Comment
rhysbrennan
Tera Expert

Hi Willem,
Thank you for the article; it was a great help to us in unpacking a problem we have with COE Security. I'd like to add that I think there is an inaccuracy (at least from what we found in our instance), because the flow looks more like this:

[image attachment: rhysbrennan_0-1671623698802.png]

If you create an HR case, and you are an HR Professional, you can read and edit the case even when COE Security fails. For us this is a major concern, because we expect some HR records to be accessed only by certain groups. We don't have a solution, but this is what we found:

When the ACLs run, they call the sn_hr_core.hr_Case script include's canReadCase function. If the user has the sn_hr_core.case_reader role, then COE Security is evaluated. If that fails, then it will call this:

[image attachment: rhysbrennan_1-1671623813008.jpeg]

That then checks if they are the subject person and the subject person can read the ticket (from the HR Service Config), OR if the user can edit the case via the canEditCase function.

The canEditCase function skips the COE Security checks, because they already failed in the canReadCase function, but it will always allow the following roles to read the case:

  • Opened By
  • Opened For
  • Watch List
  • Collaborators

[image attachment: rhysbrennan_2-1671623813010.jpeg]
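An added illustrative model of the flow described in the comment above, not the actual sn_hr_core.hr_Case script include; the record field names, the coeSecurityPasses hook, the serviceConfig shape and the sample users and case are assumptions. It reports which path granted read access, so you can see a record being reached through canEditCase after COE Security has already failed.

```javascript
// Added illustrative model of the read-authorization flow described in the
// comment above. It is NOT the real sn_hr_core.hr_Case script include: the
// record field names, the coeSecurityPasses() hook and the sample data are
// assumptions chosen to make the described flow testable.

// Relationships that, per the comment, grant access inside canEditCase even
// after COE Security has failed. Returns the matching relation or null.
function editAccessRelation(user, hrCase) {
  if (hrCase.opened_by === user.id) return 'opened_by';
  if (hrCase.opened_for === user.id) return 'opened_for';
  if (hrCase.watch_list.includes(user.id)) return 'watch_list';
  if (hrCase.collaborators.includes(user.id)) return 'collaborators';
  return null;
}

// Models canReadCase and reports which path granted access, so a reviewer
// can see when a user reaches a record despite failing COE Security.
function explainReadAccess(user, hrCase, coeSecurityPasses, serviceConfig) {
  if (!user.roles.includes('sn_hr_core.case_reader')) {
    return { allowed: false, via: null };
  }
  if (coeSecurityPasses(user, hrCase)) {
    return { allowed: true, via: 'coe' };
  }
  // COE Security failed: the fallback checks are evaluated next.
  if (hrCase.subject_person === user.id && serviceConfig.subjectCanRead) {
    return { allowed: true, via: 'subject_person' };
  }
  const relation = editAccessRelation(user, hrCase);
  if (relation !== null) {
    return { allowed: true, via: 'edit:' + relation };
  }
  return { allowed: false, via: null };
}

// Constructed sample data: an HR professional who fails COE Security for a
// restricted case but is on its watch list.
const hrProfessional = { id: 'u100', roles: ['sn_hr_core.case_reader'] };
const otherReader = { id: 'u400', roles: ['sn_hr_core.case_reader'] };
const restrictedCase = {
  opened_by: 'u200', opened_for: 'u300', subject_person: 'u300',
  watch_list: ['u100'], collaborators: [],
};
const coeDenies = () => false; // stand-in for a failing COE Security check
const serviceConfig = { subjectCanRead: true };

console.log(explainReadAccess(hrProfessional, restrictedCase, coeDenies, serviceConfig));
// → { allowed: true, via: 'edit:watch_list' }
```

Running the same check over a case's actual opened_by, opened_for, watch list and collaborator values shows which users would retain access if COE Security were tightened for that COE.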