Cross-scope privilege record

Runtime access tracking uses cross-scope privilege records to determine which script operations and targets the system allows to run.

The system creates cross-scope privilege records when:
  • Runtime access tracking is set to Tracking or Enforcing.
  • A script attempts to access another application.

Each cross-scope privilege record contains the following information.

Table 1. Cross-scope privilege fields

| Field | Description |
|---|---|
| Source Scope | The application requesting runtime access to another application's resources. |
| Target Scope | The application whose resources are being requested. |
| Target Name | The name of the table, script include, or script object being requested. |
| Target Type | The type of request: table, script include, or script object. |
| Operation | The operation the script performs on the target. The target type determines the available operations. Tables support the read, write, create, and delete operations. Script includes and script objects only support the execute API operation. |
| Status | The authorization for this record: requested, allowed, or denied. |

Administrators can manually create cross-scope privilege records for application developers in advance to communicate which cross-scope resources they expect developers to access. For example, administrators could create these cross-scope privilege records to permit application developers access to resources from Incident Management.

Table 2. Sample cross-scope privilege records

| Source Scope | Target Scope | Target Name | Operation | Status |
|---|---|---|---|---|
| My App | Global | incident | Read | Allowed |
| My App | Global | incident | Write | Allowed |
| My App | Global | ScopedGlideRecord | Execute API | Allowed |

During testing, application developers should run all of their application scripting logic so that the system creates every necessary cross-scope privilege record. After the application is published, the system allows a runtime request to run only if it has a valid cross-scope privilege record.
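
The following added example (not platform code or an API of the product) models the record fields from Table 1 in plain JavaScript to check, before publication, which cross-scope requests exercised in testing have no allowed record. The function names, the `targetType` values given to the Table 2 records, and the reading of "valid" as "well-formed, matching, and status allowed" are assumptions.

```javascript
// Added example: offline model of cross-scope privilege records, not platform code.
// Operations available per target type, as listed in Table 1.
const OPERATIONS = {
  'table': ['read', 'write', 'create', 'delete'],
  'script include': ['execute api'],
  'script object': ['execute api'],
};
const STATUSES = ['requested', 'allowed', 'denied'];
const norm = (s) => String(s).trim().toLowerCase();

// Returns the problems found in one record; an empty array means well-formed.
function validateRecord(rec) {
  const problems = [];
  const ops = OPERATIONS[norm(rec.targetType)];
  if (!ops) problems.push('unknown target type: ' + rec.targetType);
  else if (!ops.includes(norm(rec.operation)))
    problems.push(rec.operation + ' is not available for a ' + rec.targetType);
  if (!STATUSES.includes(norm(rec.status))) problems.push('unknown status: ' + rec.status);
  return problems;
}

// Assumption: a "valid" record is well-formed, has status allowed, and matches
// the request on source scope, target scope, target name, type and operation.
function isPermitted(records, req) {
  return records.some((rec) =>
    validateRecord(rec).length === 0 && norm(rec.status) === 'allowed' &&
    ['sourceScope', 'targetScope', 'targetName'].every((k) => rec[k] === req[k]) &&
    ['targetType', 'operation'].every((k) => norm(rec[k]) === norm(req[k])));
}

// Pre-publication check: requests exercised in testing that lack an allowed record.
function findGaps(records, requests) {
  return requests.filter((req) => !isPermitted(records, req));
}

// Constructed data: the Table 2 records; the targetType values are assumed.
const mk = (targetName, targetType, operation, status) =>
  ({ sourceScope: 'My App', targetScope: 'Global', targetName, targetType, operation, status });
const sampleRecords = [
  mk('incident', 'table', 'Read', 'Allowed'),
  mk('incident', 'table', 'Write', 'Allowed'),
  mk('ScopedGlideRecord', 'script object', 'Execute API', 'Allowed'),
];
const sampleRequests = [
  mk('incident', 'table', 'read'),
  mk('incident', 'table', 'delete'),
  mk('ScopedGlideRecord', 'script object', 'execute api'),
];
console.log(findGaps(sampleRecords, sampleRequests).map((r) => r.operation + ' ' + r.targetName));
```

With the sample data, only the delete request on incident is reported, because Table 2 grants read and write on that table but not delete.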