Access to api 'getDecryptedValue(password)' from scope has been refused
09-02-2024 02:53 AM
Hello all!
We have a password stored in basic_auth_credentials table that is effectively shared by several apps. In the past, we would normally work exclusively in global scope but have since turned to using scoped apps, reason being it's easier to manage a scoped app by opening up in ServiceNow studio and you're presented with the relevant files. Makes it far easier for other developers in the team to make changes - everything is scoped!
Now, the obvious problem with this is that some APIs are restricted from app scope. The one I'm having difficulties with is getDecryptedValue.
Essentially, in my scoped app I have a flow script that runs
```javascript
const credential = new GlideRecord('basic_auth_credentials');
credential.get('name', 'ADO - Pipeline');
const pat = credential.password.getDecryptedValue();
```
'ADO - Pipeline' is stored in basic_auth_credentials which I presume is globally scoped, and as mentioned it's used by many different apps which currently sit inside global scope. When the script is run in app scope, I get this error:
Security restricted: Access to api 'getDecryptedValue(password)' from scope 'x_clpl_ab_csv_ad_g' has been refused due to the api's cross-scope access policy.
I understand what it means but have no idea how to make it work.
As an alternative I've used this script, which does work:
```javascript
const credential = new GlideRecord('basic_auth_credentials');
credential.get('name', 'ADO - Pipeline');
const pat = new global.ScopedEncrypter().decrypt(credential.password);
```
However, it's not recommended to do this as it'll allow the app to get any credential whilst all I really need is access to 'ADO - Pipeline'.
Any options available?
09-02-2024 03:18 AM
Hi @abelal
You can store your password for ADO in a Password2 type system property and fetch it using gs.getProperty('name of the system property'). Refer to https://www.servicenow.com/community/developer-forum/need-to-decrypt-password2-field-value-from-syst...
Thanks and Regards
Amit Verma
Please mark this response as correct and helpful if it assisted you with your question.
09-02-2024 06:11 AM
Thanks Amit. If I understand correctly then, credentials that are potentially used across multiple apps should be stored in a system property, instead of the credential tables?
09-02-2024 09:12 PM
Yes. System Property is a better alternative. You can actually make a System Property as part of a Scoped App and make it readable from the application scope itself for better security.
Please mark this response as correct and helpful if it assisted you with your question.
09-02-2024 09:45 PM
This has nothing to do with the credentials being in the global scope but that the method getDecryptedValue is a global method that requires approval to be used by other scopes.
If you go into System Applications --> Application Cross-Scope Access then you should be able to find a record asking for permission that your scoped app uses that method.
Once "Allowed" there shouldn't be any issues for that particular scoped app to use the method.
That said - as mentioned, properties of password type are encrypted and decrypted in memory on the server, so using them will not require the use of getDecryptedValue.
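
A least-privilege alternative to the decrypt-anything global helper raised in the question, as an added example that is not part of the thread or ServiceNow's own code: a hypothetical global-scope broker that returns a credential only when the calling scope is allowlisted for that name. `makeCredentialBroker`, `ALLOWED`, `fakeDeps` and `demo` are hypothetical names, the secrets are constructed, and it assumes `gs.getCallerScopeName()` reports the calling application's scope and that the broker itself runs in global scope.

```javascript
// Allowlist: calling scope -> credential names it may read.
// Scope and credential name are the ones quoted in the question.
const ALLOWED = {
  'x_clpl_ab_csv_ad_g': ['ADO - Pipeline'],
};

// Hypothetical broker intended for a global-scope Script Include.
// On an instance, deps.gs and deps.GlideRecord are the platform objects.
function makeCredentialBroker(deps, allowed) {
  return {
    getSecret(name) {
      const caller = deps.gs.getCallerScopeName();
      const known = Object.prototype.hasOwnProperty.call(allowed, caller);
      const names = known ? allowed[caller] : [];
      if (!names.includes(name)) {
        // Deny by default and leave an audit trail of the attempt.
        deps.gs.warn('Credential broker denied ' + caller + ' -> ' + name);
        return null;
      }
      const rec = new deps.GlideRecord('basic_auth_credentials');
      if (!rec.get('name', name)) return null; // no such credential record
      return rec.password.getDecryptedValue();
    },
  };
}

// Constructed stand-ins for gs and GlideRecord so the example runs offline.
function fakeDeps(callerScope, log) {
  const rows = { 'ADO - Pipeline': 'pat-constructed', 'Other Cred': 'other-constructed' };
  function GlideRecord(table) { this.table = table; }
  GlideRecord.prototype.get = function (field, value) {
    if (!Object.prototype.hasOwnProperty.call(rows, value)) return false;
    this.password = { getDecryptedValue: () => rows[value] };
    return true;
  };
  const gs = { getCallerScopeName: () => callerScope, warn: (m) => log.push(m) };
  return { GlideRecord, gs };
}

// Exercises the allowed call, a wrong credential name, and a wrong scope.
function demo() {
  const log = [];
  const mine = makeCredentialBroker(fakeDeps('x_clpl_ab_csv_ad_g', log), ALLOWED);
  const other = makeCredentialBroker(fakeDeps('x_other_app', log), ALLOWED);
  return {
    allowed: mine.getSecret('ADO - Pipeline'),
    wrongName: mine.getSecret('Other Cred'),
    wrongScope: other.getSecret('ADO - Pipeline'),
    denials: log.length,
  };
}
```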