Security issue while adding/removing users from HR group via Flow

Prajakta Kokse
Tera Contributor

Hi all,

I have a catalog item attached to an HR service for Add/Remove users from HR groups. After HR case approval, my Flow should add/remove the user from the HR group.
 
Initially, when running as System User, the Flow was erroring out due to security restrictions.
 
To fix this, I tried using “Run with roles” and added the assignable role of the HR-scoped group roles.
For groups where the attached role has a valid Assignable by value, the Flow works fine.
 
The issue is with HR-scoped roles where Assignable by = empty. Even after Run with roles, the Flow fails with a security restriction while creating/deleting the sys_user_grmember record.
 
What I’ve tried so far:
  • Running the Flow as System User → failed due to security restriction.
  • Running with Run with roles and adding assignable roles → works only when “Assignable by” is populated.
  • Using a Business Rule to insert/delete sys_user_grmember → still blocked by the same restriction.
 
Has anyone faced this scenario? What’s the recommended best practice to manage HR group membership when the group’s role has no value in Assignable by?
 
Thanks in advance!

RaghavSh
Kilo Patron

Do you see any "invalidated or requested" records in the "sys_restricted_caller_access" table for your application?

What is the scope of your flow?


Raghav
MVP 2023

Bhuvan
Mega Patron

@Prajakta Kokse 
The issue is most likely due to restricted caller access.

Check the knowledge article below for more information:

https://noderegister.service-now.com/kb?id=kb_article_view&sysparm_article=KB0960942
See if there is any request from Flow Designer for the target table, allow the request (status = allowed), and try the flow again.

As per community guidelines, you can accept more than one answer as an accepted solution. If my response helped to answer your query, please mark it helpful & accept the solution.

Thanks,

Bhuvan

@Prajakta Kokse 
Below is the cross-scope application access for the sys_user_grmember table. 'Can Delete' is not allowed by default for scopes outside the global application scope. Try enabling the 'Can Delete' option and test in a sub-production instance.

An alternative option is to see if you can create the flow in the global scope and give the necessary permissions to the HR scope.

Thanks,

Bhuvan

Prajakta Kokse
Tera Contributor

@Bhuvan @RaghavSh

Thanks for the suggestion. I did check if there are any Restricted Caller Access requests for Flow Designer, but I don’t see any in this case.
 
Also, just to clarify:
My Flow is currently configured in the Human Resources Core scope.
I also tested by creating the Flow in the Global scope, but the issue with adding/removing users from HR groups still persists.