How to restrict HR Tasks if the parent HR Case is already restricted by CEO Security Configuration

Don Dom · ‎12-08-2023

Hello.

We have very strange case and looks like OOTB ACL's for "sn_hr_core_task" do not work as they should.

The case is:

It should work as this:

User working with "HR Agent Workspace > opening Lists > HR Tasks > All" is not able to enter any Task (HRT* record) for which parent (HRC* record) is already restricted via COE Security Configuration.

Example from TEST:

Unfortunately it's not working:

User is not able to enter HRC (case) because security prevent it - this is OK but he IS ABLE to enter corresponding TASK which is KO (wrong)

Ex: he is NOT able to enter HRC0001356 (OK) BUT he is ABLE to enter task HRT0001925 and see everything what is WRONG (KO)

System is OOTB - no customisation here:

We were trying to modify those ACL's based on group's and CEO - no success.

COE: sn_hr_core_case_benefits

COE: sn_hr_core_case_global_mobility

COE: sn_hr_core_case_operations

COE: sn_hr_core_case_payroll

COE: sn_hr_core_case_talent_management

COE: sn_hr_core_case_total_rewards

COE: sn_hr_core_case_workforce_admin

Any one got similar issues? How to restricts TASKS if the CASE's are already restricted vie COE Security Configuration:)

Please advise 🙂

Sandeep Rajput · ‎12-09-2023

@Don Dom Usually the access to the HR Tasks are not governed via COE ACLs defined on the HR Case, it is due to the fact that HR Tasks can be assigned to individuals who may not have access to the parent HR Case (a task assigned to a person working with IT Infra team or a person from the facility team).

If you wish to keep the access of the HR Tasks only to the people having access to parent HR case then you need to identify the ACLs on HR Tasks which are granting the read access to other users who do not have access to parent case and in the script field of those ACLs you can check the following.

if(current.parent.canRead()){
answer=true;
}
else{
answer=false;
}

Hope this helps.