACLs, but only for Workspace.
To view and update these:
1 Go to Now Experience Framework > Security Policies
2 Filter:
◦ Table: sn_hr_arc_report
◦ Experience: Agent Workspace
3 Look for a policy like:
◦ View Record
◦ Open Record
4 Open the record and check these fields:
◦ Applies to role: Make sure your HR agents' role (e.g., sn_hr_arc.agent) is listed
◦ Condition: Review if there’s a script or condition blocking access
If no policy exists for sn_hr_arc_report:
You’ll need to create one:

New Security policy example:

 

FieldValue
NameARC Case View
Tablesn_hr_arc_report
ExperienceAgent Workspace
Action

View Record

Applies to Roles

sn_hr_arc.agent

 

Step 3: Test With Debugging Enabled
If you're still stuck, you can use a special debug mode in Workspace to see exactly what security policy is blockingaccess.
Steps:
1 Log in as the HR agent
2 Open Agent Workspace
3 In a new browser tab, paste this: USE THIS IN LOWER INSTANCE NOT IN PRODUCTION

https://<your-instance>.service-now.com/$workspace-catalog.debug=true

 4. Go back to workspace and open the ARC case

5. You will see console logs like this:

[DeclarativeSecurity] View Record denied: missing role sn_hr_arc.reader

This tells you exactly what's the missing (role, condition, or policy)

 

Step 4: Verify ACLs (for classic UI access)
While Workspace mostly uses Security Policies, it may fall back to ACLs in some cases.
1 Go to System Security > Access Control (ACL)
2 Filter by Table: sn_hr_arc_report
3 Check any read, write, or view ACLs
4 Ensure your agents’ roles (especially sn_hr_arc.agent) are listed

Step 5: Check the Agent’s Group Access
Sometimes, agents belong to the correct group, but group access to the case is restricted:
• Open an ARC case record
• Check:
◦ Assignment group field
◦ Can read, Can edit related list (if any)
• Ensure the HR agent’s group is:
◦ Assigned to the case
◦ Has permission to read or edit the record

 

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Madhuri

 

0 Helpfuls