Restricted Caller Access Privilage related info message

Raghav Kakkar · ‎11-19-2023

I am getting this info message related to restricted caller access when I start an MS Teams chat in SIR ticket but not in ITSM incident tickets.

What I have already verified:

There are Restricted caller access records with source "Collaboration Services" and target "Security Incident Response" and all are in Allowed state.
This is appearing post Vancouver upgrade.
It is reproducible in lower instances as well even though MS Teams runs only in Production.

Sandeep Rajput · ‎11-19-2023

@Raghav Kakkar As a best practice, we keep the RCA Policy to Restricted on all three instance (Dev, Test, Prod). Primary reason is to know let the Dev/Admin know which applications are trying to access the data of the application in consideration (Security Incident Response in our case) from out side. Dev/Admin capture the allowed records in update set and carry them to other instances (Test and Prod).

In case if a dev/admin is constantly making changes in the application, these RCA may get annoying, in such a case we keep them to tracking on Dev instance till the development gets completed and shift it to Restricted after the necessary changes.

View solution in original post

Sandeep Rajput · ‎11-19-2023

@Raghav Kakkar Since the RCA policy on sn_si_incident table is set to Tracking, hence just the message is shown on the Security Incident Response record, had it been set to Restricted you would have seen an RCA record with a Requested state in Application Restricted caller access module with Source populated as "Collaboration Services" and target "Security Incident Response.

Raghav Kakkar · ‎11-19-2023

Hi @Sandeep Rajput,

Thank you so much for your prompt answer.

Is there any best practice too regarding the RCA Policy being set to "Tracking" or "Restricted"? Especially considering that we are dealing with Security Incident response application.

Regards.

Sandeep Rajput · ‎11-19-2023

@Raghav Kakkar As a best practice, we keep the RCA Policy to Restricted on all three instance (Dev, Test, Prod). Primary reason is to know let the Dev/Admin know which applications are trying to access the data of the application in consideration (Security Incident Response in our case) from out side. Dev/Admin capture the allowed records in update set and carry them to other instances (Test and Prod).

In case if a dev/admin is constantly making changes in the application, these RCA may get annoying, in such a case we keep them to tracking on Dev instance till the development gets completed and shift it to Restricted after the necessary changes.

Niclas · ‎04-08-2024

This is not the correct solution, while this will hide Info Message, it will block you from using the functionality to start MS Teams Chat, as it will change the Info Message to an Error Message that access is not allowed due to RCA settings, e.g.:

Read operation on table 'sn_si_incident' from scope 'Collaboration Services' was denied because the source could not be found. Please contact the application admin.
Read operation on table 'sn_si_incident' from scope 'Collaboration Services' was denied. The application 'Collaboration Services' must declare a cross scope access privilege. Please contact the application admin to update their access requests.
com.glide.script.fencing.access.ScopeAccessNotGrantedException: read access to sn_si_incident not granted

While being in Security Incident Response Application Scope you need to create RCA entry to allow Collaboration Service scope to read Security Incident table (and Security Incident Task if you want to use MS Teams functionality there as well) as shown below. Unfortunately it's very broad access for whole scope, but we could not limit it further as we could not find the exact source that is trying to read the table...