How to restrict HR cases based on Case assignment group?

dileeppeddi1991
Kilo Contributor

Hi All, 

My requirement is to show the HR cases to the agents who belong to the Case assignment group.

Scenario:

HRC1233562 is assigned to "Xyz" group.

HRC2324342 is assigned to "Qwerty" group.

HRC8954854 is assigned to "Test" group.

HRC1233562 should be visible to the "Xyz" group and should not show to other groups. Likewise, all HR cases should show to Case assignment group members. This should be in both list view and form view. How can we restrict HR case access or view by using assignment group?

Thanks in Advance!!

1 ACCEPTED SOLUTION

Michael Ritchie
ServiceNow Employee

As @michaelj.sheridan mentions, the Orlando release better solves this out of the box, but you can get this going in NY, as @David Dubuis mentions, via a query business rule. While ACLs could handle this, your users would have a poor user experience and be presented with "X number of records have been restricted from view" messages.

It is important to note that HRSD ships with several query business rules already named "restrict query". These are there to restrict access to cases for general employees and NOT HR agents. You can create a new one, and I would recommend following a similar name; I called it Restrict query Agents.

Then on the advanced tab set the condition to:

gs.isInteractive() && new hr_Utils().checkUserHasRole("sn_hr_core.basic") && !new hr_Utils().checkUserHasRole("sn_hr_core.admin")

This query will only fire with an "interactive" session, meaning using the UI versus an interface; this is important for integrations and other background processes querying for cases. Then it checks to see if the user HAS the sn_hr_core.basic user and does NOT have the sn_hr_core.admin role. This way admins can still query for all cases.

Then set the script to the following:

(function executeRule(current, previous /*null when async*/) {
	// Narrow every query on the case table to the logged-in user's groups
	current.addQuery("assignment_group", "javascript:getMyGroups()");
})(current, previous);

This will insert a behind-the-scenes query of assignment group matching any group that the logged-in user is a member of.

Remember that this query can and will fire for every single query to the HR Case table. So regression testing is super important!

Please mark this post as helpful or the correct answer if applicable so others viewing may benefit.
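
A plain-JavaScript model of the condition and filter described in the answer above, added here as an illustration and not part of the original post or of ServiceNow's code. It runs outside the platform, against constructed sessions and cases, to show which branch of the condition leaves a query unfiltered. The session objects, the unassigned case HRC0000001 and the function names are assumptions; HRSD's shipped "restrict query" rules and ACLs are not modelled.

```javascript
// Added illustration: models the "Restrict query Agents" before-query rule.
// No ServiceNow APIs are called; all users and cases below are constructed.

// Case numbers and group names come from the question; the last row is constructed.
const cases = [
  { number: "HRC1233562", assignment_group: "Xyz" },
  { number: "HRC2324342", assignment_group: "Qwerty" },
  { number: "HRC8954854", assignment_group: "Test" },
  { number: "HRC0000001", assignment_group: "" }, // constructed: not yet assigned
];

// Mirrors the rule's condition:
// gs.isInteractive() && has sn_hr_core.basic && !has sn_hr_core.admin
function ruleApplies(session) {
  return session.interactive &&
    session.roles.includes("sn_hr_core.basic") &&
    !session.roles.includes("sn_hr_core.admin");
}

// Mirrors the rule's script: when the condition holds, the query is narrowed
// to assignment groups the user belongs to. When it does not hold, this rule
// adds nothing (other rules and ACLs, not modelled here, may still apply).
function visibleCases(session) {
  if (!ruleApplies(session)) return cases.map(c => c.number);
  return cases
    .filter(c => session.groups.includes(c.assignment_group))
    .map(c => c.number);
}

// Regression matrix: one constructed session per branch of the condition.
const sessions = {
  xyzAgent:    { interactive: true,  roles: ["sn_hr_core.basic"], groups: ["Xyz"] },
  multiGroup:  { interactive: true,  roles: ["sn_hr_core.basic"], groups: ["Xyz", "Test"] },
  noGroups:    { interactive: true,  roles: ["sn_hr_core.basic"], groups: [] },
  hrAdmin:     { interactive: true,  roles: ["sn_hr_core.basic", "sn_hr_core.admin"], groups: ["Xyz"] },
  integration: { interactive: false, roles: ["sn_hr_core.basic"], groups: ["Xyz"] },
};

function regressionMatrix() {
  const out = {};
  for (const [name, s] of Object.entries(sessions)) out[name] = visibleCases(s);
  return out;
}

console.log(regressionMatrix());
```

The `integration` row is the one to confirm on a real instance: because the condition requires `gs.isInteractive()`, non-interactive sessions are not narrowed by this rule, so what they can read depends on ACLs and other controls. The unassigned case also disappears for every agent the rule applies to, which is worth including in regression tests.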

21 REPLIES

All assignment group members will have the sn_hr_core.basic role.

But with other modules they will be able to see them, and they can also search by case number.

If you want to restrict access to CRUD actions on tables or fields on tables, then ACLs are the way to go. If you need to restrict access to subsets of records within a table, then before query business rules are what you need.

https://docs.servicenow.com/bundle/orlando-platform-administration/page/administer/company-and-domai...

I am sorry for the confusion. I have updated the description. Could you please check and help me?

So you want users to only see cases that are assigned to their group and no others?

If so, the before query rule is the solution you need. The code I posted above is an example of what a before query rule might look like, not the exact solution to your requirement.

Parik Narain
Kilo Contributor

Hi

Are you familiar with the concept of HR Centre of Excellence (COE) within the HR application? It's important to understand the HR operating model and how the services are categorised amongst COEs before embarking on customising anything.

The COE model is meant to restrict data/cases between HR functions, and is available out of the box. The COE data model further allows you to limit access to sensitive information, promote consistency for metrics and reporting, and help drive automation by defining the request to fulfillment process at the HR service level.

I would question why this wouldn't solve your requirements. Let me know.

-Parikshit