Create scoped Access Roles via script: Access to api 'setValue(sys_security_acl_role.sys_user_role)'

brian_rowland
Giga Guru

Hello folks,

Running into issues creating scoped Access Role (sys_security_acl_role) records and modifying Access Controls (sys_security_acl) via script. Even though the Table's Application Access is configured and the Cross-scope Privilege for GlideRecord.setValue is configured, I still get the issue. Here's what's been done to enable the operation:

1) [Access Roles] Granted Can create for all application scopes

2) Created several cross-scope privileges for GlideRecord methods and table operations

3) Executed cache.do to appease the ServiceNow Gods

Running a background script (elevated) to create Access Roles for every record ACL in the scope still fails:

// Background script (elevated): one Access Role record per record ACL in the scope
var acl = new GlideRecord("sys_security_acl");
acl.addEncodedQuery("sys_scope=f6e044183a9602105960d9723d9a7a8c^type=record");
acl.query();
while (acl.next()) {
    var foo = new GlideRecord("sys_security_acl_role");
    foo.initialize();
    foo.setValue("sys_user_role", "b884c85c479602105c79b979316d43c7"); // role to grant
    foo.setValue("sys_security_acl", acl.getUniqueValue());            // sys_id of this ACL
    foo.insert();
}

Goes KABOOM!

Security restricted: Access to api 'setValue(sys_security_acl_role.sys_user_role)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_security_acl)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Create operation against 'sys_security_acl_role' from scope 'x_38557_time_off_0' has been refused due to the table's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_user_role)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_security_acl)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Create operation against 'sys_security_acl_role' from scope 'x_38557_time_off_0' has been refused due to the table's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_user_role)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_security_acl)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Create operation against 'sys_security_acl_role' from scope 'x_38557_time_off_0' has been refused due to the table's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_user_role)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_security_acl)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Create operation against 'sys_security_acl_role' from scope 'x_38557_time_off_0' has been refused due to the table's cross-scope access policy

This is all running on a PDI, and one weird difference I get on a partner instance is that the Create operation is allowed; however, the blocked setValue() calls result in an invalid GlideRecord for foo, and the system aborts the inserts due to null values in required fields.

Security restricted: Access to api 'setValue(sys_security_acl_role.sys_user_role)' from scope 'x_neis_time_off_0' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(sys_security_acl_role.sys_security_acl)' from scope 'x_neis_time_off_0' has been refused due to the api's cross-scope access policy
Background message, type:error, message: Role field cannot be empty
Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^c217d8981b5a861009844081b24bcb43'. Business Rule Stack:Prevent null role creation for ACL

What sacrifice must be made to appease the App Engine?

Thanks in advance
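Added here as an example of triaging output like the above (it is not code from the post and does not run inside ServiceNow): a Node.js script that parses the "Security restricted" and business-rule lines into the distinct cross-scope grants they imply, one per API or table operation and source scope. The message formats are assumed to match the lines quoted in the post, and the sample lines are constructed from them.

```javascript
// Added example, not from the post. Collapses repeated per-iteration
// "Security restricted" messages into the distinct grants they imply
// (API name or table + operation, per source scope) so the list can be
// compared against the cross-scope privileges actually configured.
const API_RE = /^Security restricted: Access to api '([^']+)' from scope '([^']+)' has been refused due to the api's cross-scope access policy$/;
const TABLE_RE = /^Security restricted: (\w+) operation against '([^']+)' from scope '([^']+)' has been refused due to the table's cross-scope access policy$/;
const RULE_RE = /^Operation against file '([^']+)' was aborted by Business Rule '([^'^]+)/;

// Classify one log line; returns null for lines that are neither a denial nor an abort.
function parseLine(line) {
  const s = line.trim();
  let m = API_RE.exec(s);
  if (m) return { kind: 'api', target: m[1], scope: m[2] };
  m = TABLE_RE.exec(s);
  if (m) return { kind: 'table', operation: m[1].toLowerCase(), target: m[2], scope: m[3] };
  m = RULE_RE.exec(s);
  if (m) return { kind: 'business_rule', target: m[1], rule: m[2] };
  return null;
}

// One entry per (kind, target, operation, scope) with a hit count; business-rule
// aborts are kept apart: an abort after setValue() denials means the insert
// reached the table with the denied fields still empty.
function summarizeDenials(lines) {
  const grants = new Map();
  const aborts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (ev.kind === 'business_rule') { aborts.push(ev); continue; }
    const key = [ev.kind, ev.target, ev.operation || '', ev.scope].join('|');
    const entry = grants.get(key) || Object.assign({ count: 0 }, ev);
    entry.count += 1;
    grants.set(key, entry);
  }
  return { grants: Array.from(grants.values()), aborts };
}

// Constructed sample: two loop iterations from the PDI, then the partner-instance tail.
const PDI = [
  "Security restricted: Access to api 'setValue(sys_security_acl_role.sys_user_role)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy",
  "Security restricted: Access to api 'setValue(sys_security_acl_role.sys_security_acl)' from scope 'x_38557_time_off_0' has been refused due to the api's cross-scope access policy",
  "Security restricted: Create operation against 'sys_security_acl_role' from scope 'x_38557_time_off_0' has been refused due to the table's cross-scope access policy",
];
const SAMPLE_LOG = PDI.concat(PDI, [
  "Security restricted: Access to api 'setValue(sys_security_acl_role.sys_user_role)' from scope 'x_neis_time_off_0' has been refused due to the api's cross-scope access policy",
  "Security restricted: Access to api 'setValue(sys_security_acl_role.sys_security_acl)' from scope 'x_neis_time_off_0' has been refused due to the api's cross-scope access policy",
  "Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^c217d8981b5a861009844081b24bcb43'. Business Rule Stack:Prevent null role creation for ACL",
]);

const summary = summarizeDenials(SAMPLE_LOG);
for (const g of summary.grants) {
  console.log(`${g.scope} needs ${g.kind} grant on ${g.target}${g.operation ? ' (' + g.operation + ')' : ''} [hit ${g.count}x]`);
}
console.log(`${summary.aborts.length} business-rule abort(s)`);
```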
