Using GlideRecordSecure in a scoped application, allowing create access to ecc_queue

Community Alums · ‎04-14-2025

Hi All,

I have a script include within a scoped (store) application, that is creating records on the ecc_queue table. We have recently changed from GlideRecord to GlideRecordSecure, the function is as follows:

create : function() {
		this.addParameter('skip_sensor', true);
		var egr = new GlideRecordSecure("ecc_queue");
		egr.agent = "mid.server." + this.midServer;
		egr.queue = "output";
		egr.state = "ready";
		egr.topic = "JavascriptProbe";
		egr.name = this.name;
		egr.source = this.source;
		egr.payload = this.payloadDoc.toString();
		return egr.insert();
	},

Due to a number of ACLs on the table, this is now failing. I have created table level create/write/read ACLs within the scoped application, that should allow non-admin users with the apps role to access the table, but It's still not working. Running the security debug, I see this in the log:

Looks to me like the "out of the box" ACLs in global scope are blocking my scoped versions?

Please can someone help me understand what I need to do in order to get this working, if indeed this is possible!

Thanks!

Tim.

Ankur Bawiskar · ‎04-14-2025

@Community Alums

Option 2 is more feasible and ServiceNow app certification team does have the right to create exceptions.

I have been doing the same for the past few app certification cycles whenever new version comes in.

I believe I have answered your question with the approaches.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

View solution in original post

Ankur Bawiskar · ‎04-14-2025

@Community Alums

Ensure the checkboxes are checked

Did you use access analyzer and see for that non-admin which ACL is blocking the insert?

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Community Alums · ‎04-14-2025

@Ankur Bawiskar yes, the checkboxes are checked for application access, access analyzer reports this:

Clinking on the access control link, takes me to this:

Ankur Bawiskar · ‎04-14-2025

@Community Alums

I do manager store apps in my company.

Here are the ways to overcome this

1) have a script include in global scope, accessible from all scopes and then invoke it from your scoped app. Provide or supply this update set as separate to the customers who will download that app

OR

2) keep GlideRecord in script and provide justification during the time you publish the app, there are sometimes exceptions which ServiceNow allows

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Community Alums · ‎04-14-2025

@Ankur Bawiskar

Option 1 has crossed my mind, although technically it's just moving the issue out of the application.

Option 2 is preferred, but the app check now picks up occurrences of GlideRecord as a "fail".

If these are the only 2 options, I'll put these to ServiceNow and see what they say.

Thanks for your help!

Tim.

Ankur Bawiskar · ‎04-14-2025

@Community Alums

Option 2 is more feasible and ServiceNow app certification team does have the right to create exceptions.

I have been doing the same for the past few app certification cycles whenever new version comes in.

I believe I have answered your question with the approaches.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader