COE Security Policy to restrict access to cases based on Assignment Group

Yessi
Tera Contributor

Hey SN Community! 

Is it possible to restrict case access for HR Agents based on their assignment group using a COE Security Policy?

For example: Person A is a part of HR Tier 1. There are currently 4 HR Benefits Cases. One is assigned to HR Tier 1, so Person A should only be able to view that 1 case out of the 4 available.

I've attempted to create a policy for our Benefits table, applicable to all services, and applies when condition - Assignment group is (dynamic) | One of my groups. I've attempted listing all our assignment groups and then again limiting it to a few. Either way all cases are viewable to everyone. Once I remove the Applies when condition, the COE Security Policy works and restricts access to those outside of the listed groups. Is it possible I'm using this Applies when condition incorrectly? Is it limited to certain use? Is anyone able to share examples of COE Security policies they've created?

 

Yessi_0-1719969504589.png

Test Profile is not part of any of the listed groups but is still able to see Benefits cases.

Yessi_1-1719970201718.png

Appreciate any feedback and tips!

1 ACCEPTED SOLUTION

@Yessi Here is my configuration. I will have to test your use case based on your configuration (images you sent), but here you have to restrict all cases in order to use your second COE policy that states the allow. In my example I am restricting all COEs so that only those that are in the assignment groups of the case are able to see them.

 

Blocking all cases

michaelj_sherid_0-1721419525138.png

 Allowing any case assigned to one of my groups

michaelj_sherid_1-1721419576061.png

 

Regards,

Mike

 

 


19 REPLIES

Yessi
Tera Contributor

@Willem Hey Willem! I've seen you respond within a few COE security policy posts. I've attempted to create a policy that only allows HR Agents to see cases assigned to their group and I've listed all HR groups out. However, all cases are still visible to all HR Agents. Are there any other configurations that I could be missing to make this simplified policy work? Thanks in advance for your help!

 

How to restrict HR Case to particular Tier1 groups - Similar post you've responded to before.

Yessi
Tera Contributor

Hey @michaelj_sherid I've seen you respond within a few COE security policy posts. I've attempted to create a policy that only allows HR Agents to see cases assigned to their group and I've listed all HR groups out. However, all cases are still visible to all HR Agents. Are there any other configurations that I could be missing to make this simplified policy work? Thanks in advance for your help!

Hi @Yessi there has to be another COE policy that is allowing access in order for this to happen. We would need to see all of your COE Security policies to determine for sure if this is your issue.


Regards,

Mike

Hey Michael! This is the first COE Security Policy that's been created, no others exist. I've tested this within my PDI as well and get the same result. When using the condition Assignment Group is (dynamic) One of My Groups and listing only a select amount of groups or listing all our HR groups, they're still able to see all cases. All HR Agents are assigned the sn_hr_core.basic role. I tried what Sandeep suggested of removing the parent group HR from the other groups but this still didn't resolve the issue. Is it possible there's another configuration component I'm missing? 

@Yessi I would try this as a test: create a blank COE policy that restricts all cases; below is an image of what that would look like. Let us know if this changes the outcome of what you are seeing.

 

michaelj_sherid_0-1721337154147.png

 

Regards,

Mike