HRSD IT User Admin Limited Access

shelbyadams
Tera Contributor

I am trying to create a way for our IT team to have limited user_admin type access. They need to be able to update user records and roles, but not Groups. They can read groups, but not write. Main concern is that if they add themselves to one of the HR assignment groups they will then have access to HR data and cases. I also want to set it up so that they ONLY see the User Administration application menu and no others since they should only be working within that application. I am a bit lost where to start since this seems to touch every area and I keep falling down rabbit holes of ACLs.

1 ACCEPTED SOLUTION

David Aldridge
Giga Guru

Adding people to groups with HR roles is restricted (OOTB) to users with the HR Admin role. Giving ITIL users user admin will not give them access to add users to HR groups unless they have the HR Admin role.

Tested this and it worked! Thank you for this tip!

Sandeep Rajput
Tera Patron

@shelbyadams You need to create a complete custom role in this case (user_admin_limited) and create and update ACLs on the sys_user, sys_user_group, sys_user_grmember tables around this new role. Assign this new role to your IT team and make sure to remove the existing roles related to user administration from their account. To restrict their visibility on modules, add this role on the User Administration application module. Make sure that this new role is not added on other modules. This way you will be able to limit their access on HR applications and groups.
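
An added example, not part of any reply in this thread: an offline audit for the concern raised in the question, that a limited user admin ends up holding HR access through group membership. It runs over constructed, simplified exports of sys_user_has_role, sys_group_has_role and sys_user_grmember; the user and group names and the assumption that HR roles carry the `sn_hr_core.` prefix are illustrative, and nested groups and contained roles are not followed.

```javascript
// Added example: audit over constructed, simplified table exports.
// Field values are display names here; a real export carries sys_ids.
const userHasRole = [            // sys_user_has_role (constructed)
  { user: "it.alice", role: "user_admin_limited" },
  { user: "it.bob", role: "user_admin_limited" },
  { user: "hr.carol", role: "sn_hr_core.admin" },
];
const groupHasRole = [           // sys_group_has_role (constructed)
  { group: "HR Tier 1", role: "sn_hr_core.case_writer" },
  { group: "Service Desk", role: "itil" },
];
const groupMember = [            // sys_user_grmember (constructed)
  { user: "it.alice", group: "Service Desk" },
  { user: "it.bob", group: "Service Desk" },
  { user: "it.bob", group: "HR Tier 1" },
  { user: "hr.carol", group: "HR Tier 1" },
];

// Assumption: HR roles are recognised by the sn_hr_core scope prefix.
const isHrRole = (role) => role.startsWith("sn_hr_core.");

function findHrExposure(limitedRole, userRoles, groupRoles, members) {
  const limitedUsers = new Set(
    userRoles.filter((r) => r.role === limitedRole).map((r) => r.user));
  // Map each group to the HR roles it grants to its members.
  const hrGroups = new Map();
  for (const { group, role } of groupRoles) {
    if (!isHrRole(role)) continue;
    if (!hrGroups.has(group)) hrGroups.set(group, []);
    hrGroups.get(group).push(role);
  }
  const findings = [];
  // HR roles listed on a limited admin's own role rows.
  for (const { user, role } of userRoles) {
    if (limitedUsers.has(user) && isHrRole(role))
      findings.push({ user, via: "user role row", roles: [role] });
  }
  // HR roles reached through membership of a group that grants them.
  for (const { user, group } of members) {
    if (limitedUsers.has(user) && hrGroups.has(group))
      findings.push({ user, via: group, roles: hrGroups.get(group) });
  }
  return findings;
}

console.log(findHrExposure("user_admin_limited", userHasRole, groupHasRole, groupMember));
```

An empty result means no holder of the limited role reaches an HR role by either path in the exported data.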