Cross-scope table access issues: "...has been refused due to the api's cross-scope access policy"

davidmcdonald · ‎03-15-2020

I've created a scoped application, lets call it "x_scopedapp_a", and a second scoped app which provides some additional features to x_scopedapp_a, lets called this other one "x_scopedapp_b". This includes a "Copy" button to copy a record in a fancy way, but would be crossing app scopes to do it.

When I try to use a script to read, write, and insert into a table in "x_scopedapp_a" from a script in "x_scopedapp_b", I'm getting all sorts of cross-scope access issues.

Source descriptor is empty while recording access for table x_scoped_app_a_table: no thrown error
Security restricted: Read operation on table 'x_scoped_app_a_table' from scope 'Scoped app B' was denied because the source could not be found. Please contact the application admin.
x_scoped_app_b (SomeScriptInclude): Creating copy of: 76f7dd4adbafc0906eed8f423a961951
Security restricted: Access to api 'setValue(x_scoped_app_a_table.name)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(x_scoped_app_a_table.process_vulnerability)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(x_scoped_app_a_table.process_id)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Access to api 'setValue(x_scoped_app_a_table.name)' from scope 'x_scoped_app_b' has been refused due to the api's cross-scope access policy
Security restricted: Create operation against 'x_scoped_app_a_table' from scope 'x_scoped_app_b' has been refused due to the table's cross-scope access policy

The table itself has had all of the cross-scope access options enabled on it.

In the application settings for x_scoped_app_b, I can see some Cross Scope Privileges being created, but for this table it's just a read one.

Changing the operation to Write or anything else doesn't appear to have any affect.

I feel like I'm missing something. Any thoughts?

davidmcdonald · ‎03-16-2020

I'm not sure why, but the issue has been resolved.

After a colleague clicked on "Publish to update set" on Application A, all of the cross-scope issues I was having have been fixed.

I'd like to know more about the cause of the issue, but clicking that button has resolved it.

View solution in original post

TT21 · ‎08-31-2022

Hi,

I am setting up the Service Graph connector for SCCM and at The Configure Data Source and Schedule Data Import I was getting the error "scope 'sn_sccm_integrate' has been refused due to the api's cross-scope access policy" Checking the applications access on the Data Source and Schedule Data Import tables showed access had been update. After much searching refreshing the cache fixed it

Many Thanks

Tui

Denny6 · ‎01-30-2023

Thank you so much.

It fixed for me an issue at working on the developer > learn > Courses > Developing Virtual Agent Topics. I was not able by following the exercises to update tickets. I spend many hours on investigation what could get wrong and learned a lot about "Securing Applications" but nothing solved the issue except this small good hint: Run gs.invalidateCache(); in Background Script

Ashley · ‎02-17-2023

Glad I found this, only thing that worked for me after creating the cross-scope rules.

Only 30 minutes wasted

Thanks for the tip

Kind Regards

Ashley

DeuCh44-ext · ‎04-03-2025

I know this is an old and solved thread, but maybe it helps someone, who has the same problem as we had.
We simply forgot to add the variable set to the record producers script, where the definition takes place.

Example line from record producers script:

producer.variable_set_name.opened_for = current.opened_for;

The opened_for after the variable_set_name is a variable in the variable set.