COE Security Policies not working - Only show to assigned user, in particular group

Go to solution
jcmings
Mega Sage

‎12-01-2023 09:57 AM - edited ‎12-01-2023 09:57 AM

I'm trying to set up a COE security policy such that a case is only visible to the Assigned To member of the assignment group.

 

To do this, I have entered my COE, applied the policy to a specific service, and applied the specific group to the Group condition. However, if I add a condition Assigned to | is (dynamic) | Me, users who are not the assigned to user can still see the case. Further, users who are NOT in the group specified can still view the case.

 

How would one accomplish locking down a specific case to only the assigned user? (Watch list, collaborators, etc, can be ignored from this question.)

 

0 Helpfuls
  • 1,453 Views
1 ACCEPTED SOLUTION

Go to solution
jcmings
Mega Sage

‎12-01-2023 12:29 PM - edited ‎12-01-2023 01:04 PM

Hello future readers, 

 

I am back with the answer to my own question. I don't think it is possible to limit cases to the Assigned To user only via COE policies. Here's why:

 

Imagine you create a COE security policy for...

  • HR Service = Visa Transfer,
  • Condition = Priority 5,
  • Type = Read,
  • Group = Tier 1

 

Because of the condition, this will allow the Tier 1 group, and the Tier 1 group alone, to read Priority 5 cases. If the condition were gone, only the Tier 1 group would see any cases of this HR Service. But because the condition is there, other groups can see non P5 cases.

 

If we apply this same logic to the Assigned To user condition, it makes sense why users in other groups can still see cases of the same HR Service. For example, a case Assigned To jc21 is only visible to Tier 1, but all cases not assigned to jc21 are visible. If we want to restrict all cases of the HR Service to only a particular group, we need to remove all conditions. The key point here is that the COE Security Policy evaluates the conditions of the HR Case on a case-by-case basis. If there's no conditions, it's all-encompassing. 

 

All that said... it sounds like you'll have to use a combo of COE Security Policies and ACLs to truly lock down a HR Service to both a group and an assigned user. 

View solution in original post

1 REPLY 1

Go to solution
jcmings
Mega Sage

‎12-01-2023 12:29 PM - edited ‎12-01-2023 01:04 PM

Hello future readers, 

 

I am back with the answer to my own question. I don't think it is possible to limit cases to the Assigned To user only via COE policies. Here's why:

 

Imagine you create a COE security policy for...

  • HR Service = Visa Transfer,
  • Condition = Priority 5,
  • Type = Read,
  • Group = Tier 1

 

Because of the condition, this will allow the Tier 1 group, and the Tier 1 group alone, to read Priority 5 cases. If the condition were gone, only the Tier 1 group would see any cases of this HR Service. But because the condition is there, other groups can see non P5 cases.

 

If we apply this same logic to the Assigned To user condition, it makes sense why users in other groups can still see cases of the same HR Service. For example, a case Assigned To jc21 is only visible to Tier 1, but all cases not assigned to jc21 are visible. If we want to restrict all cases of the HR Service to only a particular group, we need to remove all conditions. The key point here is that the COE Security Policy evaluates the conditions of the HR Case on a case-by-case basis. If there's no conditions, it's all-encompassing. 

 

All that said... it sounds like you'll have to use a combo of COE Security Policies and ACLs to truly lock down a HR Service to both a group and an assigned user.