06-26-2025 06:39 AM
We have the following setup:
OOTB sn_hr_core_case_workforce_admin Allow If Read ACL which applies to snc_internal and evaluates canReadCase in the script part.
On top we have a COE policy checking the company of the subject person and grants one of our agent groups access to the case based on the company of the subject person having a certain ID.
It works fine in all use cases where subject person is active. When I set the active flag of the sys_user record of the subject person to false, the agents from the group can no longer see the cases for that subject person although they were able to see it while user was still active.
I didn't find any condition anywhere checking for subject person to be active for allowing read access to the case.
The only idea I had is that the COE policy check in canReadCase fails when checking the company ID of an inactive user (but I checked, and the ID is still filled, even for inactive users).
Has anyone seen this behavior before, and does anyone have an idea?
06-26-2025 06:52 AM
You need to check on the User Query BR. That states that only admins can see inactive users (OOB). And because your agent isn't allowed to see the inactive user record, it can't validate its company and doesn't get access.
On the other hand: why do you have open Cases for inactive users? Shouldn't you just close those?
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
06-26-2025 06:58 AM - edited 06-26-2025 06:59 AM
Hi Mark,
thanks for your comment. So you mean the COE policy check runs in the context of the agent accessing the case, instead of the system checking whether the COE policy evaluates to true? That would indeed explain the behavior, but it is different from how an ACL evaluates access, in my experience. Is there anywhere I can read more details on how exactly this happens?
The reason here is that sometimes the agents forget to close a case in time, or a user leaves the company on short notice, and then we have orphaned cases that only admins can close, which we would want to prevent.
06-26-2025 11:51 PM
Everything is evaluated. ACLs, Policies AND the query BRs. These just say: these records don't exist for you. So any policy/ACL or whatever that is trying to do something with inactive users can't do that, because the user can't see the record, so it can't query it.
Everything runs based on the agent. If the COE policy allows the agent to see the record, still the ACLs and Query BRs and everything else is evaluated to see if the data is accessible. In this case it's your COE policy that can't return 'true', because the user record can't be read by the agent, due to the query BR. And there's no way around that besides updating the BR to allow access to inactive users for certain roles/groups.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
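The evaluation order Mark describes, as an added, constructed model (not ServiceNow code and not the OOTB sn_hr_core_case_workforce_admin ACL or user query business rule): a row-level query rule on the user table is applied in the calling agent's context, so when the ACL script looks up the subject person to compare the company, the inactive record is simply absent and the check denies. The record shapes, IDs, the `hr_agent` role and the `hr_inactive_reader` role used to show the suggested business-rule change are all assumptions made for this example.

```javascript
// Constructed model (added example, not ServiceNow code) of how a query
// rule on the user table, evaluated as the calling agent, makes an ACL
// script's company check fail for an inactive subject person.

// Constructed sample data shaped like sys_user and an HR case record.
const USERS = [
  { sys_id: "u-alice", company: "c-acme", active: true },
  { sys_id: "u-bob", company: "c-acme", active: false }, // left the company
];
const CASES = [
  { sys_id: "case-1", subject_person: "u-alice" },
  { sys_id: "case-2", subject_person: "u-bob" },
];

// Company the COE policy grants the agent group access to (constructed ID).
const POLICY_COMPANY = "c-acme";

// Query rule modelled on the page's description: non-admins do not see
// inactive users. `extraRoles` is the hypothetical extension the answer
// suggests: let certain roles see inactive users as well.
function visibleUsers(agent, extraRoles = []) {
  const privileged =
    agent.roles.includes("admin") ||
    extraRoles.some((r) => agent.roles.includes(r));
  return USERS.filter((u) => u.active || privileged);
}

// Single-user lookup in the agent's context: rows hidden by the query rule
// do not exist for this caller, so the result is null rather than a record
// whose company field is still populated.
function getUserAs(agent, sysId, extraRoles = []) {
  return visibleUsers(agent, extraRoles).find((u) => u.sys_id === sysId) || null;
}

// Model of the "COE policy" part of canReadCase: grant read when the
// subject person's company matches the policy's company.
function canReadCase(agent, caseRec, extraRoles = []) {
  const subject = getUserAs(agent, caseRec.subject_person, extraRoles);
  if (!subject) {
    // Filtered out by the query rule: nothing to compare, so deny.
    return { allowed: false, reason: "subject_person not readable by agent" };
  }
  return subject.company === POLICY_COMPANY
    ? { allowed: true, reason: "company matched" }
    : { allowed: false, reason: "company mismatch" };
}

function findCase(sysId) {
  return CASES.find((c) => c.sys_id === sysId);
}

// Constructed principals and a hypothetical role for the extended rule.
const agent = { sys_id: "u-agent", roles: ["hr_agent"] };
const admin = { sys_id: "u-admin", roles: ["admin"] };
const HYPOTHETICAL_ROLE = "hr_inactive_reader";
const agentWithRole = { sys_id: "u-agent2", roles: ["hr_agent", HYPOTHETICAL_ROLE] };

// Walk through the scenario from the thread.
console.log("active subject, agent:  ", canReadCase(agent, findCase("case-1")));
console.log("inactive subject, agent:", canReadCase(agent, findCase("case-2")));
console.log("inactive subject, admin:", canReadCase(admin, findCase("case-2")));
console.log("inactive subject, agent with extended rule:",
  canReadCase(agentWithRole, findCase("case-2"), [HYPOTHETICAL_ROLE]));
```

The point the model makes visible is that the denial is not a company mismatch: the lookup never returns a row, so the ACL script has nothing to compare. Any fix therefore belongs in the query rule (which roles may see inactive users), not in the ACL or the COE policy.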