Employee Relations Application Setup - ER Admin role

Kohei Tominaga1
Tera Expert

‎12-19-2023 05:30 PM

Hi,

 

I am learning how to setup and how to use the Employee Relations application in my PDI with referencing Docs article.

In my understanding, ER cases include very sensitive data and they are strictly restricted to be accessed.

I have confirmed that ER agent can access ER cases but HR agent without ER case reader role cannot access them. I think this behavior is good but it is not good that HR Admin users can access ER case which I confirmed in my PDI.

Do I need to remove ER Admin role from HR Admin role like when I remove HR admin role from Admin roke? Is there any instruction to do so?

 

Best Regards,

Kohei

0 Helpfuls
  • 1,445 Views
11 REPLIES 11

Kohei Tominaga1
Tera Expert
In response to ahefaz1

‎12-24-2023 05:02 PM

Hi, Ahefaz

 

Thank you for your comment.

Yes, That's correct that ER restricted case are only readable by them with your mentioned condition.

However the slide is saying that users in watch list and collaborators can read and update the case.... Do you know what this means?

0 Helpfuls

ahefaz1
Mega Sage
In response to Kohei Tominaga1

‎12-30-2023 08:22 AM - edited ‎12-30-2023 08:24 AM

@Kohei Tominaga1 

 

The collaborator on an ER case needs to have the ER case writer role. They are able to edit/write to a limited number of fields on the er case as well as read the er case. Therefore the read and update for the collaborators has been marked in green.

 

For the users in the watch list, they are able to add additional comments to an ER case. Navigating to an ER case can be done via the notifications they receive. Hence the read and update for the watch list.

 

Mark Helpful, if this helped.

 

Thanks,

Susan Britt
Mega Sage
Mega Sage

‎12-20-2023 02:43 PM

Hi Kohei,

 

You are correct that if you do not want the HR Admin users to have access to ER, you would remove the ER Admin role from it similar to how you did the system Admin role.  I would caution to make sure you have at least 2 people, that are familiar with managing the ER application, with this role though, so you don't lose the ability to support/configure it.  So far in my work, clients have had HR Admin locked down well enough that those same people are ok having ER Admin access also.  

Kohei Tominaga1
Tera Expert
In response to Susan Britt

‎12-20-2023 03:56 PM

Hi, Susan

Thank you for your comment.

I understood that if we need to restrict access ER case by HR Admin we have to remove ER admin role from HR Admin role.
However, I cannot find any official instruction to do so though Docs is saying to remove HR Admin roe from Admin. Considering about this, ServiceNow might be thinking that we should grant HR Admin role to users who are permitted to access ER Cases. How do you think?

 

In my situation, HRSD operation team has HR admin role so that they can maintain HR group members in Prod. But they might not be permitted to access ER case. Then, I have to remove HR Admin role from them. What role should I grant them instead?

0 Helpfuls

Susan Britt
Mega Sage
Mega Sage
In response to Kohei Tominaga1

‎12-20-2023 04:27 PM

If HR ops only needs the HR Admin role to maintain the group members, you can grant them user_admin role; or create a custom role for that group.  They'd need write access to the sys_user_grmember table (i.e., create ACLs for that role).

 

To remove sn_hr_er.admin from the sn_hr_core.admin role:

  1. Make sure some user(s) have sn_hr_er.admin role first (preferably via a group and not directly assigned to the user)
  2. Open the sn_hr_core.admin role record
  3. From the "Contains Roles" related list/tab at the bottom, click "Edit"
    • SusanBritt_0-1703118428901.png

       

  4. Remove the sn_hr_er.admin role from the right-hand side (Contains Role List)
    • SusanBritt_1-1703118456564.png

       

  5. Save
0 Helpfuls