I am getting a security restriction error when I run gliderecord query to syslog table from scoped-app in San Diego

kyciranne · ‎03-07-2022

I am getting an error when I run gliderecord query to syslog table from scoped-app in San Diego

Security restricted: When targeting a global resource, only ServiceNow authored scopes are allowed as sources

Couldn't decipher the stack trace resulting from the following JavaScriptException:
com.glide.script.fencing.access.ScopeAccessNotGrantedException: read access to syslog not granted: org.mozilla.javascript.JavaScriptException: com.glide.script.fencing.access.ScopeAccessNotGrantedException: read access to syslog not granted: org.mozilla.javascript.Context.makeJavaScriptException(Context.java:1952)

Maik Skoddow · ‎03-07-2022

Hi @kyciranne

thanks for the feedback. This is something new to me.

To access the syslog table your only workaround is the create a "proxy" script include in the global scope.

Watch the following video: https://www.youtube.com/watch?v=yx23wKB7uYM

Kind regards
Maik

View solution in original post

Phil Swann · ‎05-02-2025

Helpful indeed! Thanks , just in the process of creating a Global jumper and seems the Global app won't help , worth a try!

CMDB Whisperer · ‎05-02-2025

FWIW you may have different results defining it in Global, running it and testing it and then moving it into a Global app afterwards. I have seen subtle and not-so-subtle differences in how cross-scope access works depending on how whether the file was authored in the Global app vs authored outside the Global app and then added. I can't explain why there would be a difference, but just thought I'd put that out there. Hopefully someone else can explain why this would be the case...

The opinions expressed here are the opinions of the author, and are not endorsed by ServiceNow or any other employer, company, or entity.

ArjunBasnet · ‎02-03-2023

Future readers

This will not work as of Tokyo release. The reason is related to RCA (Restricted Caller Access) privilege setting in the table. The sysevent table and few other global OOB tables (syslog, syslog_transaction) have Caller Access = Caller Restriction. There must be reason for this, while looking at the doc https://docs.servicenow.com/bundle/tokyo-application-development/page/build/applications/concept/res..., it says that there should be RCA record (System Applications > Application Restricted Caller Access) to allow the operation. One would assume that, creating record RCA record in Global scope with correct target and source scope would allow access. Unfortunately only ServiceNow can create records that target tables like sysevent and syslog. There is a business rule, in read-only mode, which prevents such activities. While exception are understood there should be way to grant access.