COE Security Policy to restrict access to cases based on Assignment Group

Yessi
Tera Contributor

Hey SN Community! 

Is it possible to restrict case access for HR Agents based on their assignment group using a COE Security Policy?

For example: Person A is a part of HR Tier 1. There are currently 4 HR Benefits Cases. One is assigned to HR Tier 1, so Person A should only be able to view that 1 case out of the 4 available.

I've attempted to create a policy for our Benefits table, applicable to all services, and applies when condition - Assignment group is (dynamic) | One of my groups. I've attempted listing all our assignment groups and then again limiting it to a few. Either way all cases are viewable to everyone. Once I remove the Applies when condition, the COE Security Policy works and restricts access to those outside of the listed groups. Is it possible I'm using this Applies when condition incorrectly? Is it limited to certain use? Is anyone able to share examples of COE Security policies they've created?


Yessi_0-1719969504589.png

Test Profile is not part of any of the listed groups but is still able to see Benefits cases.

Yessi_1-1719970201718.png

Appreciate any feedback and tips!

1 ACCEPTED SOLUTION

@Yessi Here is my configuration. I will have to test your use case based on your configuration (images you sent), but here you have to restrict all cases in order to use your second COE policy that states the allow. In my example I am restricting all COEs so that only those who are in the assignment group of the case are able to see it.


Blocking all cases

michaelj_sherid_0-1721419525138.png

 Allowing any case assigned to one of my groups

michaelj_sherid_1-1721419576061.png


Regards,

Mike



Thank you! That worked for us too!

sophiasemga
Mega Sage

Hey everyone,

I’m running into a similar issue and wanted to see if anyone has encountered this before.

The first issue we identified was that the out-of-box HR Basic role (sn_hr_core.basic) does not allow users to view all cases under HR Case Management > All. We did not have any existing COE Security Configurations in place, so our workaround was to create read and write ACLs on all HR child tables for the HR Basic role. This allowed users with that role to view cases from all HR case tables within the All module.

Our next requirement is to restrict case visibility based on assignment group membership, so users can only see cases assigned to groups they belong to.

Following Mark’s recommendation, I created one COE Security Configuration to restrict access across all tables, and then created another COE Security Configuration using the Assigned is dynamic condition and included the relevant assignment groups.

However, when I impersonate a test user, they are still able to see HR cases that belong to assignment groups they are not a member of.

Am I missing an additional configuration step, or is there something else that needs to be considered for the COE Security Configuration to properly enforce assignment group-based visibility?

Any guidance would be appreciated.

@sophiasemga Were these HR cases created by those users? It is my guess that the HR Cases they can see are ones where they were the Opened By (separate from the Opened for).


Regards,

Mike
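The accepted solution above (block all cases, then allow cases assigned to one of my groups) and Mike's later point about Opened By users can be reasoned through with a small model. The following is an added example in plain JavaScript, not ServiceNow code and not anything posted in this thread. It assumes the COE Security Policy semantics as a practitioner would infer them from the observed behaviour: a policy applies to a case when its Applies when condition holds for that case and user; if at least one policy applies, the user can read the case only if some applicable policy grants access; if no policy applies, the ordinary role-based ACL decides. The Opened By exception, the case data, the users and the group names are all constructed for the example.

```javascript
// Added example: a plain-JavaScript model of COE Security Policy evaluation.
// ASSUMED semantics (inferred from the thread, not confirmed by documentation):
//  - a policy "applies" to a case when its applies-when condition holds for
//    that case and the user being evaluated;
//  - if at least one policy applies, the user may read the case only if at
//    least one applicable policy grants access;
//  - if no policy applies, the role-based ACL decides (modelled as "allow").
//  - ASSUMPTION following Mike's last reply: the Opened By user always sees
//    their own case regardless of policies.

// Applies-when conditions, evaluated per (case, user).
const APPLIES_TO_ALL = () => true;
const ASSIGNED_TO_ONE_OF_MY_GROUPS = (hrCase, user) =>
  user.groups.includes(hrCase.assignment_group);

// Allow rules: who a policy grants access to once it applies.
const NOBODY = () => false;
const ONE_OF_MY_GROUPS = (hrCase, user) =>
  user.groups.includes(hrCase.assignment_group);
const MEMBER_OF = (...groups) => (hrCase, user) =>
  user.groups.some((g) => groups.includes(g));

function makePolicy(name, appliesWhen, allows) {
  return { name, appliesWhen, allows };
}

// Decide read access for one case under a list of policies.
function canRead(hrCase, user, policies, roleAclAllows = true) {
  if (hrCase.opened_by === user.name) return true; // assumed Opened By exception
  const applicable = policies.filter((p) => p.appliesWhen(hrCase, user));
  if (applicable.length === 0) return roleAclAllows; // nothing applied: ACL decides
  return applicable.some((p) => p.allows(hrCase, user));
}

// Return the case numbers a user can see.
function visibleCases(cases, user, policies) {
  return cases.filter((c) => canRead(c, user, policies)).map((c) => c.number);
}

// Constructed sample data (hypothetical case numbers and groups).
const CASES = [
  { number: 'HRC0001', assignment_group: 'HR Tier 1', opened_by: 'Manager' },
  { number: 'HRC0002', assignment_group: 'HR Tier 2', opened_by: 'Manager' },
  { number: 'HRC0003', assignment_group: 'HR Benefits', opened_by: 'Manager' },
  { number: 'HRC0004', assignment_group: 'HR Payroll', opened_by: 'Manager' },
  { number: 'HRC0005', assignment_group: 'HR Payroll', opened_by: 'Test Profile' },
];
const PERSON_A = { name: 'Person A', groups: ['HR Tier 1'] };
const TEST_PROFILE = { name: 'Test Profile', groups: [] };

// Configuration 1 (the original question): a single policy whose applies-when
// condition is "Assignment group is one of my groups", allowing listed groups.
// For a user in none of the groups no case matches the condition, so no policy
// applies and the ACL lets them see everything.
const ORIGINAL_ATTEMPT = [
  makePolicy('Benefits - my groups', ASSIGNED_TO_ONE_OF_MY_GROUPS,
    MEMBER_OF('HR Tier 1', 'HR Tier 2', 'HR Benefits', 'HR Payroll')),
];

// Configuration 2 (accepted solution): block all cases unconditionally, then
// add an allow policy for cases assigned to one of the user's groups.
const ACCEPTED_SOLUTION = [
  makePolicy('Blocking all cases', APPLIES_TO_ALL, NOBODY),
  makePolicy('Allowing any case assigned to one of my groups',
    ASSIGNED_TO_ONE_OF_MY_GROUPS, ONE_OF_MY_GROUPS),
];

console.log('original attempt, Test Profile:',
  visibleCases(CASES, TEST_PROFILE, ORIGINAL_ATTEMPT));
console.log('accepted solution, Person A:',
  visibleCases(CASES, PERSON_A, ACCEPTED_SOLUTION));
console.log('accepted solution, Test Profile:',
  visibleCases(CASES, TEST_PROFILE, ACCEPTED_SOLUTION));
```

Under the first configuration both users see every case, which is the symptom in the question; under the second, Person A sees only the HR Tier 1 case, and the otherwise-unentitled Test Profile still sees the one case it opened, which is the situation Mike asks sophiasemga to check for. When verifying a real instance, impersonate a user who is in none of the groups and did not open any case, so the Opened By path cannot mask a policy gap.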