HR Survey: Question Text no visible for user with sn_hr_core.basic role

Lukasz Bojara
Kilo Sage

‎06-17-2024 02:34 AM

Hey everyone,

 

I need some help with a survey issue.

 

I have a survey that is sent to users during the progress of an HR case, and it's all set up in the Human Resources: Core scope. Users with the sn_hr_core.basic role should be able to see the responses, but the problem is that they can't see the question text (just the responses). I found out that there's an ACL on the asmt_metric table allowing read access for records in asmt_metric for the HR Core basic role. However, the ACL has a data condition based on the sys_scope field, which users with this role can't read. So, even though they have the right role, the ACL won't work because it's based on a field that only specific users have access to.\

 

LukaszBojara_0-1718616677053.png

 

LukaszBojara_1-1718616726260.png

 

 

Questions:

  1. Should I create another ACL for the sys_scope field to fix this?
  2. Do you have any other ideas on how to resolve this?
  3. Overall question to original set-up: Why add an ACL that won't work for users who should have access?

 

And just to clarify: Yes, it needs to be in the HR: Core scope.

 

Thanks for any advice!

0 Helpfuls
  • 602 Views
3 REPLIES 3

Paul Curwen
Giga Sage

‎06-17-2024 08:05 AM - edited ‎06-17-2024 08:07 AM

The Survey table structures are always a pain 😀

 

Couple of questions: 

1. Can an admin see them? (presuming yes and if so it will be ACL related)

2. Have you checked https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0714114

 

  • Table asmt_assessment_instance stores the surveys.
  • Table asmt_metric_result stores the survey answers.
  • Table asmt_metric stores the actual definition of the questions.

 

Your ACL above looks correct to me, but try using Access Analyzer for an easy way of identifying why a particular user cannot see a question. Or, if you want to do it the old fashioned way 😉 just turn Security Debugging on, Impersonate the affected user and open up the asmt_assessment_instance table and inspect the debugging output for the culprit

 

***If Correct/Helpful please take time mark as Correct/Helpful. It is much appreciated.***

Regards

Paul
0 Helpfuls

Lukasz Bojara
Kilo Sage
In response to Paul Curwen

‎06-17-2024 11:56 PM

Hi Paul,

 

Thank you for your reply. I have already done the analysis. This is why I have written that the original ACL has a condition set to check the sys_scope in metadata. But only admins are allowed to read this information. That is the reason for the message that part of the query will be ignored, the user does not have permissions to read the information that is needed for this ACL evaluation. 

0 Helpfuls

Wessel van Enk
Tera Guru
Tera Guru

‎06-18-2024 12:50 AM

Hello,

As the fields on the asmt_metric table are created in Global scope, the read access sometimes also needs to be defined in Global scope. Did you try that? 

It would then look like this:

Wessel_0-1718697010650.png

 

0 Helpfuls