HR profile and HR case security

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    Because HR profile information is sensitive and confidential, the System Administrator [admin] cannot view it. The same is true for some of the information in HR cases and HR tasks.

    Note:
    The preceding statement applies only when you complete the steps in Remove HR Administrator role from IT System Administrators.

    HR profile information is confidential and viewed only by authorized HR personnel who are assigned a role that includes sn_hr_core.profile_reader or sn_hr_core.profile_writer, such as sn_hr_core.secure_info_reader.

    For HR cases and HR tasks, only authorized HR personnel are allowed to view attachments, work notes and comments, description, calendar, and payload (configurable). Authorized HR personnel are assigned a role with sn_hr_core.case_reader and sn_hr_core.case_writer, such as sn_hr_core.secure_info_reader.

    HR administrators [sn_hr_core.admin] will be able to perform all tasks and view all data.

    HR profile information that system administrators can access

    System Administrators cannot create an HR profile. They can see the list of HR profiles and open HR profile records, but only have access to the following information.
    • The HR profile number and prefix of an employee.
    • Employment information that is synchronized with the user record [sys_user]. This information includes name, employee number, department, manager, and location.
    • Work contact information, such as work email address and work phone number. Personal information is hidden.
    • Information that appears in the following related lists.
      • Employment Information
      • Contact Information
      • Beneficiaries
      • Who is Covered
      • Emergency Contacts
      • Direct Reports
      • Colleagues
      • Cases

    HR case and task information accessible by HR Administrators

    HR Administrators can view the employee user information, such as location and department, and the short description. Activities, such as state changes, are displayed in the activity stream, but comments and work notes are hidden. System Administrators cannot view this information.

    When the HR Administrator opens an HR case or HR task, a message describes the information that is not displayed.

    An HR case can be created from an HR profile. Click Create New Case under Related Links and Case Creation appears.

    Impersonating a user

    You can prevent a user from accessing HR information by impersonating a user that has HR access, using the property If true, ACLs check if the user is being impersonated.
    • Navigate to HR Administration > Properties.
    • Scroll to If true, ACLs check if the user is being impersonated.
    • Check Yes (true) to enable ACLs to check when a user is impersonating another user and prevent the user from viewing HR information.
    • Even if the logged in user has HR access and impersonates another HR user with the same access, HR information is not visible.
      Note:
      This property was introduced for the HR Service Delivery scoped application and is not applicable to the HR Service Delivery Non-scoped application.

    COE security policies are a way to easily restrict access to different COEs via configuration. The underlying COE security policy implementations are ServiceNow ACLs.
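The role and impersonation rules described on this page, modelled as an added example in plain JavaScript (the language ServiceNow scripts are written in). This is not ServiceNow's own ACL code: in the platform these decisions are made by ACLs, and the role-containment map, the user objects and the field names below are constructed for the illustration. It shows why an [admin] user with no HR roles is denied, how sn_hr_core.secure_info_reader inherits the profile and case roles, which limited profile fields a System Administrator still sees, and how the impersonation property overrides even a valid HR role.

```javascript
// Added illustration, not ServiceNow platform code: a plain-JavaScript model of the
// access decisions this page describes (role containment, the sn_hr_core.admin
// bypass, and the "If true, ACLs check if the user is being impersonated" property).
// In the platform these decisions are made by ACLs; this model exists so the rules
// can be read and tested outside it. The containment map and users are constructed.

// Constructed containment map: the page describes sn_hr_core.secure_info_reader as a
// role that includes the profile and case reader/writer roles.
const ROLE_CONTAINS = {
  'sn_hr_core.secure_info_reader': [
    'sn_hr_core.profile_reader',
    'sn_hr_core.profile_writer',
    'sn_hr_core.case_reader',
    'sn_hr_core.case_writer',
  ],
};

// Roles that grant access to each protected resource. 'admin' (the IT System
// Administrator) is deliberately absent from both lists.
const REQUIRED_ROLES = {
  'profile': ['sn_hr_core.profile_reader', 'sn_hr_core.profile_writer'],
  'case': ['sn_hr_core.case_reader', 'sn_hr_core.case_writer'],
};

// HR profile fields the page says a System Administrator may still see
// (field names are constructed labels, not the table's real column names).
const LIMITED_PROFILE_FIELDS = [
  'number', 'prefix', 'name', 'employee_number', 'department', 'manager',
  'location', 'work_email', 'work_phone',
];

// Expand a user's assigned roles through the containment map (transitive closure).
function expandRoles(assigned, contains = ROLE_CONTAINS) {
  const effective = new Set();
  const pending = [...assigned];
  while (pending.length > 0) {
    const role = pending.pop();
    if (effective.has(role)) continue;
    effective.add(role);
    for (const child of contains[role] || []) pending.push(child);
  }
  return effective;
}

// Decide whether the session `user` ({ roles, impersonating }) may view the
// confidential data of `resource` ('profile' or 'case'). `roles` are the roles the
// session currently carries (while impersonating, those of the impersonated user);
// `aclCheckImpersonation` models the property described on the page.
function canView(user, resource, { aclCheckImpersonation = true } = {}) {
  const required = REQUIRED_ROLES[resource];
  if (!required) throw new Error(`unknown resource: ${resource}`);

  // With the property on, an impersonating session is denied even when the
  // impersonated user holds HR roles.
  if (aclCheckImpersonation && user.impersonating) return false;

  const effective = expandRoles(user.roles);
  if (effective.has('sn_hr_core.admin')) return true; // HR Administrator sees all data
  return required.some((r) => effective.has(r));
}

// Profile fields a viewer gets: all of them for authorized HR personnel, otherwise
// only the limited set (what the page says System Administrators see).
function visibleProfileFields(user, allFields, options) {
  if (canView(user, 'profile', options)) return [...allFields];
  return allFields.filter((f) => LIMITED_PROFILE_FIELDS.includes(f));
}

// Constructed sample users and a constructed field list with three confidential fields.
const SAMPLE_FIELDS = [...LIMITED_PROFILE_FIELDS, 'home_address', 'personal_email', 'beneficiaries'];
const sysadmin = { roles: ['admin'], impersonating: false };
const hrReader = { roles: ['sn_hr_core.secure_info_reader'], impersonating: false };
const hrReaderImpersonating = { roles: ['sn_hr_core.secure_info_reader'], impersonating: true };

console.log('sysadmin profile access:', canView(sysadmin, 'profile'));                    // false
console.log('sysadmin visible fields:', visibleProfileFields(sysadmin, SAMPLE_FIELDS).length); // 9
console.log('HR reader case access:', canView(hrReader, 'case'));                           // true
console.log('HR reader while impersonating:', canView(hrReaderImpersonating, 'profile'));   // false
console.log('same, property off:', canView(hrReaderImpersonating, 'profile', { aclCheckImpersonation: false })); // true
```

The impersonation gate is evaluated before any role lookup, which is what makes the page's statement hold: an HR user impersonating another HR user with identical roles still sees nothing while the property is on. Turning the property off (the `aclCheckImpersonation: false` call) is the non-scoped behaviour the page contrasts it with.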

    See Add field security in HR.

    See Restricted caller access for HR.

    See Manage HR roles.