07-02-2024 06:45 PM - edited 07-02-2024 06:47 PM
Hey SN Community!
Is it possible to restrict case access for HR Agents based on their assignment group using a COE Security Policy?
For example: Person A is a part of HR Tier 1. There are currently 4 HR Benefits Cases. One is assigned to HR Tier 1, so Person A should only be able to view that 1 case out of the 4 available.
I've attempted to create a policy for our Benefits table, applicable to all services, and applies when condition - Assignment group is (dynamic) | One of my groups. I've attempted listing all our assignment groups and then again limiting it to a few. Either way, all cases are viewable to everyone. Once I remove the Applies when condition, the COE Security Policy works and restricts access to those outside of the listed groups. Is it possible I'm using this Applies when condition incorrectly? Is it limited to certain uses? Is anyone able to share examples of COE Security policies they've created?
Test Profile is not part of any of the listed groups but is still able to see Benefits cases.
Appreciate any feedback and tips!
07-18-2024 02:28 PM
Hey Michael,
I tested this in both our dev environment and my PDI. Now my test profile sees no cases unless it's the opened for, opened by, or subject person listed.

07-19-2024 07:30 AM
@Yessi In my Washington P4 fresh OOTB instance I am able to achieve the desired functionality by just creating one COE policy to restrict for all cases and creating one COE policy for all cases that has a dynamic condition of "One of my Groups". Has your hr_SecurityUtils script include been modified?
Regards,
Mike
07-19-2024 12:52 PM
@michaelj_sherid We're operating on Washington DC P4 HF1. Below is the hr_SecurityUtils, which seems to match my PDI as well. I can see both snc_internal & snc_external within our dev instance. However, I can't see it within my PDI.
I'm able to create the below COE Security Policy and limit a table to only certain groups within our dev instance and my PDI, however, I'd ideally prefer to create the policy indicating Assignment Group is (dynamic) one of my groups. So an HR Agent can only see cases assigned to groups they're a member of.
I really appreciate you taking the time out to help me figure this out.
var hr_SecurityUtils = Class.create();
hr_SecurityUtils.READ = 'read';
hr_SecurityUtils.WRITE = 'write';
hr_SecurityUtils.prototype = {
    initialize: function() {
    },

    /* Evaluate the security policies for a given COE
     * @param GlideRecord caseGr The case record
     * @param String operation "read" or "write"
     * @param String userId Optional sys_id of the user to evaluate; when empty, the current user is used
     * @return Boolean Whether the current user passes the security policy or not
     */
    getCoeSecurityPolicy: function(caseGr, operation, userId) {
        var tableName = caseGr.sys_class_name || caseGr.getTableName(); // initialize with extending table name if exists
        var tableHierarchy = new GlideTableHierarchy(tableName);
        // parent hierarchy is list of parent tables of this table which is (getHierarchy - getAllExtensions)
        var allExtensions = tableHierarchy.getAllExtensions();
        var parentHierarchy = tableHierarchy.getHierarchy().filter(function(table) {
            return allExtensions.indexOf(table) === -1;
        });
        // Query to get policies of parent tables if the applies_child_coe is true OR policies where coe is current table
        var coeQuery = "applies_to_all_child_coes=true^coeIN" + parentHierarchy + "^NQcoe=" + tableName;
        var operationQuery = "type=" + operation;

        // Handle invalid input
        if ((operation !== hr_SecurityUtils.READ && operation !== hr_SecurityUtils.WRITE) || !tableName)
            return false;
        // A write policy also governs read access
        if (operation == hr_SecurityUtils.READ)
            operationQuery = "type=" + hr_SecurityUtils.READ + "^ORtype=" + hr_SecurityUtils.WRITE;

        var grPolicy = new GlideRecord('sn_hr_core_coe_security_policy');
        grPolicy.addEncodedQuery(coeQuery);
        grPolicy.addEncodedQuery(operationQuery);
        grPolicy.addActiveQuery();
        grPolicy.query();
        // No active policy for this COE at all: access is not restricted
        if (!grPolicy.hasNext())
            return true;

        var policyFound = false;
        while (grPolicy.next()) {
            // Skip policies scoped to services that do not include this case's HR service
            var allServices = grPolicy.all_services;
            if (!allServices) {
                var services = grPolicy.getValue('services');
                if (services.indexOf(caseGr.getValue('hr_service')) < 0)
                    continue;
            }
            // Skip policies whose "Applies when" condition does not match this case
            var filterCondition = !grPolicy.getValue('applies_when') || GlideFilter.checkRecord(caseGr, grPolicy.getValue('applies_when'), true);
            if (!filterCondition)
                continue;
            policyFound = true;
            // Any applicable policy whose group list contains one of the user's groups grants access
            if (this._evaluateRule(grPolicy, userId))
                return true;
        }
        // Restricted only if at least one policy applied to this case and none of them passed
        return !policyFound;
    },

    /* Check whether the user is a member of any group listed on the policy
     * @param GlideRecord grPolicy The COE security policy record
     * @param String userId Optional sys_id of the user; when empty, the current user is used
     * @return Boolean Whether the user is in at least one of the policy's groups
     */
    _evaluateRule: function(grPolicy, userId) {
        var userObj = gs.getUser();
        var groupsGr = new GlideRecord('sn_hr_core_m2m_security_policy_group');
        groupsGr.addQuery('security_policy', grPolicy.getUniqueValue());
        groupsGr.query();
        var groups = [];
        while (groupsGr.next()) {
            // By sys_id when checking a specific user, by name when checking the current user
            if (userId)
                groups.push(groupsGr.group.toString());
            else
                groups.push(groupsGr.group.name.toString());
        }
        var groupUtil = new global.HRSecurityUtils();
        var passedGroups = false;
        for (var i = 0; i < groups.length; ++i) {
            if (userId) {
                if (groupUtil.isMemberOfGroup(userId, groups[i])) {
                    passedGroups = true;
                    break;
                }
            } else if (userObj.isMemberOf(groups[i])) {
                passedGroups = true;
                break;
            }
        }
        return passedGroups;
    },

    type: 'hr_SecurityUtils'
};

07-19-2024 01:06 PM
@Yessi Here is my configuration. I will have to test your use case based on your configuration (images you sent), but here you have to restrict all cases in order to use your second COE policy that states the allow. In my example I am restricting all COEs so that only those who are in the assignment groups of the case are able to see them.
Blocking all cases
Allowing any case assigned to one of my groups
Regards,
Mike
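To see why a single "Applies when" policy leaves every case visible, and why the block-then-allow pair in Mike's answer works, here is an added plain-JavaScript model of the decision logic in the hr_SecurityUtils script posted above. It is example code, not ServiceNow's or the thread's: the Glide APIs are replaced by object fields, the services and read/write filtering are left out, and the group names, case numbers and the empty group list on the blocking policy are constructed assumptions.

```javascript
// Plain-JS model of the decision logic in hr_SecurityUtils.getCoeSecurityPolicy.
// Added example, not ServiceNow code: Glide calls become object fields, and the
// "services" and read/write filtering of the real script are left out.
// policy.appliesWhen: function(caseRec, userGroups) -> bool, or null for "always".
// policy.groups: groups listed on the policy; the viewer must be in one to pass.
var HR_GROUPS = ['HR Tier 1', 'HR Tier 2', 'HR Benefits']; // constructed names

function canRead(policies, caseRec, userGroups) {
  var policyFound = false;
  for (var i = 0; i < policies.length; i++) {
    var p = policies[i];
    // Same role as GlideFilter.checkRecord on applies_when: skip non-matching policies.
    if (p.appliesWhen && !p.appliesWhen(caseRec, userGroups)) continue;
    policyFound = true;
    for (var j = 0; j < p.groups.length; j++) {
      if (userGroups.indexOf(p.groups[j]) !== -1) return true; // _evaluateRule passed
    }
  }
  // Mirrors "return !policyFound": a record that no policy applies to is NOT restricted.
  return !policyFound;
}

// "Assignment group is (dynamic) One of my groups", evaluated against the viewer.
function oneOfMyGroups(caseRec, userGroups) {
  return userGroups.indexOf(caseRec.assignmentGroup) !== -1;
}

// Constructed sample cases: the four Benefits cases from the question, by group.
var CASES = [
  { number: 'HRC0001', assignmentGroup: 'HR Tier 1' },
  { number: 'HRC0002', assignmentGroup: 'HR Tier 2' },
  { number: 'HRC0003', assignmentGroup: 'HR Benefits' },
  { number: 'HRC0004', assignmentGroup: 'HR Tier 1' }
];

function visibleCases(policies, userGroups) {
  return CASES.filter(function (c) { return canRead(policies, c, userGroups); })
              .map(function (c) { return c.number; });
}

// Attempt 1 (the question): one policy with the "One of my groups" condition only.
// Cases outside the viewer's groups match no policy, so they stay visible to everyone.
var ONLY_ALLOW = [{ appliesWhen: oneOfMyGroups, groups: HR_GROUPS }];

// Attempt 2 (the accepted answer): block all cases, then allow "One of my groups".
// Assumed here: the blocking policy lists no groups, so it applies to every case
// but grants access to nobody; only the allow policy can then return true.
var BLOCK_THEN_ALLOW = [
  { appliesWhen: null, groups: [] },
  { appliesWhen: oneOfMyGroups, groups: HR_GROUPS }
];
```

With ONLY_ALLOW, a viewer in HR Tier 1 (or in no HR group at all) sees all four cases, which matches the behaviour reported in the question; with BLOCK_THEN_ALLOW the same Tier 1 viewer sees only HRC0001 and HRC0004, and a viewer in no group sees nothing.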
07-19-2024 01:09 PM
@michaelj_sherid I'll try the above in both my instances to see if this works on my end. Really appreciate your time!