
How do you grant case read access to Group Managers without making them group members?

Kohei Tominaga1
Kilo Sage

In the COE Security Policy, it is possible to grant access permissions at the group level.
Users who belong to the group get the permissions, but group managers do not get any permissions by default.

One idea is to customize the ACL scripts that reference the COE Security Policy so that group managers are also granted access.
However, I would like to know how others are handling this situation.

Here is our specific need:

Group managers should:

  • Monitor operational health using the HR Manager Dashboard
  • Review HR cases when there are issues
  • Follow up with their group members

They need read-only access to HR cases, but they should not be assigned to cases.

If we add group managers to the group as members, cases may be automatically assigned to them by auto-assignment rules.
Because of this, we do not want to add them as group members.

However, due to the current behavior of the COE Security Policy, group managers cannot access the cases at all.

How are you addressing this requirement?
Any best practices or design patterns would be appreciated.


sandeepdutt
Tera Patron

Hi @Kohei Tominaga1 ,

Even I faced this issue!!

Firstly, we should have a clear idea that Access and Assignment are two different things.

What I did was I separated the way for Assignment Group and Group who manages. I created a parallel group with similar structure as Operational Group which was used for Assignment, just for access purpose.

Added members to this new group and finally assigned this group to COE Security Policy with Read access. And never used this group for any kind of assignment.

 

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if I could help you.

Hi, @sandeepdutt 
Thank you for sharing your experience!

 

So, you created two groups for each team like below, correct?

HR Payroll for assignment - HR Payroll team member only

HR Payroll for Access - HR Payroll team member & HR payroll manager

HR Benefit for assignment - HR Benefit team member only

HR Benefit for Access - HR Benefit team member & HR payroll manager

etc.

 

It would double the number of groups to manage and increase group member maintenance, but it sounds like an idea that could work.

It will definitely work 😀

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if I could help you.
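Added example, not part of any reply in this thread and not ServiceNow code: a drift check for the paired-group pattern discussed above, since doubling the groups means the access copy can fall out of sync with the assignment group. The group data, user names and the `auditGroupPairs` function are constructed for illustration; the " for assignment" / " for Access" suffixes follow the naming in the reply above.

```javascript
// Constructed sample data: each assignment group has a manager and members;
// each access group should hold exactly those members plus the manager.
const groups = {
  "HR Payroll for assignment": { manager: "mgr.payroll", members: ["amy", "bob"] },
  "HR Payroll for Access": { members: ["amy", "bob", "mgr.payroll", "dan"] },
  "HR Benefit for assignment": { manager: "mgr.benefit", members: ["cho", "mgr.benefit"] },
  "HR Benefit for Access": { members: ["cho"] },
};
// Constructed list of groups that auto-assignment rules point at.
const assignmentRuleTargets = ["HR Payroll for assignment", "HR Benefit for Access"];

function auditGroupPairs(groups, ruleTargets) {
  const findings = [];
  for (const [name, g] of Object.entries(groups)) {
    if (!name.endsWith(" for assignment")) continue;
    // A manager who is a member can receive cases from auto-assignment.
    if (g.members.includes(g.manager)) {
      findings.push(`${name}: manager ${g.manager} is a member and can be auto-assigned`);
    }
    const accessName = name.replace(/ for assignment$/, " for Access");
    const access = groups[accessName];
    if (!access) {
      findings.push(`${name}: no paired access group`);
      continue;
    }
    const expected = new Set([...g.members, g.manager]);
    // Missing users lose case visibility; extra users keep read access
    // to HR cases after leaving the team.
    for (const user of expected) {
      if (!access.members.includes(user)) findings.push(`${accessName}: missing ${user}`);
    }
    for (const user of access.members) {
      if (!expected.has(user)) findings.push(`${accessName}: unexpected member ${user}`);
    }
  }
  // Access groups must never be used for assignment.
  for (const target of ruleTargets) {
    if (target.endsWith(" for Access")) {
      findings.push(`${target}: access group used as assignment target`);
    }
  }
  return findings;
}

const findings = auditGroupPairs(groups, assignmentRuleTargets);
console.log(findings.join("\n"));
```

The "unexpected member" finding is the one to watch for HR data: it flags someone who left the assignment group but still has read access through the access copy.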

muhammadosama55
Tera Contributor

Hi,

A few approaches to consider:

Option 1: Separate Read-Only Group
Create an "HR Cases - Manager View" group with read-only ACLs. Add managers here to give them visibility without triggering assignments.

Option 2: Custom Viewer Role
Create an hr_case_manager_viewer role with read ACLs on HR cases. Assign to managers and exclude this role from your assignment rules.

Option 3: Modify Assignment Rules
Keep managers in the group but add a condition to exclude them from auto-assignment, like checking a manager flag or specific role.

Recommendation: Option 1 is simplest and keeps assignment logic clean. Option 2 works well if managers span multiple teams.

What does your current assignment rule logic look like?

If my response helped, mark as helpful and accept the solution!