Cross-scope privilege record

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 1 minute de lecture

    • Runtime access tracking uses cross-scope privilege records to determine which script operations and targets the system allows to run.

    The system creates cross-scope privilege records when:
    • Runtime access tracking is set to Tracking or Enforcing.
    • A script attempts to access another application.

    Each cross-scope privilege record in the Cross scope privileges [sys_scope_privilege] table contains the following information.

    Tableau 1. Cross-scope privilege fields
    Field Description
    Source Scope The application requesting runtime access to another application's resources.
    Target Scope The application whose resources are being requested.
    Target Name The name of the table, script include, or script object being requested.
    Target Type The type of request: table, script include, or script object.
    Operation The operation the script performs on the target. The target type determines the available operations. Tables support the read, write, create, and delete operations. Script includes and script objects only support the execute API operation.
    Status The authorization for this record: requested, allowed, or denied

    Administrators can manually create cross-scope privilege records for application developers in advance to communicate which cross-scope resources they expect developers to access. For example, administrators could create these cross-scope privilege records to permit application developers access to resources from Incident Management.

    Tableau 2. Sample cross-scope privilege records
    Source Scope Target Scope Target Name Operation Status
    My App Global incident Read Allowed
    My App Global incident Write Allowed
    My App Global ScopedGlideRecord Execute API Allowed
    During testing, application developers should run all of their application scripting logic to ensure the system creates any necessary cross-scope privilege records. After application publication, the system only allows runtime requests to run that have a valid cross-scope privilege record.
    Remarque :
    Table privilege granting is limited to, at most, the permissions set on the table object (sys_db_object) record. For example, granting a scope privilege to delete for table incident would not be allowed if the table object for incident did not allow Can delete scopes.