How to restrict HR cases based on Case assignment group?

dileeppeddi1991
Kilo Contributor

Hi All, 

My requirement is to show the HR cases to the agents who belong to the Case assignment group.

scenario:

HRC1233562 is assigned to "Xyz" group.

HRC2324342 is assigned to "Qwerty" group.

HRC8954854 is assigned to "Test" group.

HRC1233562 should be visible to the "Xyz" group and should not be shown to other groups. Likewise, all HR cases should be shown only to Case assignment group members. This should apply in both list view and form view. How can we restrict HR case access or view by using the assignment group?

Thanks in Advance!!

1 ACCEPTED SOLUTION

Michael Ritchie
ServiceNow Employee

As @michaelj.sheridan mentions, the Orlando release better solves this out of the box, but you can get this going in NY, as @David Dubuis mentions, via a query business rule. While ACLs could handle this, your users would have a poor user experience and be presented with "X number of records have been restricted from view" messages.

It is important to note that HRSD ships with several query business rules already named "restrict query". These are there to restrict access to cases for general employees and NOT HR agents. You can create a new one, and I would recommend following a similar name; I called it "Restrict query Agents".


Then on the advanced tab set the condition to:

gs.isInteractive() && new hr_Utils().checkUserHasRole("sn_hr_core.basic") && !new hr_Utils().checkUserHasRole("sn_hr_core.admin")

This query will only fire with an "interactive" session, meaning using the UI versus an interface; this is important for integrations and other background processes querying for cases. Then it checks to see if the user HAS the sn_hr_core.basic user and does NOT have the sn_hr_core.admin role. This way admins can still query for all cases.

Then set the script to the following:

(function executeRule(current, previous /*null when async*/) {
	current.addQuery("assignment_group", "javascript:getMyGroups()");
})(current, previous);

 

This will insert a behind the scenes query of assignment group matching any group that the logged in user is a member of.

 

Remember that this query can and will fire for every single query to the HR Case table.  So regression testing is super important!

 

Please mark this post as helpful or the correct answer if applicable so others viewing may benefit.
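The answer above calls for regression testing; as an added example (not part of the original post and not ServiceNow code), here is a plain-JavaScript model of the rule's Condition and script that runs in Node and shows which sessions the rule filters and which it leaves untouched. The persona names, `ruleFires`, `visibleCases` and `regressionMatrix` are hypothetical, the case data is constructed from the question, and the model covers only this one rule, not ACLs or the shipped "restrict query" rules.

```javascript
// Constructed sample data: the three cases and groups from the question.
const CASES = [
  { number: "HRC1233562", assignment_group: "Xyz" },
  { number: "HRC2324342", assignment_group: "Qwerty" },
  { number: "HRC8954854", assignment_group: "Test" },
];

// Mirrors the rule's Condition field:
// gs.isInteractive() && has sn_hr_core.basic && !has sn_hr_core.admin
function ruleFires(session) {
  return session.interactive &&
    session.roles.includes("sn_hr_core.basic") &&
    !session.roles.includes("sn_hr_core.admin");
}

// Mirrors the effect of the script: when the rule fires, an extra
// "assignment_group is one of my groups" condition is ANDed onto the query.
function visibleCases(session, cases) {
  if (!ruleFires(session)) {
    // This rule adds no filter; other controls (ACLs, shipped rules) still apply.
    return cases.map(c => c.number);
  }
  return cases
    .filter(c => session.groups.includes(c.assignment_group))
    .map(c => c.number);
}

// Hypothetical personas for a regression matrix (assumed role and group sets).
const PERSONAS = {
  agentXyz:    { interactive: true,  roles: ["sn_hr_core.basic"], groups: ["Xyz"] },
  agentMulti:  { interactive: true,  roles: ["sn_hr_core.basic"], groups: ["Xyz", "Test"] },
  hrAdmin:     { interactive: true,  roles: ["sn_hr_core.basic", "sn_hr_core.admin"], groups: [] },
  integration: { interactive: false, roles: ["sn_hr_core.basic"], groups: [] },
};

// Returns { personaName: [case numbers this rule leaves visible] }.
function regressionMatrix() {
  const out = {};
  for (const [name, session] of Object.entries(PERSONAS)) {
    out[name] = visibleCases(session, CASES);
  }
  return out;
}

console.log(regressionMatrix());
```

The `hrAdmin` and `integration` rows are the ones to check in a real instance: the rule does not restrict them, so whatever they can read is decided by ACLs and the other query rules.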


21 REPLIES

Kumar, happy to help.  To mark an answer correct, please see this How To article:

https://community.servicenow.com/community?id=community_article&sys_id=b64d6229dbd0dbc01dcaf3231f961...

Hi @Michael Ritchie ,

I have a similar requirement to hide the HR cases based on a field selected by the agent. I am struggling to achieve this; could you please help me with it? I have mentioned the details and the query business rule I created in this link

Hello there @Michael Ritchie - this script works very well. However, can you maybe help me take this a step further? I have the same(ish) requirements - but need to still allow the person in a different assignment group, to read/write to a case when they are the Requestor or Opened By person.

Here is where my post is trying to figure this out: Business Rule/ACL Script Help

Are you able to assist me on this? Short story is: Our HRBPs open cases themselves, and when they do, the case is opened directly to our Employee Resource Center (ERC), which is a group that the HRBPs are NOT a part of. So the BR I currently have blocks them from seeing the cases they just created (until the ERC team moves it back to them).

From the BR you have here, what can be added to allow the Requestor/Opened By - while in a different group - still have access to the case?

Much appreciated if you are able to assist - and if any other information is needed on my requirement, please let me know (through my post so that I can give credit where credit is due).

Thank you!

-Rob

Hi Michael,

 

I am using the same query, but I am not getting any assignment groups using the following script:

current.addQuery("assignment_group", "javascript:getMyGroups()");

Can you please help me?

Hi,

 

I want this logic to run only when the particular HR Service = 'XYZ'. It should not trigger for the other HR Services.

I did add the filter HR Service = 'XYZ' on the 'When to run' tab. It's not working.

I need your help on how to make the below script run only on that one HR service.

 

Condition:

gs.isInteractive() && new hr_Utils().checkUserHasRole("sn_hr_core.basic")  && !new hr_Utils().checkUserHasRole("sn_hr_core.admin")&& !new hr_Utils().checkUserHasRole("sn_hr_core.catalog_security")

 

Script:

(function executeRule(current, previous /*null when async*/ ) {
	current.addQuery("opened_for", gs.getUserID()).addOrCondition("assignment_group", gs.getUser().getMyGroups());
})(current, previous);

 

 

 

Thanks,

Mahesh.