[Music] hey everyone been send all here with Clyde fast consulting wanted to go over one of the new features in the HR release for Orlando and that's the the new CEO II security policies that they've added in into the Orlando release so prior to Orlando anyone who had the case reader in case writer roles within HR were able to see any cases within any Co ease where we've ran into issues on implementations in the past is that there is usually some additional security that is needed to be put around some certain types of cases normally like your employee relations cases so I wanted to kind of demo out this new feature and show you how we can apply this to cases to put that additional security layer around ER cases within HR so first to set this up I'm going to create some new ER cases just just as an example here so if I look up employee relations here Co II I am going to create a case for a disciplinary issue and then we can now see this case exists and I'm going to go back to the list view here and create another for the same Co II but the other HR service so we now will have two employee relations cases that exist out here and again I'm just using a personal dev instance in in Orlando that I've spun up and I've enabled the HRSD core configuration plugin so we can see we have these two ER cases that exist and I am going to now pick a user here able and I'm going to add able to the HR tier one assignment group so now that I've been on that a lot of roles have been granted to able so if I are to impersonate Abel here and go look at employee relations cases you can see Abel is able to see all of these drill into them work them do anything that he needs to as a normal HR agent so I'm going to pop back now to the admin role and look at this new this new feature that's been added so we have the COA ACL configuration here and the way this works is you can simply pick the co e that you want this to apply to so I'm going to say employee relations cases for now I'm going to say this will apply to all HR services within the ER co e I am going to mark this as active and right now I'm just going to make this a read ACL so if I say this the record is now created and I have an ability down below here on this related list to add groups so I am going to say you know that we want to lock this down to the assignment group HR employee relations so if this should mean now is that we have this security policy in place that says only people with the HR employee relations assignment group should be able to read the HR service cases that exists within the ER co e so to test this out if I go look at employee relations cases as myself employee relations cases I can still see them as admin of course edit them but now if we were to impersonate able again and then go take a look at ER cases play relations cases you can see now Abel is not able to see any of these read them or even know that they exist so it looks like that's working perfect so let's go back over and play with this kind of see what other things we can do to to tweak this a little bit so I am going to go back now to that ACL configuration that I set up and I'm going to make a small change and say alright this is only going to apply to some of the services within this CoA let's say I am going to only apply this to the Disciplinary issue and what this will label need to do when I save this and impersonate Abel Abel will not be able to see this specific HR service but should be able to see the other one so let's go check this out real quick all right so now let's go look employee relations cases and you can see in fact Abel is able to see the disciplinary issue inquiry but not the other one that we have specifically locked down and can now work this case as they would any other normal case that didn't have that additional layer of security on it so as I go back again let's see what other changes we can make here I am going to say that I'm going to change us to a write a seal and see if Abel is then able to read but not make any changes on this case so switch that to a right I'm going to switch back now to Abel go look at employee relations cases and you can see now Abel is able to see both if Abel looks at the case that has the security on it the additional security everything is locked down here can't add work notes down below comments everything is locked out no changes can be made one one bug I have noticed though this ready to for work button is still here which I wouldn't think should be if you click that you can see the state here will change from draft to ready so not completely locked out from doing everything but his a bug I would notice their be assigned to me however doesn't look like it works you could see their a flashed for a second that assigned able to tur when it reloaded it didn't actually have it assigned to him so you can see that again right there so it looks like it's sort of working there must be a few little minor bugs in the background that are preventing it from being fully locked down but just wanted to point now not feature our bug sorry one other thing I want to do is create a case so I have noticed one additional bug here and I'm gonna set up there set up the co e security to show you what this looks like so right now we have only locked down the co e for a specific HR service within it so first let's actually impersonate Abel again and try to create an HR case HR let's go look at all open cases and was it new and I'm going to select Abraham Lincoln and I am going to pick an employee relations case you can see both show up here and that is what I would expect since the the the documentation here says the CEO a security policies don't affect the case creation so that leads me to believe you should be able to create cases still and we can see in fact that's the case here but what I've noticed is if I now go back and edit this CEO e ACL configuration and I say supplies to all services within and I'd save this and let's change this back to a read so now this is preventing Abel from reading any of the cases within the Co II and if I go back now and impersonate Abel and select the create a new case and Abraham Lincoln and you can see the Co II has completely been removed from the CLU list here I cannot select anything in the ER cases and that seems to be in conflict with again what is being written here in the documentation that it shouldn't affect the case creation that we should still be able to view or modify or we should still be able to create that case but it doesn't appear that we can so I just wanted to point out that feature our again bug but then perhaps that'll be fixed quickly here and in one of the later hot fixes the other thing that I noticed is even though we have restricted Abel from seeing all gr cases that that doesn't affect the the modules here on the left so for example I can still click and see er cases in the left nav but if I try to view them they don't of course don't show but a good you know step to take would be to edit this module here to then mirror the changes that you've made to the the COA ACL configuration so in our example we've limited that to the HR employee relations group so we would probably want to do the same on this module on the left so it's not showing for people who shouldn't be able to see that so I hope this is helpful I just wanted to kind of go over this feature just because it was something I'm was really excited about to see that they've added in Orlando since we have this is a pretty common task on a lot of projects that we implement where companies want additional security around certain CEO is so glad to see movement in the right direction here in ServiceNow baking this into the the core platform in Orlando so again thanks everyone see you later [Music]