Restrict HRTask to Assignment Group and Parent>HR Case Assignment Group

Jeff137 · ‎10-08-2023

To my understanding, there is a complex set of business rules, script includes and ACLs managing access within HRSD. I've taken a couple dives but been unable to decipher thus far. Therefore I am seeking advice on how to achieve the following requirement while minimising impact to OOB configuration.

Restrict HR Task access to members of the assignment group and/or assigned to and members of the parent HR Case assignment group.

Example:

HRC0000001 is assigned to HRGroupA.
HRT0000001 is assigned to HRGroupB.
HRT0000002 is assigned to HRGroupC.
HRT0000001 is a child of HRC0000001.
HRT0000002 is a child of HRC0000001.
HRGroupA and HRGroupB can access HRT0000001.
HRGroupA and HRGroupC can access HRT0000002.
HRGroupB cannot access HRT0000002.
HRGroupC cannot access HRT0000001.

Allen Andreas · ‎10-09-2023

Hi,

The remaining two options were ACLs and a query business rule, both of which are standard platform features. I'm unsure what type of assistance you may need for working with these, but I'll list the documentation as such:

Additionally, you should be able to view other query business rules on your instance as they're used in other parts of the platform and in those records, you'll see example script, etc. Let us know if you have additional questions after you've reviewed the above and perhaps gave it a shot?

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

View solution in original post

Allen Andreas · ‎10-08-2023

Hi,

For HR, there's the recommended path to using COE Security as the form of restricting access, but, if you're simply trying to control this by the assignment group, instead of COE, then you'll most likely need to review your ACLs.

Firstly, you'll need to look at who can read what today. Then, consider deactivating those (unless you want to change them, but deactivating is "cleaner" than changing them). Then, create appropriate ACLs per your needs. Additionally, you'll want to review if there are any "query" business rules for the related table(s). If so, consider deactivating and creating new with the criteria needed to help hide the records and hide the message "security prevents row from displaying" message.

Alternatively, if everyone has access to these records already (meaning HR access isn't an issue in general -- and it's more so the fact that you want to restrict as the least intrusive action), then consider focusing solely on the "query" business rule route.

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Jeff137 · ‎10-08-2023

Thank you @Allen Andreas for your response. From what I can see, the COE Security Configuration options doesn't cover HR Tasks. In this requirement, my primary concern is restricting HR Task access to the group/individual it is assigned to and the parent HR Case assignment group.

Allen Andreas · ‎10-08-2023

Hi,

The mention of COE was just in general for HR, if it applies now or in the future. In your case, with tasks, I would proceed with one of the 2 remaining options I had listed.

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Jeff137 · ‎10-08-2023

Thank you for the clarification. Is there any SN documentation you can recommend to use as guidelines for the process?