HRSD Changing which records appear on To-Dos under My Requests
04-09-2024 03:46 PM
Does anyone have any experience with the To-Dos under My Requests in the standard ESC portal? This appears to be baked into the Widget and doesn't respect any of the Standard Ticket, (standard) To-dos or HRSD To-dos configuration.
The issue here is the All To-dos section under the Tasks To-Dos shows all Tasks to the user, regardless of what these are. So internal HRT records and Child Case relationships are shown to the user where they are not the assignee or the opened for. The Subject Person's manager seems to get pretty broad access to Cases about their employees.
This seems wrong and more like ITSM so investigating it with ServiceNow, but wondering if anyone else has any experience with this.
To clarify, this isn't so much of a security question as a configuration of the portal question.
Screenshot below is a Core Case (sn_hr_core_case) with no modified security configuration from the employee view. The employee has ITIL. They can see their own case, expected. They can see a Child Task, not expected as it's internal and not assigned to them. They can see a Child Case which isn't against them in any sense (no opened for, opened by, subject person); worse, in the screenshot example, the employee's manager is the Opened For, Subject of the Child Case.
04-10-2024 10:59 AM
It is OOB behavior that the Opened For person can see the Child Tasks and Child Cases. The Subject Person shouldn't have access to the case unless the 'Allow subject person access' box is checked on the HR Service Record. Is the manager in the watchlist of the case? That could have given them access to see the case, if your My Requests filters were modified to show cases where the logged in user is in the watchlist.
Look at the canReadCase and canEditCase functions of the hr_Case script include and the canEditTask function of the hr_Task script include to see all of the security variations that apply to HR Cases and its child records.
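Added example, not part of the thread and not ServiceNow's code: a simplified model of the visibility rules stated in the reply, run over constructed records that mirror the screenshot scenario, to list which To-Dos a user sees only through a parent case. The record shape, `hrServiceAllowsSubject` (standing in for the 'Allow subject person access' box), the `watchlistFilter` option and the `assigned_to` rule are assumptions for illustration.

```javascript
// Simplified model of the rules described in the reply above.
// NOT the hr_Case / hr_Task script includes; all names here are assumptions.
const records = [ // constructed sample data
  { id: 'HRC0001', parent: null, opened_for: 'employee', subject_person: 'employee',
    assigned_to: 'agent', watch_list: [], hrServiceAllowsSubject: false },
  { id: 'HRT0001', parent: 'HRC0001', opened_for: null, subject_person: null,
    assigned_to: 'agent', watch_list: [], hrServiceAllowsSubject: false },
  { id: 'HRC0002', parent: 'HRC0001', opened_for: 'manager', subject_person: 'manager',
    assigned_to: 'agent', watch_list: [], hrServiceAllowsSubject: false },
  { id: 'HRC0003', parent: null, opened_for: 'manager', subject_person: 'employee',
    assigned_to: 'agent', watch_list: ['employee'], hrServiceAllowsSubject: false },
];
const byId = new Map(records.map((r) => [r.id, r]));

// Return the first rule that makes `rec` visible to `user`, or null.
function reasonFor(user, rec, opts = {}) {
  if (rec.opened_for === user) return 'opened_for';
  if (rec.assigned_to === user) return 'assigned_to'; // assumption: assignee sees own task
  // Subject person only counts when the HR Service allows it.
  if (rec.subject_person === user && rec.hrServiceAllowsSubject) return 'subject_person';
  // Watch list only counts if the My Requests filter was modified to include it.
  if (opts.watchlistFilter && rec.watch_list.includes(user)) return 'watch_list';
  // Opened For of the parent case sees its child tasks and child cases.
  const parent = rec.parent ? byId.get(rec.parent) : null;
  if (parent && parent.opened_for === user) return 'parent:' + parent.id;
  return null;
}

// List every record the user would see, flagging those reached only via a parent.
function audit(user, opts = {}) {
  return records
    .map((rec) => ({ id: rec.id, reason: reasonFor(user, rec, opts) }))
    .filter((row) => row.reason !== null)
    .map((row) => ({ ...row, inheritedOnly: row.reason.startsWith('parent:') }));
}

console.log(audit('employee'));
console.log(audit('employee', { watchlistFilter: true }));
```

The rows with `inheritedOnly: true` are the ones to take into a review of the real access rules, since the user has no direct relationship to those records.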