COE policy

GhitaB · ‎04-14-2025

Can COE Security Policy Prevent a User from Seeing or Acting on an HR Case, Even with Correct Roles and Group Membership?

Hi everyone,

I'm troubleshooting an issue in my ServiceNow HRSD environment where a user cannot view or take action on HR Payroll cases although everything seems fine at first glance.

Here’s the situation:

The user has the appropriate HR roles (like sn_hr_core.case_reader).
The user is also part of the Assignment Group on the case.
However, the user cannot see the case or receive any notifications related to it.

My question is:
👉 Could this COE Security Policy difference be the reason why the user is unable to see or act on HR cases cause his group is not part of this coe policy — even though they have the right roles and are part of the Assignment Group?

Any confirmation or additional insights on how COE Security interacts with roles/groups would be greatly appreciated!

Laszlo Balla · ‎04-14-2025

That is absolutely a possible reason, in fact, the whole point of having the CoE Security Policies in place is to manage read/write access on a COE or HR Service level.

Take a look into the out of the box read or write ACL scripts on the sn_hr_core_case table - the underlying script includes are actually checking whether the user has a matching CoE Security Policy, and if not, they would already fail the ACL evaluation on the table level.

View solution in original post

Sandeep Rajput · ‎04-14-2025

@GhitaB If the Assignment group is not part of COE security policy then the user who is member of the assignment group having the sn_hr_core.case_reader will not be able to access the case data. Add the group in the COE policy and the case will be visible to the user.

View solution in original post

Laszlo Balla · ‎04-14-2025

That is absolutely a possible reason, in fact, the whole point of having the CoE Security Policies in place is to manage read/write access on a COE or HR Service level.

Take a look into the out of the box read or write ACL scripts on the sn_hr_core_case table - the underlying script includes are actually checking whether the user has a matching CoE Security Policy, and if not, they would already fail the ACL evaluation on the table level.

Sandeep Rajput · ‎04-14-2025

@GhitaB If the Assignment group is not part of COE security policy then the user who is member of the assignment group having the sn_hr_core.case_reader will not be able to access the case data. Add the group in the COE policy and the case will be visible to the user.

GhitaB · ‎04-14-2025

there s also something that i ve noticed is sometimes the assignment group is part of the COE security policy but the assigned to is not part of that assignment group he s only grouo member of two groups and none of them is part of COE security policy

Sandeep Rajput · ‎04-14-2025

@GhitaB Again even in this case they will not have access to the case as the user is not part of assignment group added on the COE security policy. It doesn't matter if the user is part of two other assignment groups or if they have sn_hr_core.case_reader role.

In order for the COE security policy to work.

1. User should be a part of Assignment group added on the COE Security policy

2. User should have sn_hr_core.case_reader role (to read the case)

Hope this clarifies the confusion