07-02-2024 06:45 PM - edited 07-02-2024 06:47 PM
Hey SN Community!
Is it possible to restrict case access for HR Agents based on their assignment group using a COE Security Policy?
For example: Person A is a part of HR Tier 1. There are currently 4 HR Benefits Cases. One is assigned to HR Tier 1, so Person A should only be able to view that 1 case out of the 4 available.
I've attempted to create a policy for our Benefits table, applicable to all services, and applies when condition - Assignment group is (dynamic) | One of my groups. I've attempted listing all our assignment groups and then again limiting it to a few. Either way all cases are viewable to everyone. Once I remove the Applies when condition, the COE Security Policy works and restricts access to those outside of the listed groups. Is it possible I'm using this Applies when condition incorrectly? Is it limited to certain use? Is anyone able to share examples of COE Security policies they've created?
Test Profile is not part of any of the listed groups but is still able to see Benefits cases.
Appreciate any feedback and tips!
07-19-2024 01:06 PM
@Yessi Here is my configuration. I will have to test your use case based on your configuration (images you sent), but here you have to restrict all cases in order to use your second COE policy that states the allow. In my example I am restricting all COEs so that only those who are in the assignment groups of the case are able to see them.
Blocking all cases
Allowing any case assigned to one of my groups
Regards,
Mike
Wednesday
Thank you! That worked for us too!
2 weeks ago
Hey everyone,
I’m running into a similar issue and wanted to see if anyone has encountered this before.
The first issue we identified was that the out-of-box HR Basic role (sn_hr_core.basic) does not allow users to view all cases under HR Case Management > All. We did not have any existing COE Security Configurations in place, so our workaround was to create read and write ACLs on all HR child tables for the HR Basic role. This allowed users with that role to view cases from all HR case tables within the All module.
Our next requirement is to restrict case visibility based on assignment group membership, so users can only see cases assigned to groups they belong to.
Following Mark’s recommendation, I created one COE Security Configuration to restrict access across all tables, and then created another COE Security Configuration using the Assigned is dynamic condition and included the relevant assignment groups.
However, when I impersonate a test user, they are still able to see HR cases that belong to assignment groups they are not a member of.
Am I missing an additional configuration step, or is there something else that needs to be considered for the COE Security Configuration to properly enforce assignment group-based visibility?
Any guidance would be appreciated.
Wednesday
@sophiasemga Were these HR cases that were created by those users? It is my guess that, for the HR Cases they can see, they were the Opened By (separate from the Opened for).
Regards,
Mike