Getting the cross-scope access policy error while executing the getDecryptedValue() function from the scoped app

Abbas Abidi1
Tera Guru

Access to api 'getDecryptedValue(secret_key)' from scope 'x_alsoi_**' has been refused due to the api's cross-scope access policy


Getting this error while trying to execute the getDecryptedValue() function from a scoped app while decrypting the password from the Azure Service Principal record.


Chris Hoenig
Kilo Contributor

I have come across this when trying to decrypt the secret_key (password2) field on an AWS Credential record from a custom scope. Although it appears to be called correctly, I am assuming that it might fall under what is mentioned in this HI KB about certain fields that are protected, so it will not allow access regardless of cross-scope privileges.

https://hi.service-now.com/kb_view.do?sysparm_article=KB0788878

I have figured out a workaround using the global GlideEncrypter API to get the clear text value of the password2 field.

https://developer.servicenow.com/dev.do#!/reference/api/orlando/server_legacy/GlideEncrypterAPI

The method I used starts with creating a script include in the global scope to decrypt the field, ensuring that it is accessible from all scopes. Using the default template I added a function that takes the table name + record sysID + password field name and returns the clear text value of the password2 field.


var CryptoUtils = Class.create();
CryptoUtils.prototype = {
	initialize: function() {
	},

	// Global-scope helper: looks up the record and decrypts the named
	// password2 field with GlideEncrypter. Returns undefined if the record
	// is not found, so callers must check the result.
	getPassword: function(tableName, recordSysID, passwordFieldName){
		var password; // declared here so the return below is not relying on hoisting
		var gr = new GlideRecord(tableName);
		if (gr.get(recordSysID)){
			var encryptedPassword = gr.getValue(passwordFieldName);
			var encrypter = new GlideEncrypter();
			password = encrypter.decrypt(encryptedPassword);
		}
		return password;
	},

	type: 'CryptoUtils'
};

I was then able to call this global script include from my scoped script include to get the clear text password available in my scoped app. A scoped script include was what worked for my use case. The global script include could be called from other server-side scoped scripting such as a business rule to meet your use case.


var ScopedUtils = Class.create();
ScopedUtils.prototype = {
	initialize: function() {
	},

	// Scoped-app caller: delegates the decryption to the global CryptoUtils
	// script include. The first call triggers the cross-scope privilege request.
	getAWSCredentials: function() {
		var tableName = ""; //insert table name here or alternatively pass it into this function
		var recordSysID = ""; //insert record sysID here or alternatively pass it into this function
		var passwordFieldName = ""; //insert the password field name here or alternatively pass it into this function

		var globalCryptoUtils = new global.CryptoUtils();
		var password = globalCryptoUtils.getPassword(tableName,recordSysID,passwordFieldName);
		// Log that a value was retrieved, but never the clear-text secret itself
		gs.info("password retrieved for " + tableName + "." + passwordFieldName + ": " + (password ? "yes" : "no"));
		return password;
	},

	type: 'ScopedUtils'
};

On the first run a cross-scope privilege was created from the custom scope to the global script include, and the password was successfully decrypted.
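A hardened variant of the global helper described above, added here as an example and not part of Chris Hoenig's post: a global script include that exposes decryption to every scope effectively makes any encrypted field readable from any application, so this version only decrypts table/field pairs on an explicit allow-list, validates the sys_id, returns null when nothing is found, and writes an audit line that names the record but never the clear-text value. The table and field names in ALLOWED_SECRET_FIELDS and the function names are assumptions; the GlideEncrypter call itself is the one the answer uses.

```javascript
// Added example (not the original poster's code). Table/field entries below are constructed.
var SYS_ID_PATTERN = /^[0-9a-f]{32}$/;

// Only these table/field pairs may be decrypted through this helper.
var ALLOWED_SECRET_FIELDS = {
  'x_example_azure_sp': ['password'],    // constructed entry
  'x_example_aws_cred': ['secret_key']   // constructed entry
};

// Pure validation step (no platform APIs), so it can be unit-tested outside
// the instance. Returns { ok: boolean, reason: string }.
function validateSecretRequest(tableName, recordSysID, fieldName, allowList) {
  var list = allowList || ALLOWED_SECRET_FIELDS;
  if (typeof recordSysID !== 'string' || !SYS_ID_PATTERN.test(recordSysID)) {
    return { ok: false, reason: 'sys_id must be 32 lowercase hex characters' };
  }
  if (!Object.prototype.hasOwnProperty.call(list, tableName)) {
    return { ok: false, reason: 'table not on allow-list: ' + tableName };
  }
  if (list[tableName].indexOf(fieldName) === -1) {
    return { ok: false, reason: 'field not on allow-list: ' + tableName + '.' + fieldName };
  }
  return { ok: true, reason: '' };
}

// Platform step: place this in a global-scope Script Include so scoped apps can
// call it. It decrypts only after validation and never logs the secret value.
function decryptAllowedSecret(tableName, recordSysID, fieldName) {
  var check = validateSecretRequest(tableName, recordSysID, fieldName);
  if (!check.ok) {
    gs.warn('decryptAllowedSecret refused: ' + check.reason);
    return null;
  }
  var gr = new GlideRecord(tableName);
  if (!gr.get(recordSysID)) {
    return null;
  }
  // Audit which record was read; the returned value is intentionally not logged.
  gs.info('decryptAllowedSecret: ' + tableName + '.' + fieldName + ' on ' + recordSysID);
  return new GlideEncrypter().decrypt(gr.getValue(fieldName));
}
```

From the scoped app, call `new global.<ScriptIncludeName>().decryptAllowedSecret(...)` as in the answer above and treat a null return as "refused or not found" rather than as an empty password.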

Hi @Chris Hoenig,

GlideEncrypter() is deprecated in recent ServiceNow versions. Can we have any other solution to allow access in scoped applications?