What restricts HR groups from non HR roled users?

ge3 · ‎07-01-2024

I only see a delete ACL OOB for HR group members where Group is 'HR' or Group.parent = HR. My user has user_admin role and sn_hr_core.manager roles where the latter was specified in the ACL delete OOB. Still it can't delete the record from group member table when the group is HR or Group.parent = HR. I tried to disable the ACL but same thing. I notice when this user opens the GROUP, the group is READ only. So i created a write ACL with the same condition and group as the delete, SAME THING. The group remains READ only. What else is restricting HR groups aside from ACLs?

I built a flow designer to remove members from HR groups and getting security issues using this API user. I want to avoid adding the sn_hr_core.admin role to achieve this. If i switch to 'system user' on the flow, same thing.

ge3 · ‎07-04-2024

I received a solution from ServiceNow by adding a script step in the flow designer before the modification of the record, to impersonate a super user who should have the hr admin role. This works perfectly!

View solution in original post

ge3 · ‎07-04-2024

I received a solution from ServiceNow by adding a script step in the flow designer before the modification of the record, to impersonate a super user who should have the hr admin role. This works perfectly!

JulianLemcke · ‎07-04-2024

Can you share what they have shared with you? Or did they simply share with you to use "session.onlineImpersonate("YOURSPECIALUSER")" or via "GlideImpersonate"?

ge3 · ‎07-04-2024

Create an action script with the below:

var userSysId = "SYS_ID"; // sys_id of a sys_user record that has the required role 
var myId = gs.getSession().impersonate(userSysId); 

Slava Savitsky · ‎07-04-2024

Consider adding a un-impersonation step afterwards.

Blog: https://sys.properties | Telegram: https://t.me/sys_properties | LinkedIn: https://www.linkedin.com/in/slava-savitsky/