How to package custom ACLs and role into one scoped app for OOB install?

Tomav
Giga Contributor
Hi,
I want to deliver an installable application that provides a custom role for an integration user. The goal is that when a tenant installs the app, the user with this role will automatically have read-only access to the relevant records and will not be able to create, update, or delete them.

The challenge I’ve run into: some ACLs must normally be created in Global (for example, field=* ACLs), but I’d like to avoid asking tenants to manually add anything in Global after installing.

My question:
What is the recommended way to package this so that everything (the role + all necessary ACLs) is contained in a single app and works OOB on install?
Is there an OOB mechanism (such as cross-scope privileges, which are useful only for scripts but not for roles) that lets a scoped app handle this more cleanly?

Looking for the best practice so the installation is seamless for customers.

Mark Manders
Mega Patron

You can use 'read' cross-scope privileges for this, allowing read access to OOB (global) tables. You can't add global objects to your app. You could try creating a global_table.* ACL in your scoped app, but if you ever want to certify the app to run from the store, it won't be certified. But the privilege should be sufficient for reading.

We had an app that needed ACLs to read the CMDB and, in the end, the only thing we were allowed to do was to add the list of ACLs needed to the guided setup, because the clients needed to do that themselves.
From ServiceNow's point of view: if you have a scoped app that needs ACLs on global tables, you would have to do that after installation. 


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark