The way the record producer "Click Here to Raise a Case for HR" works exposes HR case information to users who hold the admin or catalog_admin role. The submitted values are stored in the question_answer table: for every record whose Question is "Description", the Value column holds the case description, so all the details of the HR case are visible there. Out of the box in ServiceNow, the way roles (permissions) work gives users with the admin or catalog_admin role read access to the question_answer table, which needs to be reviewed. What is ServiceNow's advice on how to close off this exposure to HR case data?
Release or Environment
Orlando Patch 3 Hot Fix 2
The OOB property glide.enforce_security_scope.sn_hr_core is missing on the instance.
The issue is reproducible on an instance where ACLs from outside the sn_hr_core scope are also triggered and are able to access the scoped records. When the affected instance is compared with OOB, one property is missing: glide.enforce_security_scope.sn_hr_core. After adding this OOB property to the instance, users with the catalog_admin role are no longer able to see the question_answer table data. The OOB property is attached as XML.