how to restrict HR cases based on Case assignment group?

Go to solution
dileeppeddi1991
Kilo Contributor

‎03-13-2020 02:40 AM

Hi All, 

my requirement is to show the HR cases to the agents which belongs to Case assignment group.

scenario:

HRC1233562 is assigned to "Xyz" group.

HRC2324342 is assigned to "Qwerty" group.

HRC8954854 is assigned to "Test" group.

HRC1233562 should be visible to "Xyz" group and should not show to other groups. like wise for all HR cases to should show to Case assignment group members. this should be both in list view and form view.How can we restrict HR cases access or view by using assignment group?

Thanks in Advance!!

  • 5,359 Views
1 ACCEPTED SOLUTION

Go to solution
Michael Ritchie
ServiceNow Employee
ServiceNow Employee

‎03-13-2020 10:29 AM

As @michaelj.sheridan mentions the Orlando release better solves this out of the box, but you can get this going in NY as @David Dubuis mentions via query business rule.  While ACLs could handle this your users would have a poor user experience and be presented with "X number of records have been restricted from view" messages.

It is important to note that HRSD ships with several query business rules already named "restrict query".  These are there to restrict access to cases for general employees and NOT HR agents.  You can create a new one and I would recommend following the similar name as I called it Restrict query Agents:

find_real_file.png

 

Then on the advanced tab set the condition to:

gs.isInteractive() && new hr_Utils().checkUserHasRole("sn_hr_core.basic") && !new hr_Utils().checkUserHasRole("sn_hr_core.admin")

This query will only fire with an "interactive" session meaning using the UI versus an interface- this is important for integrations and other background processes querying for cases.  Then it checks to see if the user HAS the sn_hr_core.basic user and does NOT have the sn_hr_core.admin role.  This way admin's can still query for all cases.

Then set the script to the following:

(function executeRule(current, previous /*null when async*/) {
	current.addQuery("assignment_group", "javascript:getMyGroups()");
})(current, previous);

 

This will insert a behind the scenes query of assignment group matching any group that the logged in user is a member of.

 

Remember that this query can and will fire for every single query to the HR Case table.  So regression testing is super important!

 

Please mark this post as helpful or the correct answer if applicable so others viewing may benefit.

View solution in original post

Preview file
47 KB
21 REPLIES 21

Go to solution
Dubz
Mega Sage

‎03-13-2020 03:15 AM

You can use a before query rule to restrict what the users see. For example, the below will add a condition to any table queries for users that are a member of Group1 that the assignment group=sys id of group 1, so they will only be shown those records.

if(gs.getUser().isMemberOf('Group1')){
current.addQuery('assignment_group', <sys id of assignment group>);
}

 

0 Helpfuls

Go to solution
dileeppeddi1991
Kilo Contributor
In response to Dubz

‎03-13-2020 03:33 AM

1) is this business rule condition will restrict the records in list view? 

2) suppose if agents search with case number in global search, will they able to see the records?

 

Thanks in advance!!

Dileep

 

0 Helpfuls

Go to solution
Dubz
Mega Sage
In response to dileeppeddi1991

‎03-13-2020 03:47 AM

As per the name, before query rules run before a table query is submitted. Whether checking a list view or searching for a specific case, the query rule will add whatever conditions are defined within it.

So, if you have restricted a user to see only cases assigned to their group, they will only see those cases in the list view and if they search for a specific case that is not assigned to their group, the search will not return any records.

0 Helpfuls

Go to solution
Mrman
Tera Guru
In response to dileeppeddi1991

‎03-13-2020 03:54 AM

Hi ,

For this requirement you can create ACL on the specific COE and make sure to check the condition in script for members of assignment group having 'sn_hr_core.basic' role . You may have to create a custom role .

It's better to use ACLs, but if want some other alternative....you can create a new module to get cases assigned to loggedin users group : 

Navigate to modules under system definition > create a new module >

Name : Assigned to My Groups

Filter : Assignment group : is(dynamic) : one of my groups.

Table : Table name (COE)

Link Type : List of records

Arguments : &sysparm_fixed_query=active=true // shows only active records and doesn't let to click all records from list view.

You can also specify roles under Visibility section.

0 Helpfuls