Hide HR case from specific users

ghitabahaj
Tera Expert

Hi everyone,

I’m trying to restrict visibility of HR Lifecycle cases (sn_hr_le_case) for a specific population so that they are also hidden from the portal, but I’m seeing unexpected behavior.

i created one ACL 

GhitaB_0-1769419704575.png

GhitaB_1-1769419707720.png

But when I impersonate the user and type sn_hr_le_case.LIST, he can still see the cases.

1 ACCEPTED SOLUTION

ghitabahaj
Tera Expert

GhitaB_1-1769596445524.png

 

I've updated the ACL to this and removed the script, and it worked.

 


15 REPLIES 15

Hi @ghitabahaj ,

If my understanding is correct: if the logged-in user is a subcontractor from Spain, they should not be able to see any offboarding cases (or is it only their own offboarding cases that they should not see?).

 

If they should be blocked only from their own case, you can add an extra condition in the Applies To filter (not in the data condition) that Subject person is dynamic "Me" (ignore this if it is the first case).

 

also check the country field looks like it's a reference field.

 

look at the comments on each line 

 

 

 

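answer = (function() {

    // Read ACL script: grants access unless the logged-in user is a
    // subcontractor whose legal entity is in Spain.

    // u_country looks like a reference field, so its stored value would be a
    // sys_id rather than the display name.
    var SPAIN_COUNTRY_SYS_ID = 'put the sysid of the contry here'; //replace with country sysid

    // Always allow admins / HR admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_admin')) {
        return true;
    }

    // Case has no subject person: this rule does not restrict it.
    // NOTE(review): this branch grants access; confirm that is the intended
    // outcome for cases without a subject person.
    if (!current.subject_person) {
        return true;
    }

    // The profile lookup is keyed on the logged-in user (gs.getUserID()), not
    // on current.subject_person.
    // NOTE(review): confirm the hr_Profile constructor and getCurrentProfile()
    // arguments against the script include on your instance.
    var hrProfile = new sn_hr_core.hr_Profile(gs.getUserID(), gs).getCurrentProfile(current.sys_id);

    // Without a profile the population cannot be determined; do not grant from
    // this rule instead of dereferencing a missing object.
    if (!hrProfile) {
        return false;
    }

    var employmentType = hrProfile.employment_type + '';
    var country = '';
    if (hrProfile.u_legal_entity && hrProfile.u_legal_entity.u_country) {
        country = hrProfile.u_legal_entity.u_country;
    }

    var isSubcontractor = employmentType == 'subcontractor' || employmentType == 'Subcontractor';

    // Loose equality is kept on purpose: country may be a field element rather
    // than a primitive string (presumably; verify on the instance).
    var isSpain = country.name == 'Spain' || country == SPAIN_COUNTRY_SYS_ID;

    // Deny only when BOTH conditions hold. The earlier form,
    // !(subcontractor) && (Spain), negated just the first operand and so
    // granted access only to non-subcontractors in Spain.
    return !(isSubcontractor && isSpain);

})();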

 

Note: remove the data condition 

 

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

GhitaB_0-1769437480628.png

 

GhitaB_1-1769437498225.png

i've updated with this but he still can see the offboarding cases.

 

and yes i need to hide the offboarding cases from the Spain subcontractor where he is the subject person 

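answer = (function() {

    // Read ACL script: grants access unless the logged-in user is a
    // subcontractor whose legal entity is in Spain.

    // sys_id of the Spain country record, as supplied in this thread.
    var SPAIN_COUNTRY_SYS_ID = '4938b7111b121100763d91eebc0713f1';

    // Always allow admins / HR admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_admin')) {
        return true;
    }

    // Case has no subject person: this rule does not restrict it.
    // NOTE(review): this branch grants access; confirm that is the intended
    // outcome for cases without a subject person.
    if (!current.subject_person) {
        return true;
    }

    // The profile lookup is keyed on the logged-in user (gs.getUserID()), not
    // on current.subject_person.
    // NOTE(review): confirm the hr_Profile constructor and getCurrentProfile()
    // arguments against the script include on your instance.
    var hrProfile = new sn_hr_core.hr_Profile(gs.getUserID(), gs).getCurrentProfile(current.sys_id);

    // Without a profile the population cannot be determined; do not grant from
    // this rule instead of dereferencing a missing object.
    if (!hrProfile) {
        return false;
    }

    var employmentType = hrProfile.employment_type + '';
    var country = '';
    if (hrProfile.u_legal_entity && hrProfile.u_legal_entity.u_country) {
        country = hrProfile.u_legal_entity.u_country;
    }

    var isSubcontractor = employmentType == 'subcontractor' || employmentType == 'Subcontractor';

    // Loose equality is kept on purpose: country may be a field element rather
    // than a primitive string (presumably; verify on the instance).
    var isSpain = country.name == 'Spain' || country == SPAIN_COUNTRY_SYS_ID;

    // Deny only when BOTH conditions hold. The earlier form,
    // !(subcontractor) && (Spain), negated just the first operand and so
    // granted access only to non-subcontractors in Spain.
    return !(isSubcontractor && isSpain);

})();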

Hi @ghitabahaj ,

 

Just keep the Applies To filter as "HR Service IS Offboarding Request" and remove the other filters.

 

ChaitanyaILCR_0-1769446662616.png

and update the script 

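answer = (function() {

    // Read ACL script: grants access unless the logged-in user is a
    // subcontractor whose legal entity is in Spain. Any runtime error is
    // logged and treated as "not granted by this rule".

    // u_country looks like a reference field, so its stored value would be a
    // sys_id rather than the display name.
    var SPAIN_COUNTRY_SYS_ID = 'put the sysid of the contry here'; //replace with country sysid

    try {

        // Always allow admins / HR admins
        if (gs.hasRole('admin') || gs.hasRole('sn_hr_admin')) {
            return true;
        }

        // Case has no subject person: this rule does not restrict it.
        // NOTE(review): this branch grants access; confirm that is the
        // intended outcome for cases without a subject person.
        if (!current.subject_person) {
            return true;
        }

        // The profile lookup uses the logged-in user's sys_user record and
        // sys_id, not current.subject_person.
        // NOTE(review): confirm the hr_Profile constructor and
        // getCurrentProfile() arguments against the script include on your
        // instance.
        var userRecord = new global.GlideRecordUtil().getGR('sys_user', gs.getUserID());
        var hrProfile = new sn_hr_core.hr_Profile(userRecord, gs).getCurrentProfile(gs.getUserID());

        // Without a profile the population cannot be determined; do not grant
        // from this rule instead of dereferencing a missing object.
        if (!hrProfile) {
            return false;
        }

        var employmentType = hrProfile.employment_type + '';
        var country = '';
        if (hrProfile.u_legal_entity && hrProfile.u_legal_entity.u_country) {
            country = hrProfile.u_legal_entity.u_country;
        }

        var isSubcontractor = employmentType == 'subcontractor' || employmentType == 'Subcontractor';

        // Loose equality is kept on purpose: country may be a field element
        // rather than a primitive string (presumably; verify on the instance).
        var isSpain = country.name == 'Spain' || country == SPAIN_COUNTRY_SYS_ID;

        // Deny only when BOTH conditions hold. The earlier form,
        // !(subcontractor) && (Spain), negated just the first operand and so
        // granted access only to non-subcontractors in Spain.
        return !(isSubcontractor && isSpain);
    } catch (err) {
        gs.error('error occured ' + err);
        // Return an explicit false so a failed evaluation never leaves the
        // result undefined.
        return false;
    }

})();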

Also put logs in the script and see whether you get any errors or log entries.

 

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

 

Medi C
Giga Sage

Hi @ghitabahaj,

 

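Could you please check the other read ACLs on the table "sn_hr_le_case"?
Access might be granted through another ACL: when several ACL rules match the same table and operation, the user only needs to pass one of them, so an extra rule that evaluates to false does not by itself hide the records.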


Thanks & Best regards,
Medi

yes there are , but there are few that are OOB

GhitaB_2-1769438177341.pngGhitaB_3-1769438872179.png

 

and i've created this with that script but still nothing 

 

GhitaB_4-1769439017425.png

(function () {

    // Evaluates to false only when the logged-in user is the case's subject
    // person AND that person's HR profile is a Spain subcontractor; every
    // other path evaluates to true.
    // NOTE(review): the result is not assigned to `answer` here; confirm the
    // ACL picks up the value of this expression.

    // Admins and HR admins are never restricted by this rule.
    var isPrivileged = gs.hasRole('admin') || gs.hasRole('sn_hr_admin');
    if (isPrivileged) {
        return true;
    }

    // Nothing to compare against when the case has no subject person.
    var subjectPerson = current.subject_person;
    if (!subjectPerson) {
        return true;
    }

    // The restriction only concerns a user looking at a case about themselves.
    var viewerIsSubject = subjectPerson.toString() === gs.getUserID();
    if (!viewerIsSubject) {
        return true;
    }

    // Load the HR profile of the subject person; no profile means no restriction.
    // NOTE(review): confirm hr_Profile accepts a reference field here.
    var profile = new sn_hr_core.hr_Profile(subjectPerson, gs).getCurrentProfile();
    if (!profile) {
        return true;
    }

    var employment = profile.getValue('employment_type');

    // Country is compared by display name, so this depends on the label 'Spain'.
    var countryName = '';
    var legalEntity = profile.u_legal_entity;
    if (legalEntity && legalEntity.u_country) {
        countryName = legalEntity.u_country.getDisplayValue();
    }

    // Deny exactly the Spain subcontractor viewing their own case.
    var isSpainSubcontractor = employment === 'subcontractor' && countryName === 'Spain';
    return !isSpainSubcontractor;

})();