Sometimes working with scoped apps gives me a headache.

My broad problem is that I frequently have to employ guesswork to solve cross scope access issues, and I find the documentation for using cross scope access records very limited. So to start, does anyone have a great approach for determining what should go into such a record? Or are there good sources on the web that discuss this bit of functionality. (Don't even bother posting the ServiceNow documentation link for this. I've already invested the five seconds it takes to learn all it has to offer.)

The specific problem I am having right now is this: I created a scoped app that includes a table extended from CMDB. As a temporary measure (I know, I know) I am using an on insert business rule to generate an Incident record for every scoped app record created. When such a record is created we see the following error message:

'Access to api 'put(incident.sys_id)' from scope 'x_camu_sw_asset' has been refused due to the api's cross-scope access policy'

Functionally each record (x_camu_sw_asset and the BR-generated incident) is created as expected, and the CI field on incident is updated as per the BR the way I expect. To ensure that this all happened I already created a cross scope access rule to permit stuff in my scope to write to incident. That made sense.

But this error is killing me. I assume that I need to create some other cross scope access rule for some scriptable, but I am at a loss to determine what it is that I need. And more importantly I am frustrated because I cannot generalize a troubleshooting process for when I stumble across something like this.

Any ideas?

Brian