Security issue while adding/removing users from HR group via Flow

Prajakta Kokse
Tera Contributor

Hi all,

I have a catalog item attached to an HR service for Add/Remove users from HR groups. After HR case approval, my Flow should add/remove the user from the HR group.

Initially, when running as System User, the Flow was erroring out due to security restrictions.

To fix this, I tried using “Run with roles” and added the assignable role of the HR-scoped group roles.
For groups where the attached role has a valid Assignable by value, the Flow works fine.

The issue is with HR-scoped roles where Assignable by = empty. Even after Run with roles, the Flow fails with a security restriction while creating/deleting the sys_user_grmember record.

What I’ve tried so far:
  • Running the Flow as System User → failed due to security restriction.
  • Running with Run with roles and adding assignable roles → works only when “Assignable by” is populated.
  • Using a Business Rule to insert/delete sys_user_grmember → still blocked by the same restriction.

Has anyone faced this scenario? What’s the recommended best practice to manage HR group membership when the group’s role has no value in Assignable by?

Thanks in advance!


RaghavSh
Kilo Patron

Do you see any "invalidated" or "requested" records in the "sys_restricted_caller_access" table for your application?

What is the scope of your flow?


Raghav
MVP 2023

Bhuvan
Kilo Patron

@Prajakta Kokse

The issue is most likely due to restricted caller access.

Check the knowledge article below for more information:

https://noderegister.service-now.com/kb?id=kb_article_view&sysparm_article=KB0960942

See if there is any request from Flow Designer for the target table, allow the request [status = allowed], and try the flow again.

As per community guidelines, you can accept more than one answer as accepted solution. If my response helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan

@Prajakta Kokse

Below is the cross-scope application access for the sys_user_grmember table. 'Can Delete' is not allowed by default for scopes outside the global application scope. Try enabling the 'Can Delete' option and test in a sub-production instance.

[Screenshot: Application Access settings for the sys_user_grmember table]

An alternative option is to see if you can create the flow in the global scope and give the necessary permissions to the HR scope.

 

As per community guidelines, you can accept more than one answer as accepted solution. If my response helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan
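As an added example, not code from the thread or from ServiceNow itself, here is a pure-JavaScript model of the two checks Bhuvan points at (the table's application access flags and the restricted caller access requests), run over constructed records so it can be reasoned about outside an instance. The field names (access, create_access, delete_access, target_name, operation, status) and the scope name x_hr_custom are assumptions.

```javascript
// Added example (not from the thread): a model of cross-scope access to
// sys_user_grmember, evaluated over constructed records. Field names are
// assumed from the sys_db_object and sys_restricted_caller_access tables.

// Constructed: application-access row for sys_user_grmember. "Can Delete" is
// left unchecked, which is the default for callers outside the global scope.
const GRMEMBER_TABLE = {
  name: 'sys_user_grmember',
  sys_scope: 'global',
  access: 'public',        // Accessible from: All application scopes
  create_access: true,
  read_access: true,
  update_access: true,
  delete_access: false,
};

// Constructed: restricted-caller-access entries raised when the HR-scoped flow
// touched the table. Only entries with status "allowed" clear the caller.
const CALLER_ACCESS_REQUESTS = [
  { source_scope: 'x_hr_custom', target_name: 'sys_user_grmember', operation: 'create', status: 'requested' },
  { source_scope: 'x_hr_custom', target_name: 'sys_user_grmember', operation: 'delete', status: 'requested' },
  { source_scope: 'x_other_app', target_name: 'sys_user_grmember', operation: 'read',   status: 'allowed' },
];

// Does the table's application-access configuration permit `op` from `callerScope`?
function tableAllowsOperation(table, callerScope, op) {
  if (callerScope === table.sys_scope) return true;   // same scope: no cross-scope rule applies
  if (table.access !== 'public') return false;        // table not reachable from other scopes
  return Boolean(table[op + '_access']);              // per-operation flag (Can create/read/update/delete)
}

// Per operation: is the table flag set, has the caller scope been allowed, and
// how many requests still wait for an admin to set status = allowed.
function auditCrossScopeAccess(table, requests, callerScope, ops) {
  const result = {};
  for (const op of ops) {
    const related = requests.filter(r =>
      r.source_scope === callerScope && r.target_name === table.name && r.operation === op);
    result[op] = {
      tableAllows: tableAllowsOperation(table, callerScope, op),
      callerAllowed: related.some(r => r.status === 'allowed'),
      pendingRequests: related.filter(r => r.status === 'requested').length,
    };
  }
  return result;
}
```

Running the audit for the HR scope shows "create" blocked only by the pending caller-access request, while "delete" is additionally blocked by the table's unchecked 'Can Delete' flag, which matches the two fixes suggested in the replies.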