Access to api 'getDecryptedValue(password)' from scope has been refused

abelal
Tera Contributor

Hello all!


We have a password stored in basic_auth_credentials table that is effectively shared by several apps. In the past, we would normally work exclusively in global scope but have since turned to using scoped apps, reason being it's easier to manage a scoped app by opening up in ServiceNow studio and you're presented with the relevant files. Makes it far easier for other developers in the team to make changes - everything is scoped!


Now, the obvious problem with this is that some APIs are restricted from app scope. The one I'm having difficulties with is getDecryptedValue.

Essentially, in my scoped app I have a flow script that runs

// Look up the shared credential by name; get() returns false if nothing matches
const credential = new GlideRecord('basic_auth_credentials');
const found = credential.get('name', 'ADO - Pipeline');
// getDecryptedValue() is the call that triggers the cross-scope refusal below
const pat = found ? credential.password.getDecryptedValue() : '';

'ADO - Pipeline' is stored in basic_auth_credentials, which I presume is globally scoped, and as mentioned it's used by many different apps which currently sit inside global scope. When the script is run in app scope, I get this error:

Security restricted: Access to api 'getDecryptedValue(password)' from scope 'x_clpl_ab_csv_ad_g' has been refused due to the api's cross-scope access policy. 

I understand what it means but no idea how to make it work.


As an alternative I've used this script, which does work:

// Same lookup as before; get() returns false if nothing matches
const credential = new GlideRecord('basic_auth_credentials');
const found = credential.get('name', 'ADO - Pipeline');
// Decrypts via the global ScopedEncrypter instead of the restricted getDecryptedValue()
const pat = found ? new global.ScopedEncrypter().decrypt(credential.password) : '';


However, it's not recommended to do this, as it'll allow the app to get any credential, whilst all I really need is access to 'ADO - Pipeline'.


Any options available?


Amit Verma
Kilo Patron

Hi @abelal 


You can store your password for ADO in a Password2 type system property and fetch it using gs.getProperty('name of the system property'). Refer https://www.servicenow.com/community/developer-forum/need-to-decrypt-password2-field-value-from-syst...


Thanks and Regards

Amit Verma


Please mark this response as correct and helpful if it assisted you with your question.

Thanks Amit. If I understand correctly then, credentials that are potentially used across multiple apps should be stored in a system property instead of the credential tables?

@abelal 


Yes. A System Property is a better alternative. You can actually make a System Property part of a Scoped App and make it readable from the application scope itself, for better security.


Please mark this response as correct and helpful if it assisted you with your question.

Simon Christens
Kilo Sage

This has nothing to do with the credentials being in the global scope, but with the fact that the method getDecryptedValue is a global method that requires approval to be used by other scopes.


If you go into System Applications --> Application Cross-Scope Access, then you should be able to find a record asking for permission for your scoped app to use that method.
Once "Allowed", there shouldn't be any issues for that particular scoped app to use the method.

That said, as mentioned, properties of password type are encrypted and decrypted in memory on the server, so using one does not require getDecryptedValue.
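As an added example (not code from this thread or from ServiceNow), here is the least-privilege shape the original poster was after, which also sidesteps the cross-scope refusal Simon describes: rather than handing the scoped app a general-purpose global.ScopedEncrypter, a global-scope Script Include exposes exactly one allow-listed credential name and fails closed for anything else. The name AdoPipelineCredential, the allow-list contents, the sample secrets and the in-memory GlideRecord stand-in are all assumptions or constructions so that the file runs offline in Node; in an instance you would drop the stub, pass the real GlideRecord, and mark the Script Include "Accessible from: All application scopes", on the usual assumption that its code then executes in global scope where getDecryptedValue is not a cross-scope call.

```javascript
// Added example, not from the thread or ServiceNow. Names and data below are constructed.

// Credentials (basic_auth_credentials.name) that scoped callers may read.
// Constructed for the example; this list is the only thing to maintain in an instance.
const ALLOWED_CREDENTIAL_NAMES = Object.freeze(['ADO - Pipeline']);

// Builds the allow-listed reader. The GlideRecord constructor is injected so the same
// logic runs against the real GlideRecord in an instance or the stub below offline.
function makeCredentialReader(GlideRecordCtor, allowedNames) {
  const allowed = new Set(allowedNames);
  return function getPassword(credentialName) {
    if (typeof credentialName !== 'string' || !allowed.has(credentialName)) {
      // Fail closed: callers cannot enumerate or decrypt anything outside the allow-list.
      throw new Error('credential not exposed to scoped callers: ' + String(credentialName));
    }
    const gr = new GlideRecordCtor('basic_auth_credentials');
    // get(field, value) returns false when no row matches; never return an empty secret.
    if (!gr.get('name', credentialName)) {
      throw new Error('credential record not found: ' + credentialName);
    }
    // Runs in global scope when wrapped in a global Script Include (assumption stated above).
    return gr.password.getDecryptedValue();
  };
}

// In an instance this would be wrapped (hypothetical Script Include name) as:
//   var AdoPipelineCredential = Class.create();
//   AdoPipelineCredential.prototype = {
//     getPat: function () { return reader('ADO - Pipeline'); },
//     type: 'AdoPipelineCredential'
//   };
// where `reader` is makeCredentialReader(GlideRecord, ALLOWED_CREDENTIAL_NAMES).

// ---- Constructed stand-in for GlideRecord so the example runs offline (not ServiceNow code) ----
const FAKE_TABLE = {
  'ADO - Pipeline': 'example-pat-value',        // constructed sample secret
  'Other Service': 'should-never-be-readable',  // constructed sample secret
};

function StubGlideRecord(table) {
  if (table !== 'basic_auth_credentials') {
    throw new Error('stub only models basic_auth_credentials');
  }
  this.password = null;
}
StubGlideRecord.prototype.get = function (field, value) {
  if (field !== 'name' || !Object.prototype.hasOwnProperty.call(FAKE_TABLE, value)) {
    return false;
  }
  const secret = FAKE_TABLE[value];
  // Mirrors the element shape the thread uses: record.password.getDecryptedValue()
  this.password = { getDecryptedValue: function () { return secret; } };
  return true;
};

const readCredential = makeCredentialReader(StubGlideRecord, ALLOWED_CREDENTIAL_NAMES);

// True only when the allow-list (not a missing record) blocks the name.
function isBlockedByAllowList(name) {
  try {
    readCredential(name);
    return false;
  } catch (e) {
    return /not exposed/.test(e.message);
  }
}

// Usage: the one permitted credential decrypts; any other name is refused.
console.log(readCredential('ADO - Pipeline'));        // example-pat-value
console.log(isBlockedByAllowList('Other Service'));   // true
```

The design point is that the allow-list check happens before any table access, so a scoped caller can neither read nor probe for credentials other than the one it was granted; if a second app later needs its own credential, it gets its own entry (or its own Script Include) rather than a widening of this one.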