HR COE security read access behavniour - Known Error

HR COE security read access behavniour Description This is how the read access is provided by the COE security policy.

If a read policy matches the condition and coe and the user belongs to the required group, the user gets read access. If a read policy matches the condition and the coe but the user is not in the required group, read access is denied. If no read policy matches, read access is allowed — even if a matching write policy exists or the user is not in the group — because write policies restrict only write permissions, not read. If a write policy matches the conditions and the coe and the user is in the required group, the user also gets read access. Steps to Reproduce

1. Create a COE with type "write" and add applies when condition 2. Create HR case that matches to COE conditions 3. Impersonate user with sn_hr_core.case_writer role make sure the user in not in the COE groups

Expected Behavior: • Only grant READ access if user actually meets WRITE policy requirements Actual Behavior: • If user fails READ policy, immediately grant READ access when any WRITE policy exists • WRITE policy conditions are never evaluated

Workaround This is working as expected.