How are client roles (ex: sn_hr_sp.hrsp_employee) getting access to their HR case requests on portal
08-11-2023 07:33 AM
Hi,
Can anyone tell me how an end user with the "sn_hr_sp.hrsp_employee" role is getting read access to his HR Workforce Administration case request on the ESC portal under "My Requests", because the read ACL on "sn_hr_core_case_workforce_admin" checks for the "sn_hr_core.case_reader" role.
Also, he is able to see this HR case in the native UI as below.
And below is the only read ACL on "sn_hr_core_case_workforce_admin".
Also, there is some inconsistency between different COEs in HR. For example, the same end user is not able to see his HR case ("sn_hr_core_case") on the ESC portal under My Requests, but he is able to see that case in the native view as below.
There is also one read ACL on "sn_hr_core_case" where they check for the Case Reader role.
So I am not sure how the end user is getting access to it.
I checked with security debugging and saw that they are getting field-level access, but I couldn't find table-level access.
PS: This is on my PDI and I have attached all the screenshots in the attachment.
08-14-2023 04:53 AM
Hi MadaraUchiha,
Can you review this article I created: https://www.servicenow.com/community/hrsd-articles/hr-security-evaluation-acl-s-and-coe-security-pol...
It contains a logical representation of the ACL and script evaluation. It shows that in your case the end user is evaluated as the employee and is granted access based on that.
The script include shows in the code:
If the article or this reply is helpful, please mark this answer as correct. Marking the Article as Helpful will be highly appreciated as well.
Let me know if this helps 🙂
08-17-2023 03:15 AM
Hi Willem,
The article says that if a user doesn't have HR roles, then the system will directly give access to the HR case if he is the subject person. But how is the system giving access to the subject person? Because there are no ACLs giving access to people without an HR role.
Also, in our sub-prod instances, client roles don't have access to their HR cases on the portal. So does that mean client roles get access to their HR cases only on PROD instances and PDI?
08-17-2023 03:36 PM
Hi MadaraUchiha,
"Cause there are no ACL giving access to people without HR role." Yes there is. The screenshot of the script include is the script include called by the HR Case ACL.
"Also in our sub-prod instances, client roles don't have access to their HR cases on portal. So does that mean client roles get access to their HR cases only on PROD instances and PDI?" This is not expected/out-of-the-box behavior. If you are the Opened by, Opened for, on the Watch list, etc. (refer to the article), you should see the HR Case, as you are either the person who created the case and it is your own case, or you are, for example, a manager or a person who was added to the Watch list to see (watch) the case.
This does not depend on production or non-production environments. And you can reproduce the behavior as described in my article on your PDI. If this is different on your company instances, please check for customization.
Additional question: are you testing this behavior by impersonating? If so, try logging in with the user's credentials and test instead. It might have to do with the "glide.sys.log_impersonation" property I describe in paragraph 5 here:
https://www.servicenow.com/community/hrsd-articles/hr-security-setup-hr-admin/ta-p/2310649
(if that article is helpful, please mark it helpful as well😋)
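The access path described in the reply above (the user is Opened by, Opened for, the subject person, or on the Watch list, so the ACL script grants read access even though the user holds no HR role) is modeled below as an added example. This is not the HR script include from the original post and not ServiceNow product code; the field names (opened_by, opened_for, subject_person, watch_list), the role names and all sample records are constructed for illustration. In this model the role check lives inside the script rather than in the ACL's Requires role field, which is why a user with only sn_hr_sp.hrsp_employee is not rejected before the subject check runs; whether the real ACL on your instance is structured that way is exactly what Debug Security should confirm.

```javascript
// Added example (not the OOB HR script include): models the read decision
// described in the thread. Access passes either because the user holds the
// sn_hr_core.case_reader role, or because the user is personally related to
// the case (Opened by, Opened for, subject person, or on the Watch list).
// Field names, role names and sample records below are constructed.

const CASE_READER_ROLE = 'sn_hr_core.case_reader';

// Reference fields on an HR case that point at a single user (assumed names).
const SUBJECT_FIELDS = ['opened_by', 'opened_for', 'subject_person'];

// The watch list is modeled as a comma-separated list of user sys_ids.
function watchListIds(hrCase) {
  return (hrCase.watch_list || '')
    .split(',')
    .map((id) => id.trim())
    .filter((id) => id.length > 0);
}

// Script-include-style check: is this user the subject of the case in any sense?
function isCaseSubject(user, hrCase) {
  if (SUBJECT_FIELDS.some((field) => hrCase[field] === user.sys_id)) {
    return true;
  }
  return watchListIds(hrCase).includes(user.sys_id);
}

// The decision the ACL script would return, plus the reason, so it can be
// compared with what Debug Security reports on the instance.
function evaluateReadAcl(user, hrCase) {
  if (user.roles.includes(CASE_READER_ROLE)) {
    return { allowed: true, reason: 'role:' + CASE_READER_ROLE };
  }
  if (isCaseSubject(user, hrCase)) {
    return { allowed: true, reason: 'script:subject_person' };
  }
  return { allowed: false, reason: 'no role and not the subject' };
}

// Constructed sample data (sys_ids are placeholders, not real records).
const SAMPLE_USERS = {
  employee:  { sys_id: 'user_employee', roles: ['sn_hr_sp.hrsp_employee'] },
  manager:   { sys_id: 'user_manager',  roles: ['sn_hr_sp.hrsp_employee'] },
  agent:     { sys_id: 'user_agent',    roles: ['sn_hr_core.case_reader'] },
  bystander: { sys_id: 'user_other',    roles: ['sn_hr_sp.hrsp_employee'] },
};

const SAMPLE_CASES = {
  ownCase: {
    number: 'HRC0001001',
    opened_by: 'user_employee',
    opened_for: 'user_employee',
    subject_person: 'user_employee',
    watch_list: 'user_manager',
  },
  someoneElsesCase: {
    number: 'HRC0001002',
    opened_by: 'user_agent',
    opened_for: 'user_manager',
    subject_person: 'user_manager',
    watch_list: '',
  },
};

// Evaluate every user against every case. Returns a map keyed by
// "<userName>/<case number>" with the { allowed, reason } decision.
function evaluateAll(users = SAMPLE_USERS, cases = SAMPLE_CASES) {
  const results = {};
  for (const [userName, user] of Object.entries(users)) {
    for (const hrCase of Object.values(cases)) {
      results[`${userName}/${hrCase.number}`] = evaluateReadAcl(user, hrCase);
    }
  }
  return results;
}

console.log(evaluateAll());
```

Running it shows the pattern from the thread: the employee with no HR role reads HRC0001001 (his own case) through the subject path, the manager reads it through the watch list, the agent reads everything through the role, and the bystander with the same client role but no relationship to the case is denied. When comparing with a real instance, test while logged in as the user rather than impersonating, as the reply above suggests.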