Cross-Scope access policy on a global scope table

thinker · ‎08-15-2018

I am writing a Custom Scoped Application. The application has logic to create, update and delete records in one of the Global scoped tables. However when it tries to delete a record, it gets a cross-scope error.

The reason is that the target table's Application Access does not allow delete (Can Delete unchecked). Understandable.

I read all about the Application Access Settings and understand that I shall create a cross-scope privilege record however the deletion is still refused unless the table's Application Access settings allow it. But then, if the table's Application Access settings allow it, then I don't even need the cross-scope privilege record.

I created a sample for it:

Created a new table in Global scope, MyTable, with a field, Name. Set the table's Application Access to AllApplicationScopes with CanRead, CanCreate, CanUpdate and AllowAccessToThisTableViaWebServices.
Create a new Custom Application, Test. Set the RuntimeAccessTracking to Tracking.
Create another Custom Application, Test2. Leave the RuntimeAccessTracking to None.

From within Test's scope, I execute a script to create a new record in MyTable:

var rec = new GlideRecord('u_mytable');
rec.u_name =  'A';
rec.insert();

// Adds cross scope privilege record for Execute operation on GlideRecord.insert
// Adds cross scope privilege record for Create operation on u_mytable
// It also adds the record in MyTable because there are these two cross scope privilege records with Allowed AND the table's Application Access allows CanCreate

From within Test2's scope, I execute a script to create a new record in MyTable:

var rec = new GlideRecord('u_mytable');
rec.u_name =  'B';
rec.insert();

// No cross scope privilege records are created because RuntimeAccessTracking is set to None
// But the record is still added to MyTable because table's Application Access allows it

Now from within Test's scope, I execute the following script to delete a record in Mytable:

var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'A');
rec.query();
if(rec.next())
	rec.deleteRecord();

// Adds cross scope privilege record for Read operation on MyTable.
// Adds cross scope privilege record for Execute operation on GlideRecord.deleteRecord
// However the delete is refused because the table's Application Access Delete is not allowed (CanDelete is unchecked)

Then from within Test2's scope, I execute the following script to delete a record in MyTable:

var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'B');
rec.query();
if(rec.next())
	rec.deleteRecord();

// No cross scope privilege records are created because RuntimeAccessTracking is set to None.
// However the delete is refused because the table's Application Access Delete is not allowed (CanDelete is unchecked)

Looks like I have to enable CanDelete for table's Application Access settings. So I went ahead and did that.

Then I executed the delete script again in Test's scope:

var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'A');
rec.query();
if(rec.next())
	rec.deleteRecord();

// Adds cross scope privilege record for Delete operation on MyTable.
// Deletes the record in MyTable because the cross scope privilege record exists and table's Application Access for CanDelete is set to true.

Finally I went ahead and executed the delete script again in Test2's scope:

var rec = new GlideRecord('u_mytable');
rec.addQuery('u_name', 'B');
rec.query();
if(rec.next())
	rec.deleteRecord();

// No cross scope privilege records are created because RuntimeAccessTracking is set to None
// The record is still deleted because the table's Application Access has CanDelete set to true

Now if the table's Application Access is mandatory, why do I need the cross scope privilege records at all?

Also, the target ServiceNow instance's administrator may want to allow Test application to be able to delete records but not every custom application like Test2.

So how can an administrator allow certain applications on certain tables without opening them for modifications from every application?

Thanks,

Vipin

Brad Tilton · ‎08-20-2018

Hi Vipin,

I understand the use case here, but the policy of not allowing store apps to delete any records is not something we would grant an exception for. I think the best you could do is have your app identify those records via a flag or setting them inactive, and then your customer can decide what to do with them. That could involve manually deleting them or just leaving them inactive.

Even with the asset/ci deletions oob, our recommendation is to only delete accets/cis in order to clean up errors. Once an asset or ci record exists in production it could have any number of task records open against it, which makes it much more difficult to delete.

View solution in original post

Brad Tilton · ‎08-15-2018

Can you retry your last test, but instead of having the Runtime access tracking set to None, have it set to Enforcing? That should cause it to deny access.

Is this for a store app by chance? We don't actually allow any record deletions from a store app at all so it would be a moot point if so.

thinker · ‎08-15-2018

I think it does deny the access. It creates the cross-scope privilege records but set them to Requested and refuses the operation. But then if I, as administrator, approve those records as set them to Allow, and try again; it will work. But I will give it a shot and get back.

Thanks again.

thinker · ‎08-15-2018

Yes, it did Deny the access but added the cross scope privilege record with Requested state. After I set it to Allowed, it worked. But only if the Application Access is set to AllApplicationScopes with CanDelete.

And if that is a must, then there is no point of seeking a cross scope privilege record because applications without it can also delete records.

Brad Tilton · ‎08-15-2018

When you say "applications without it can also delete records" you mean applications where runtime access tracking is set to none, right?

That field should really only ever be set to tracking in dev environments, then Enforcing in test/prod environments, and it shouldn't be set to None. When it's set to enforcing then it should not allow any access without the cross scope application record.

What is the scenario here? Is this all in house development and deployment, or something that is going to go through the store?

thinker · ‎08-15-2018

Yes, set to None.

I wanted to fully understand the point of None and Cross Scope so I didn't say anything about the store; sorry about that 🙂

Yes, this is a store app; now as you said before, the store apps can never delete the records in Global or other scopes. So what is the way out?

My application synchronizes data in ServiceNow tables via Import Sets and if a record is marked deleted in incoming data set, it marks the record deleted (sets a field).

Now my users/customers want to automate the deletion part too and want this application deletes the records if they are marked deleted at the end of import.

I was planning on a script that can be executed at the end but got into this cross scope issue. So what is the best way to proceed. I fully understand and am absolutely fine administrators explicit permissions for this.

I guess another way is that administrators write a BR or script themselves that looks for all records marked for deletion and runs it in Global scope but I really want to automate and ship it as part of application so customers have a standard behavior, and is effective for us to debug, when needed.

Thanks,

Vipin