Cross-scope table access issues: "...has been refused due to the api's cross-scope access policy"

davidmcdonald · ‎03-15-2020

I've created a scoped application, lets call it "x_scopedapp_a", and a second scoped app which provides some additional features to x_scopedapp_a, lets called this other one "x_scopedapp_b". This includes a "Copy" button to copy a record in a fancy way, but would be crossing app scopes to do it.

When I try to use a script to read, write, and insert into a table in "x_scopedapp_a" from a script in "x_scopedapp_b", I'm getting all sorts of cross-scope access issues.

Source descriptor is empty while recording access for table x_scoped_app_a_table: no thrown error
Security restricted: Read operation on table 'x_scoped_app_a_table' from scope 'Scoped app B' was denied because the source could not be found. Please contact the application admin.
x_scoped_app_b (SomeScriptInclude): Creating copy of: 76f7dd4adbafc0906eed8f423a961951
Security restricted: Access to api 'setValue(x_scoped_app_a_table.name)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(x_scoped_app_a_table.process_vulnerability)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(x_scoped_app_a_table.process_id)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(x_scoped_app_a_table.name)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Create operation against 'x_scoped_app_a_table' from scope 'x_scoped_app_b' has been refused due to the table's cross-scope access policy

The table itself has had all of the cross-scope access options enabled on it.

In the application settings for x_scoped_app_b, I can see some Cross Scope Privileges being created, but for this table it's just a read one.

Changing the operation to Write or anything else doesn't appear to have any affect.

I feel like I'm missing something. Any thoughts?

davidmcdonald · ‎03-16-2020

I'm not sure why, but the issue has been resolved.

After a colleague clicked on "Publish to update set" on Application A, all of the cross-scope issues I was having have been fixed.

I'd like to know more about the cause of the issue, but clicking that button has resolved it.

View solution in original post

Riro1 · ‎05-22-2022

i see. Im having the same issue right now plus we are not allowed to edit the global scope.

Peter de Bock1 · ‎05-23-2022

hi Riro,

Some out of the box Global script includes are protected. This is to make sure future upgrades are not causing issues due to customizations.

If you make a new Globa script include, you can add the setWorkflow function in it and call/invoke it from another scope script include.

The example above is to invoke it from a scoped scriptinclude. Replace "your-global-script-include" with your script include. You need to change your scope to global to create a new global script include.

regards, Peter

Riro1 · ‎05-23-2022

Hello Peter,

Thanks for the reply. In other words, you need to change something in the global scope? If yes, is there a way to fix it without touching the global scope? We cant touched it.

Peter de Bock1 · ‎09-10-2021

I have pasted two examples:

Example A: An example to avoid business rule before queries in a script include in the same scope as the object, can be done as follow:

Get a Hr Profile record in a "Human Resources: Core" scope script include

//get the hr profile based on unique key "intuserid"
var hrProfile = new GlideRecord('sn_hr_core_profile');
hrProfile.setWorkflow(false); //Avoid BS Rule before query which limits results for users
var profile = hrProfile.get(intuserid) ? hrProfile : null;

Example B : When you want to query a record in a script include which is in a different scope than the object , you need to have an additional script include.

Example: script include below Global scope performing a query on HR Scope using the function getHrProfile

//get HR Profile by User_ID (sys_id) from a Script Include in a Global scope
var coreHRScript = new sn_hr_core.scriptsIncludeHrCore();
var grHrProfile = coreHRScript.getHrProfile(User_ID);

gs.info("HR Profile number: "+grHrProfile.getValue('number'));

Below an example script include in Human Resources: Core Scope having a function getHrProfile with a query with setworkflow(false) which avoids Before Business Rule queries.

var scriptsIncludeHrCore = Class.create();
scriptsIncludeHrCore.prototype = {

initialize: function() {},

getHrProfile: function(userId){
	var grHrProfile = new GlideRecord('sn_hr_core_profile');
	grHrProfile.addQuery('user', userId);
	grHrProfile.setWorkflow(false);
	grHrProfile.query();
	if (grHrProfile.next()) {
		return grHrProfile;
	}else{
		return;
	}
},

Please mark helpfull or answered when it does 🙂

regards, Peter

Carlos de la F1 · ‎08-25-2022

Hi,

If you still experience cross-scope issues even after creating the cross-scope rules and activating the "application access" permissions in the table settings, try to refresh the cache by executing the below command in the "background - scripts" module:

gs.invalidateCache();

It was the only thing that worked for me.

Further reference in the below link:

Unexpected cross-scope error despite creating cross-scope privilege records

Please, Feel free to mark my answer as helpful if applicable.

Thank you!
Best Regards

Carlos DLF