OAuth Global vs Application Scope: [sys_db_object] table, Expecting different list of tables

jeff00seattle
Kilo Guru

I am confused about Global scope versus Application scope, and what the expected restrictions are when used.

 

Specifically, I wish to get a list of tables using [sys_db_object] table, and I expect a different response per generated access_token with a different scope.

https://${INSTANCE_NAME}.service-now.com/api/now/table/sys_db_object

 

I have created two ServiceNow Applications, each with a single custom table:

  1. ServiceNowTestApp01, scope x_1092494_servic_0, with custom table x_1092494_servic_0_students_custom
  2. ServiceNowTestApp02, scope x_1092494_servic_1, with custom table x_1092494_servic_1_superstore_orders

I have created three ServiceNow OAuth Apps:

  1. servicenow_localhost, scope: Global
  2. servicenow_localhost_app_01_scope, scope: ServiceNowTestApp01 "This Application Scope Only"
  3. servicenow_localhost_app_02_scope, scope: ServiceNowTestApp02 "This Application Scope Only"

Switching between each of the three ServiceNow OAuth Apps when generating an access_token, I expected a different list of tables to be returned as the response from the [sys_db_object] table.

 

However, each call to the [sys_db_object] table with a different access_token, generated from OAuth Apps with different scope restrictions, had the same response:

  • All base tables
  • custom table x_1092494_servic_0_students_custom
  • custom table x_1092494_servic_1_superstore_orders

I do not understand why this is so.

 

Please explain. Thank you

 

Localhost OAuth App with Global scope

jeff00seattle_3-1711057215213.png

 

Localhost OAuth App with Application scope ServiceNowTestApp01, x_1092494_servic_0

jeff00seattle_4-1711057280392.png

 

Localhost OAuth App with Application scope ServiceNowTestApp02, x_1092494_servic_1

jeff00seattle_5-1711057331746.png

1 REPLY

Tony Chatfield1
Kilo Patron

Hi, I would expect results\visibility to be dependent on the rights of the user account that was used for the query,
and within this context the scope that holds the oauth_entity record is just an identifier for the container\app that the record belongs to.
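The behaviour discussed in this thread can be checked with a short audit script. It is an added example, not part of the original posts or ServiceNow's own code. It compares what each OAuth app's token can see in [sys_db_object] against the application scope that app was created in. The response bodies are constructed samples, and the dot-walked `sys_scope.scope` field in `sysparm_fields` is an assumption about how the owning scope is returned.

```python
import json
import urllib.request

def fetch_tables(instance, access_token):
    """Live query (needs network): {table_name: owning_scope} for this token."""
    url = (f"https://{instance}.service-now.com/api/now/table/sys_db_object"
           "?sysparm_fields=name,sys_scope.scope")  # assumed dot-walked field
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_tables(resp.read())

def parse_tables(body):
    """Parse a Table API JSON body into {table_name: owning_scope}."""
    rows = json.loads(body)["result"]
    return {r["name"]: r.get("sys_scope.scope", "") for r in rows}

def out_of_scope(visible, expected_scope):
    """Tables the token can read that do not belong to expected_scope."""
    if expected_scope == "global":
        return []  # a Global OAuth app is not expected to be restricted
    return sorted(t for t, s in visible.items() if s != expected_scope)

def audit(responses):
    """responses: {oauth_app: (expected_scope, body)} -> {oauth_app: [tables]}"""
    return {app: out_of_scope(parse_tables(body), scope)
            for app, (scope, body) in responses.items()}

# Constructed sample: the same body for every token, as the question reports.
SAMPLE = json.dumps({"result": [
    {"name": "incident", "sys_scope.scope": "global"},
    {"name": "x_1092494_servic_0_students_custom",
     "sys_scope.scope": "x_1092494_servic_0"},
    {"name": "x_1092494_servic_1_superstore_orders",
     "sys_scope.scope": "x_1092494_servic_1"},
]})

RESPONSES = {
    "servicenow_localhost": ("global", SAMPLE),
    "servicenow_localhost_app_01_scope": ("x_1092494_servic_0", SAMPLE),
    "servicenow_localhost_app_02_scope": ("x_1092494_servic_1", SAMPLE),
}

if __name__ == "__main__":
    for app, extra in audit(RESPONSES).items():
        print(app, "->", extra or "nothing outside expected scope")
```

A non-empty list for an app-scoped OAuth app shows that the app's scope is not filtering results, so any restriction has to come from the roles and ACLs of the user account behind the token.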