HR Profile - Read data from sensitive fields
‎04-25-2016 09:35 AM
Hi everyone,
We are currently populating the HR profile with user information. We have some issues reading/writing to sensitive employment fields such as date of birth, ethnicity, gender, etc. As admins we have granted hr_Admin, hr_profile_reader, etc. to ourselves. When we go to hr_profile and open any record, the sensitive fields (gender, ethnicity, etc.) are not even displayed on the form. When we go to the form layout we can see that they should appear on the form. If we disable, for example, the gender ACL, we are able to see the field. We don't want to disable any ACLs.
Any thoughts/ideas/suggestions how we can see the fields without disabling the ACLs?
Thank you!
‎04-25-2016 09:45 AM
If disabling the ACL causes the information to appear, then your prior role authorizations still did not satisfy the ACL conditions.
Remember, ACL conditions are additive. You *must* first meet the conditions and script before it even bothers checking your role.
Try my ACL troubleshooting guide and see if it helps:
ACL Troubleshooting - A visual beginners' guide
‎04-25-2016 10:04 AM
Thanks for your response. In the ACL the script: hr_Factory.getSecurityManager(current, gs).canRead(); is failing. This is OOTB. I am not seeing anything in there....
‎04-25-2016 10:06 AM
So something is inhibiting the read.
Is there a role specified on the dictionary entry for that field itself?
‎04-25-2016 10:18 AM
A new restriction was put into place with Geneva which may be affecting what you can see:
In the system, system administrators with the admin role are able to perform all tasks and view all data. However, HR profile information is confidential and should be viewed only by authorized HR personnel who are assigned a role that includes hr_profile_reader or hr_profile_writer, such as hr_agent.
Therefore, access to specific HR profile data is restricted from view by users with the admin role. This restriction includes the Description field of HR cases and HR tasks, as the field often contains HR profile information when a request is submitted through the HR Portal.
Here is the link to the documentation with the full info on this change:
Thanks.
Julie Gardiner | Product Manager, HR
ServiceNow