Security policies do not get applied when the condition contains an inactive user - Known Error

Security policies do not get applied when the condition contains an inactive user Description COE Security Policies (or Employee Documents Security Policies) do not get applied when the condition contains an inactive user.

Steps to Reproduce

Create a COE security policy 2. For the condition, add a condition dotwalking from Opened for to Country code and select a country (Spain for instance) 3. Add a group for the policy (i.e. HR Tier 1) and submit 4. Create an HR case corresponding to the COE for a user that matches the country code you selected (make sure the user is active) 5. Impersonate a user who has case reading privileges and go to the newly created case 6. Ensure that the case is not readable 7. Now make the Opened for user inactive and repeat step 5 8. Observe that the case is now readable

Workaround This issue will be addressed in future roadmap.

In the meantime, using encoded query can be a workaround as it doesn't trigger the "user query" query Business Rule.

For COE Security Policies

Update the getCoeSecurityPolicy function in Script Include hr_SecurityUtils

Replace this line:

var filterCondition = !grPolicy.getValue('applies_when') || GlideFilter.checkRecord(caseGr, grPolicy.getValue('applies_when'), true); with:

var filterCondition = !grPolicy.getValue('applies_when'); if (!filterCondition) { var gr = new GlideRecord(tableName); gr.addEncodedQuery(grPolicy.getValue('applies_when')); gr.addQuery('sys_id', caseGr.getUniqueValue()); gr.query(); filterCondition = gr.next(); } For Employee Documents Security Policies

Update the _docSatisfiesPolicy function in Script Include ef_SecurityUtils

Replace:

_docSatisfiesPolicy: function(docGr, policy) { var cond = policy['applies_when']; if (gs.nil(cond)) return true;

return ScopedGlideFilter.checkRecord(docGr, cond); }, with:

_docSatisfiesPolicy: function(docGr, policy) { var cond = policy['applies_when']; if (gs.nil(cond)) return true;

if (cond) { var gr = new GlideRecord('sn_hr_ef_employee_document'); gr.addEncodedQuery(cond); gr.addQuery('sys_id', docGr.getUniqueValue()); gr.query(); return gr.next(); } },

If any Restricted Called Access gets invalidated, change their status to Allowed. Related Problem: PRB1676635