‎07-01-2024 10:30 AM
I only see a delete ACL OOB for HR group members where Group is 'HR' or Group.parent = HR. My user has the user_admin and sn_hr_core.manager roles, where the latter was specified in the OOB delete ACL. Still, it can't delete the record from the group member table when the group is HR or Group.parent = HR. I tried to disable the ACL but same thing. I notice that when this user opens the GROUP, the group is READ only. So I created a write ACL with the same condition and group as the delete, SAME THING. The group remains READ only. What else is restricting HR groups aside from ACLs?
I built a flow in Flow Designer to remove members from HR groups and am getting security issues using this API user. I want to avoid adding the sn_hr_core.admin role to achieve this. If I switch to 'system user' on the flow, same thing.
‎07-04-2024 12:56 AM
I received a solution from ServiceNow by adding a script step in the flow designer before the modification of the record, to impersonate a super user who should have the hr admin role. This works perfectly!
‎07-01-2024 11:06 PM
I don't know the specific ACL details, but any group that confers HR privileges can only be changed by the HR Admin role. This is fundamental to the security of the HRSD application and should not be changed.
‎07-01-2024 11:09 PM
If I can't give this API user the hr admin role, how do we provide this role to 'System User' on flow designer executions?
‎07-02-2024 05:49 AM
I think this is technically impossible. Every time you try to do something "HR specific" you also get an error that says something like "you are doing this with a blacklisted role ..." (cannot remember the exact wording).
In principle: "System User" does not have full HR access.
‎07-02-2024 05:48 AM
There is no way to use the Flow Designer (as of Washington DC) to add / remove users from any HR related group without HR permissions.
We had a similar scenario where we wanted to create a Catalog Item which allows users to temporarily get the HR Admin role assigned. This was before this feature was released: https://www.servicenow.com/community/now-platform-articles/washington-s-time-limited-user-roles/ta-p....
How did we overcome that issue?
- We created a Catalog Item where the end-user can request access to a group
- This Catalog Item fires a flow that handles approvals etc. and triggers an event
- The triggered event starts a scheduled job which does the adding / removing of the users
- The scheduled job runs as a particular user which has both admin and hr admin access
Hope that helps.
Cheers,
Julian