HR COE security policy VS ACL

Vijay Baokar
Kilo Sage

Hello Folks,


I have a scenario where an HR case HRC121 is created on the "sn_hr_core_case_benefits" table and the case is assigned to "US Benefits", and I have another group "IND Benefits".

Now members from "IND Benefits" should not have read access or visibility to case HRC121.

Is it supposed to be handled via COE security policy or ACL?

If we write an ACL, then should it be on the "sn_hr_core_case_benefits" or "sc_hr_core_case" table with the condition Assignment group is Dynamic One of my assignment groups?


Basically, group members should have access only to those cases that are assigned to their group, irrespective of table and HR service.

1 ACCEPTED SOLUTION

Wessel van Enk
Tera Guru

Hi Vijay,

Within the HR scopes, the COE policies are the way to go for these things.
You can set up a Read COE Sec Policy on the Benefits COE with the condition "Assignment Group = {Dynamic} One of my Groups". But do not forget to add the group into the list of groups in the policy 😉

This way the platform checks if you are a member of the current assignment group of the case; if so, you can read it, otherwise you cannot. This should fix the issue. You can always add ACLs later on if you need any more detailed or heavy condition restrictions.



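The read decision the accepted answer describes, modelled as an added example that is not code from the post or from ServiceNow: the policy object, group names, sample users and cases are constructed, and the real engine also evaluates roles, user criteria and other policies, which this simplified model leaves out.

```javascript
// Simplified model of a Read COE security policy with the condition
// "Assignment Group = {Dynamic} One of my Groups" (constructed example).

// Read policy on the Benefits COE. `groups` is the list of groups the policy
// applies to; the answer's caveat is that a group missing from this list is
// never granted by the policy, even for its own cases.
const benefitsReadPolicy = {
  table: 'sn_hr_core_case_benefits',
  operation: 'read',
  groups: ['US Benefits', 'IND Benefits'],
  // Condition: the case's assignment group is one of the user's groups.
  // The ACL-script equivalent would be gs.getUser().isMemberOf(current.assignment_group).
  condition: (user, hrCase) =>
    hrCase.assignment_group !== '' && user.groups.includes(hrCase.assignment_group),
};

// Does the policy apply to this user at all (member of a listed group)?
function policyAppliesTo(user, policy) {
  return policy.groups.some((g) => user.groups.includes(g));
}

// Read decision for one case under one policy: deny unless every check passes.
function canRead(user, hrCase, policy) {
  if (hrCase.table !== policy.table || policy.operation !== 'read') return false;
  if (!policyAppliesTo(user, policy)) return false;
  return policy.condition(user, hrCase);
}

// Constructed sample data mirroring the question: HRC121 sits with US Benefits.
const hrc121 = { number: 'HRC121', table: 'sn_hr_core_case_benefits', assignment_group: 'US Benefits' };
const usAgent = { name: 'us.agent', groups: ['US Benefits'] };
const indAgent = { name: 'ind.agent', groups: ['IND Benefits'] };

console.log('US Benefits member reads HRC121:', canRead(usAgent, hrc121, benefitsReadPolicy));
console.log('IND Benefits member reads HRC121:', canRead(indAgent, hrc121, benefitsReadPolicy));
```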

2 REPLIES

Yashsvi
Kilo Sage

Hi @Vijay Baokar,

Please check the link below:


https://www.servicenow.com/community/hrsd-articles/hr-security-evaluation-acl-s-and-coe-security-pol...


Thank you, please mark helpful if you accept the solution.
