What restricts HR groups from non HR roled users?

ge3
Tera Expert

I only see a delete ACL OOB for HR group members where Group is 'HR' or Group.parent = HR. My user has the user_admin and sn_hr_core.manager roles, where the latter was specified in the OOB delete ACL. Still, it can't delete the record from the group member table when the group is HR or Group.parent = HR. I tried to disable the ACL but same thing. I notice when this user opens the GROUP, the group is READ only. So I created a write ACL with the same condition and group as the delete, SAME THING. The group remains READ only. What else is restricting HR groups aside from ACLs?

 

I built a flow in Flow Designer to remove members from HR groups and am getting security issues using this API user. I want to avoid adding the sn_hr_core.admin role to achieve this. If I switch to 'system user' on the flow, same thing.

1 ACCEPTED SOLUTION

ge3
Tera Expert

I received a solution from ServiceNow by adding a script step in the flow designer before the modification of the record, to impersonate a super user who should have the hr admin role. This works perfectly!


8 REPLIES

Can you share what they have shared with you? Or did they simply share with you to use "session.onlineImpersonate("YOURSPECIALUSER")" or via "GlideImpersonate"?

Create an action script with the below:

var userSysId = "SYS_ID"; // sys_id of a sys_user record that has the required role
// Switch the session to that user; the return value is kept in myId
var myId = gs.getSession().impersonate(userSysId);

Consider adding an un-impersonation step afterwards.
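
The un-impersonation step suggested above, as an added example that is not part of the original thread or ServiceNow's own code: it wraps the privileged work so the original identity is restored even when the record operation throws. The names withImpersonation and makeMockSession are hypothetical, the mock session is constructed so the block runs off-instance, and it assumes impersonate() returns the sys_id of the previously active user.

```javascript
// Added example. Assumption: session.impersonate(sysId) switches the session
// user and returns the sys_id of the user that was active before the call.
function withImpersonation(session, privilegedSysId, work) {
  var originalId = session.impersonate(privilegedSysId);
  try {
    // Keep this callback as small as possible: only the one record
    // operation that needs the elevated role belongs here.
    return work();
  } finally {
    // Runs on success and on exception, so the elevated identity never
    // carries over into later flow steps.
    session.impersonate(originalId);
  }
}

// Constructed stand-in for gs.getSession(), used only to run this offline.
function makeMockSession(startUserId) {
  var current = startUserId;
  var calls = [];
  return {
    impersonate: function (sysId) {
      var previous = current;
      current = sysId;
      calls.push(sysId); // record every identity switch for review
      return previous;
    },
    currentUser: function () { return current; },
    history: function () { return calls.slice(); }
  };
}

// Exercise both the normal path and the failure path.
function demo() {
  var session = makeMockSession("api_user_id"); // constructed ids
  var seenInside = withImpersonation(session, "hr_admin_id", function () {
    return session.currentUser();
  });
  var threw = false;
  try {
    withImpersonation(session, "hr_admin_id", function () {
      throw new Error("delete blocked"); // simulated failure in the step
    });
  } catch (e) {
    threw = true;
  }
  return { seenInside: seenInside, after: session.currentUser(),
           threw: threw, history: session.history() };
}
```

On an instance, the first argument would be gs.getSession() and the callback would hold only the group member deletion.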