HR profile and HR case security
Because HR profile information is sensitive and confidential, the System Administrator [admin] cannot view it. The same is true for some of the information in HR cases and HR tasks.
HR profile information is confidential and viewed only by authorized HR personnel who are assigned a role that includes sn_hr_core.profile_reader or sn_hr_core.profile_writer, such as sn_hr_core.secure_info_reader.
For HR cases and HR tasks, only authorized HR personnel are allowed to view attachments, work notes and comments, description, calendar, and payload (configurable). Authorized HR personnel are assigned a role with sn_hr_core.case_reader and sn_hr_core.case_writer, such as sn_hr_core.secure_info_reader.
HR administrators [sn_hr_core.admin] will be able to perform all tasks and view all data.
HR profile information that system administrators can access
- The HR profile number and prefix of an employee.
- Employment information that is synchronized with the user record [sys_user]. This information includes name, employee number, department, manager, and location.
- Work contact information, such as work email address and work phone number. Personal information is hidden.
- Information that appears in the following related lists:
  - Employment Information
  - Contact Information
  - Beneficiaries
  - Who is Covered
  - Emergency Contacts
  - Direct Reports
  - Colleagues
  - Cases
HR case and task information accessible by HR Administrators
HR Administrators can view the employee user information, such as location and department, and the short description. Activities, such as state changes, are displayed in the activity stream, but comments and work notes are hidden. System Administrators cannot view this information.
When the HR Administrator opens an HR case or HR task, a message describes the information that is not displayed.
An HR case can be created from an HR profile. Click Create New Case under Related Links and Case Creation appears.
Impersonating a user
- Navigate to HR Administration > Properties.
- Scroll to If true, ACLs check if the user is being impersonated.
- Check Yes (true) to enable ACLs to check when a user is impersonating another user and prevent the user from viewing HR information.
- Even if the logged-in user has HR access and impersonates another HR user with the same access, HR information is not visible.
Note: This property was introduced for the HR Service Delivery scoped application and is not applicable to the HR Service Delivery Non-scoped application.
COE security policies are a way to easily restrict access to different COEs via configuration. The underlying COE security policy implementations are ServiceNow ACLs.
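The following is an added, stand-alone model of the visibility rules described on this page (which HR profile and case fields the System Administrator keeps, which roles unlock the rest, and what the impersonation property changes); it is not ServiceNow's ACL code, and the field names and the `canRead` helper are constructed for illustration. On a real instance the equivalent checks inside the HR ACL scripts are `gs.hasRole()` and `gs.getSession().isImpersonating()`.

```javascript
// Constructed model of the HR profile and HR case visibility rules this page describes.
// It is not ServiceNow's ACL code; on a real instance the equivalent checks inside the
// HR ACL scripts are gs.hasRole() and gs.getSession().isImpersonating().

// Role containment as the page describes it: secure_info_reader includes the
// profile/case reader and writer roles, and the HR admin role sees everything.
const ROLE_CONTAINS = {
  'sn_hr_core.secure_info_reader': ['sn_hr_core.profile_reader', 'sn_hr_core.profile_writer',
                                    'sn_hr_core.case_reader', 'sn_hr_core.case_writer'],
  'sn_hr_core.admin': ['sn_hr_core.secure_info_reader'],
};

// Expand assigned roles through containment (ServiceNow roles can contain other roles).
function expandRoles(assigned) {
  const out = new Set();
  const stack = [...assigned];
  while (stack.length) {
    const r = stack.pop();
    if (out.has(r)) continue;
    out.add(r);
    (ROLE_CONTAINS[r] || []).forEach((c) => stack.push(c));
  }
  return out;
}

// Roles that unlock the confidential fields of each record kind.
const HR_READ_ROLES = {
  profile: ['sn_hr_core.profile_reader', 'sn_hr_core.profile_writer'],
  case: ['sn_hr_core.case_reader', 'sn_hr_core.case_writer'],
};
// Limited view left to the System Administrator (field names are constructed labels).
const ADMIN_FIELDS = {
  profile: new Set(['number', 'prefix', 'name', 'employee_number', 'department', 'manager',
                    'location', 'work_email', 'work_phone']),
  case: new Set(['short_description', 'state', 'opened_for.department', 'opened_for.location']),
};

// kind: 'profile' | 'case'; session: { roles: [...], impersonating: bool };
// props.checkImpersonation models "If true, ACLs check if the user is being impersonated".
function canRead(kind, field, session, props) {
  const roles = expandRoles(session.roles);
  // With the property enabled an impersonating session gets no HR access, even when
  // both the real and the impersonated user hold HR roles.
  const blocked = props.checkImpersonation && session.impersonating;
  if (!blocked && HR_READ_ROLES[kind].some((r) => roles.has(r))) return true;
  // Otherwise only the limited System Administrator view remains (assumed to apply
  // to an impersonating admin too; the page only says HR information is hidden).
  return roles.has('admin') && ADMIN_FIELDS[kind].has(field);
}
```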
See Restricted caller access for HR.
See Manage HR roles.