How to exclude Correspondence agent from ABAC restrictions

General
, , , , , ,
1

Hi all,

We have the following scenario:

  • Case type is setup to allow e-mail approval.

  • ABAC is implemented in our app to restrict Read access to users that are not part of a HubName. The Hub name is defined in a special .HubName property in the case type.

  • ABAC is also using the OOTB “isBatchRequestor” when rule. (screenshot of the setup below)

ABAC setup.png
ABAC setup.png1071×424 16.4 KB

When you try to approve a task via e-mail, it gets an exception “You are not authorized to open instance XXXXX.”

Disabling the ABAC allows e-mail approval to function as expected.

Do you know how can I allow the correspondence agent to access & update the case thru the ABAC?

2

@PetarHR

For browser requester type alone have your logic getting defined in ABAC for checking Hub condition. For other requester types you can allow the system to access the cases without any validation.

Email listener will come under App Requester type. I am not sure any OOTB when rule avail to check App Requester type similar to batchrequester. If when rule avail to validate App Requester then by using that you can remove the security restriction for that requester type also.

3

Thanks @Gunasekaran_Baskaran !

I’ll look into some way to catch the requestor type & evaluate it in my logic. Your requestor type guidance actually helps a lot! Thanks! :slight_smile:

4

I’ve managed to solve the issue by creating a custom function similar to the isBatchRequestor. Followed the same components & the exact same code with just a small change in the end:

Function logic.png
Function logic.png781×264 11.6 KB

Hope this helps anyone facing the same in the future. :slight_smile: