Application Cross-Scope Access vs. table-level application access settings

Max Nowak
Kilo Sage

Hi,

 

I need to delete attachments (sys_attachment) from a scoped application. When executing my script, I get the following error:

 

Security restricted: Delete operation against 'sys_attachment' from scope 'x_xxxxxx' has been refused due to the table's cross-scope access policy

 

So, alright, I created a cross-scope privilege record in the sys_scope_privilege table that allows my source scope to run delete operations against the sys_attachment table. Easy enough, I thought.

 

Except those privilege records actually don't do anything, it seems. The only way I can get this to work is if I allow all application scopes to run delete operations against the sys_attachment table, by navigating to the table configuration form and checking "Can delete" in the Application Access section.

 

I'm a little frustrated and don't understand the use for cross-scope privilege records if the table-level application access policy ultimately needs to be set to "Allow everyone to delete" anyways. Is there no way I can achieve only my application scope being able to run the delete operation against sys_attachment?

1 ACCEPTED SOLUTION

manjusha_
Kilo Sage

Hi Max,

Are you trying to delete the attachment from a script/business rule?

If yes, please try the below:

1) Create a script include in the Global scope and make it accessible from all scopes.

2) In this script include, have the code to delete the attachment, i.e. the function will take the table name and table sys id, then query and delete.

3) Call this script include function from the business rule, which is in the scoped app.

Also, you have to keep the record in the cross-scope privilege table as allowed, with the operation as delete.

Thanks,

Manjusha 
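
One way to write the global Script Include described in the answer above (an added example, not code from the thread or from ServiceNow). Because the include is accessible from all scopes, it restricts deletes to an allow-list of tables and validates the sys_id. The names `AttachmentCleaner`, `ALLOWED_TABLES` and `x_demo_task` are hypothetical, and `FakeGlideRecord` is a constructed in-memory stand-in used only when the platform's `GlideRecord` is absent.

```javascript
// Added example; AttachmentCleaner, ALLOWED_TABLES and x_demo_task are hypothetical names.
// ROWS and FakeGlideRecord are a constructed in-memory stand-in so the logic runs offline;
// on an instance the platform's GlideRecord is used instead.
var ROWS = [
  { sys_id: 'a1', table_name: 'x_demo_task', table_sys_id: '0123456789abcdef0123456789abcdef' },
  { sys_id: 'a2', table_name: 'x_demo_task', table_sys_id: 'ffffffffffffffffffffffffffffffff' },
  { sys_id: 'a3', table_name: 'incident', table_sys_id: '0123456789abcdef0123456789abcdef' }
];
function FakeGlideRecord(table) { this.table = table; this.q = {}; this.hits = []; this.cur = null; }
FakeGlideRecord.prototype = {
  addQuery: function (field, value) { this.q[field] = value; },
  query: function () {
    var q = this.q;
    this.hits = ROWS.filter(function (r) {
      return Object.keys(q).every(function (k) { return r[k] === q[k]; });
    });
  },
  next: function () { this.cur = this.hits.shift() || null; return this.cur !== null; },
  deleteRecord: function () { ROWS.splice(ROWS.indexOf(this.cur), 1); return true; }
};
var GR = (typeof GlideRecord !== 'undefined') ? GlideRecord : FakeGlideRecord;

// Assumption: only tables owned by the calling application are listed here.
var ALLOWED_TABLES = ['x_demo_task'];
var SYS_ID = /^[0-9a-f]{32}$/;

var AttachmentCleaner = function () {};
AttachmentCleaner.prototype = {
  // Deletes the attachments of one record; returns the count, or -1 if the input is refused.
  deleteFor: function (tableName, recordSysId) {
    // Refuse unknown tables and blank or malformed ids before they reach the query,
    // so a bad argument cannot widen the delete.
    if (ALLOWED_TABLES.indexOf(tableName) === -1) return -1;
    if (!SYS_ID.test(String(recordSysId))) return -1;
    var att = new GR('sys_attachment');
    att.addQuery('table_name', tableName);
    att.addQuery('table_sys_id', recordSysId);
    att.query();
    var deleted = 0;
    while (att.next()) { if (att.deleteRecord()) deleted++; }
    return deleted;
  },
  type: 'AttachmentCleaner'
};

// From the scoped business rule:
//   new global.AttachmentCleaner().deleteFor(current.getTableName(), current.getUniqueValue());
```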


2 REPLIES


That was a really helpful tip and worked like a charm. Thank you.