Issue
Users without ITIL roles (i.e. users holding only sn_hr_core_case_reader or sn_hr_core_case_write) are also able to view all Requested Item (sc_req_item) records.
Cause
Read access to sc_req_item for users with the sn_hr_core_case_reader or sn_hr_core_case_write role is granted by the following out-of-box (OOB) ACLs:
- https://<instance_name>/nav_to.do?uri=sys_security_acl.do?sys_id=fe5370019f22120047a2d126c42e700a
- https://<instance_name>/nav_to.do?uri=sys_security_acl.do?sys_id=7e5370019f22120047a2d126c42e7009
Resolution
This is the expected behavior. There are cases where catalog items need to be built in the HR application, and Requested Items and Requests are child records of an HR Case, so HR users must be able to use the Service Catalog and view/update the child requests of an HR Case. If this access is not desired, the OOB ACLs listed above are the ones to review and adjust.