Cross-Scope access policy on a global scope table

Go to solution
thinker
Giga Contributor

‎08-15-2018 11:23 AM

I am writing a Custom Scoped Application. The application has logic to create, update and delete records in one of the Global scoped tables. However when it tries to delete a record, it gets a cross-scope error.

The reason is that the target table's Application Access does not allow delete (Can Delete unchecked). Understandable.

I read all about the Application Access Settings and understand that I shall create a cross-scope privilege record however the deletion is still refused unless the table's Application Access settings allow it. But then, if the table's Application Access settings allow it, then I don't even need the cross-scope privilege record.

I created a sample for it:

  1. Created a new table in Global scope, MyTable, with a field, Name. Set the table's Application Access to AllApplicationScopes with CanRead, CanCreate, CanUpdate and AllowAccessToThisTableViaWebServices.
  2. Create a new Custom Application, Test. Set the RuntimeAccessTracking to Tracking.
  3. Create another Custom Application, Test2. Leave the RuntimeAccessTracking to None.
  4. From within Test's scope, I execute a script to create a new record in MyTable:
    var rec = new GlideRecord('u_mytable');
rec.u_name =  'A';
rec.insert();

// Adds cross scope privilege record for Execute operation on GlideRecord.insert
// Adds cross scope privilege record for Create operation on u_mytable
// It also adds the record in MyTable because there are these two cross scope privilege records with Allowed AND the table's Application Access allows CanCreate
  5.  From within Test2's scope, I execute a script to create a new record in MyTable:
    var rec = new GlideRecord('u_mytable');
rec.u_name =  'B';
rec.insert();

// No cross scope privilege records are created because RuntimeAccessTracking is set to None
// But the record is still added to MyTable because table's Application Access allows it
  6. Now from within Test's scope, I execute the following script to delete a record in Mytable: 
    var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'A');
rec.query();
if(rec.next())
	rec.deleteRecord();

// Adds cross scope privilege record for Read operation on MyTable.
// Adds cross scope privilege record for Execute operation on GlideRecord.deleteRecord
// However the delete is refused because the table's Application Access Delete is not allowed (CanDelete is unchecked)
  7. Then from within Test2's scope, I execute the following script to delete a record in MyTable:
    var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'B');
rec.query();
if(rec.next())
	rec.deleteRecord();

// No cross scope privilege records are created because RuntimeAccessTracking is set to None.
// However the delete is refused because the table's Application Access Delete is not allowed (CanDelete is unchecked)
  8. Looks like I have to enable CanDelete for table's Application Access settings. So I went ahead and did that.
  9. Then I executed the delete script again in Test's scope:
      
    var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'A');
rec.query();
if(rec.next())
	rec.deleteRecord();

// Adds cross scope privilege record for Delete operation on MyTable.
// Deletes the record in MyTable because the cross scope privilege record exists and table's Application Access for CanDelete is set to true.​
  10. Finally I went ahead and executed the delete script again in Test2's scope:
    var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'B');
rec.query();
if(rec.next())
	rec.deleteRecord();

// No cross scope privilege records are created because RuntimeAccessTracking is set to None
// The record is still deleted because the table's Application Access has CanDelete set to true​

Now if the table's Application Access is mandatory, why do I need the cross scope privilege records at all?

Also, the target ServiceNow instance's administrator may want to allow Test application to be able to delete records but not every custom application like Test2.

So how can an administrator allow certain applications on certain tables without opening them for modifications from every application?

Thanks,

Vipin

Labels:
  • 10,133 Views
1 ACCEPTED SOLUTION

Go to solution
Brad Tilton
ServiceNow Employee
ServiceNow Employee
In response to thinker

‎08-20-2018 02:32 PM

Hi Vipin,

I understand the use case here, but the policy of not allowing store apps to delete any records is not something we would grant an exception for. I think the best you could do is have your app identify those records via a flag or setting them inactive, and then your customer can decide what to do with them. That could involve manually deleting them or just leaving them inactive.

Even with the asset/ci deletions oob, our recommendation is to only delete accets/cis in order to clean up errors. Once an asset or ci record exists in production it could have any number of task records open against it, which makes it much more difficult to delete.

View solution in original post

17 REPLIES 17

Go to solution
SanjivMeher
Kilo Patron
Kilo Patron

‎08-15-2018 12:01 PM

Does MyTable has Accesible from as All Application Scope access?


Please mark this response as correct or helpful if it assisted you with your question.
0 Helpfuls

Go to solution
thinker
Giga Contributor
In response to SanjivMeher

‎08-15-2018 12:19 PM

Yes Sanjiv, I updated the step above to clearly say it. Thanks.

0 Helpfuls

Go to solution
Brad Tilton
ServiceNow Employee
ServiceNow Employee

‎08-15-2018 12:03 PM

Hi Vipin,

The way that this should be working is that you'd need both the application access settings on the table to allow the operation and a cross-scope application policy to allow CRUD access to a table.

If the runtime access tracking is set to Tracking on the scoped application, the cross-scope privilege record should be created automatically the first time you try the crud operation. If the runtime access tracking is set to Enforcing (which it should be when the app is installed through the repository), then it should deny the operation if there is not already a cross-scope access record created.

This functionality did get enhanced in London with restricted caller access settings.

0 Helpfuls

Go to solution
thinker
Giga Contributor
In response to Brad Tilton

‎08-15-2018 12:25 PM

Hi Brad,

Thanks for reply. I would have assumed so too but my test proves it otherwise.

My concern is that an administrator of a target instance will not allow Application Access to All Application Scopes with CanDelete because it will open his instance and table to every custom application.

I'm running a London instance. I will go though this new stuff you pointed but I wonder how it worked in earlier versions. I will have to come up with a solution that works in all valid releases.

Thanks,

Vipin

0 Helpfuls