How to make admin users bypass the table's cross-scope access policy from an application scope

sam861
Giga Contributor

After reading "Access control list rules", any suggestions on how to use System Administrator to write to a table in another scope when my application is selected in the application picker and admin is logged in?

Take the table sys_properties for example.

https://dev12345.service-now.com/sys_db_object.do?sys_id=58b8c302e00332003399186128118f5e&name=sys_p...

Case: I use

I guess the GlideSystem property API could use a cache (e.g. Redis) in front of the database, and the API is convenient to use. However, when I write the property `x_123456_myapp.url`, this API doesn't work, and when I try GlideRecord.update, it gives "Write operation against 'sys_properties' from scope 'x_123456_myapp' has been refused due to the table's cross-scope access policy".

//Note: Running free-form JavaScript can cause system disruption or data loss. ServiceNow does not recommend running free-form scripts from a production instance.
//By default, administrators can access this module without elevating privileges. If you want to require elevated privileges to access this module, set the system property glide.script_processor.admin to security_admin.

// [0:00:00.069] Script completed in scope x_snc_amazon_echo: script
// Security restricted: Read operation on table 'sys_script' from scope 'Amazon Echo' was granted and added to 'Amazon Echo' cross scope privileges
// x_snc_amazon_echo: [enforcer]businessRule=undefined
// Security restricted: Create operation against 'sys_script' from scope 'x_snc_amazon_echo' has been refused due to the table's cross-scope access policy

REST API to insert or update...

BTW!!!

When I submit my post or reply, it always gives "Your content could not be saved due to an error. You may have been logged out. If this problem persists please contact your system administrator. Click here to refresh this page." at the bottom of this page.

1 ACCEPTED SOLUTION

Dave Smith1
ServiceNow Employee

sam fang wrote:



After reading Access control list rules, any suggestions to use System Administrator to do write a table on another scope when my application is selected in application piker and admin is logged in.


Yes - don't do it.



There's a reason why application scopes exist, and that reason is to prevent interference between scopes and provide protection to a scope's contained objects. If you need to descend into Admin-overriding, you're doing something wrong.



So.. what is it you're actually after, rather than what solution do you think you need help with?



3 REPLIES

Ankur Bawiskar
Tera Patron

Hi Sam,



I think the cross-scope policy is applied to system admin as well, and there doesn't seem to be any way to skip that for admin.


Maybe more digging into this topic is needed, but I am not very sure about this.



Regards


Ankur

✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader
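The point Ankur makes, that the cross-scope policy applies to admin too, as an added example that is not part of this thread and not ServiceNow's own code: a small Node.js model of the decision a scoped script hits when it touches another scope's table. The table settings (modelled on the "Application Access" flags of a table record), the scope names, the `x_123456_myapp_settings` table and the privilege list are all constructed for illustration. The message formats follow the log lines quoted in the question. What it shows is that the check compares the executing scope with the table's scope and per-operation flags, and the caller's roles never enter the decision, so elevating to admin or security_admin cannot change the outcome.

```javascript
'use strict';

// Constructed model (added example, not ServiceNow code) of a table's cross-scope
// access settings. Field names are simplified assumptions modelled on a table
// record's "Application Access" section: who may access it and which operations.
const tables = {
  // Global tables that other scopes may read but not write (assumed settings,
  // consistent with the refusal the question reports).
  sys_properties: { scope: 'global', accessibleFrom: 'all', canRead: true, canCreate: false, canUpdate: false, canDelete: false },
  sys_script:     { scope: 'global', accessibleFrom: 'all', canRead: true, canCreate: false, canUpdate: false, canDelete: false },
  // Constructed: the scoped app's own table, writable only from its own scope.
  x_123456_myapp_settings: { scope: 'x_123456_myapp', accessibleFrom: 'this_scope', canRead: true, canCreate: true, canUpdate: true, canDelete: true },
};

// Runtime-granted cross-scope privileges, one record per (scope, table, operation).
// Mirrors the "was granted and added to ... cross scope privileges" log line.
const privileges = [];

const OP_FLAG = { read: 'canRead', create: 'canCreate', update: 'canUpdate', delete: 'canDelete' };
// Wording used by the quoted log lines: reads say "Read", inserts say "Create",
// and the GlideRecord.update refusal said "Write".
const OP_WORD = { read: 'Read', create: 'Create', update: 'Write', delete: 'Write' };

function recordPrivilege(scope, tableName, operation) {
  const exists = privileges.some(p => p.scope === scope && p.table === tableName && p.operation === operation);
  if (!exists) privileges.push({ scope, table: tableName, operation, status: 'allowed' });
}

// Decide whether `operation` on `tableName` is permitted for a script executing
// in `callerScope`. `user` is accepted only to make the point explicit: the
// decision never reads user.roles, so admin is refused exactly like anyone else.
function checkCrossScopeAccess(callerScope, tableName, operation, user) {
  const table = tables[tableName];
  if (!table) throw new Error(`unknown table ${tableName}`);
  if (!(operation in OP_FLAG)) throw new Error(`unknown operation ${operation}`);

  // Same scope as the table: the cross-scope policy does not apply at all.
  if (table.scope === callerScope) {
    return { allowed: true, message: `${OP_WORD[operation]} operation on '${tableName}' within scope '${callerScope}'` };
  }

  // Different scope: the table must be open to other scopes AND the specific
  // operation must be enabled. Nothing about `user` is consulted here.
  const opAllowed = table.accessibleFrom === 'all' && table[OP_FLAG[operation]] === true;
  if (!opAllowed) {
    return {
      allowed: false,
      message: `${OP_WORD[operation]} operation against '${tableName}' from scope '${callerScope}' has been refused due to the table's cross-scope access policy`,
    };
  }
  recordPrivilege(callerScope, tableName, operation);
  return {
    allowed: true,
    message: `${OP_WORD[operation]} operation on table '${tableName}' from scope '${callerScope}' was granted and added to '${callerScope}' cross scope privileges`,
  };
}

// Replays the situations from the thread with an admin user.
function demo() {
  const admin = { name: 'admin', roles: ['admin', 'security_admin'] };
  return [
    checkCrossScopeAccess('x_snc_amazon_echo', 'sys_script', 'read', admin),              // granted, privilege recorded
    checkCrossScopeAccess('x_snc_amazon_echo', 'sys_script', 'create', admin),            // refused
    checkCrossScopeAccess('x_123456_myapp', 'sys_properties', 'update', admin),           // refused: the question's case
    checkCrossScopeAccess('x_123456_myapp', 'x_123456_myapp_settings', 'update', admin),  // own table: allowed
    checkCrossScopeAccess('global', 'sys_properties', 'update', admin),                   // global script: allowed
  ];
}

demo().forEach(r => console.log(r.allowed ? 'ALLOW ' : 'REFUSE', r.message));
```

The last two cases show the two legitimate routes the policy leaves open: keep the data in a table your own scope owns, or perform the write from a global-scope script that the owning scope exposes deliberately. Neither route involves the user's role, which is why "log in as admin" changes nothing.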

sam861
Giga Contributor

Insert or update property:

// Build the property name from the current application scope, e.g. "x_123456_app.url"
var prefix = gs.getCurrentScopeName() + '.'; // e.g. x_123456_app

// _setProperty is the poster's own Script Include helper (not shown); it writes the sys_properties record
this._setProperty(prefix + 'url', 'xx');

