Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Set application scope, application resource, and event access

Log in to subscribe to topics and get notified when content changes.

Set application scope, application resource, and event access

Create a record in the Restricted Caller Access Privileges [sys_restricted_caller_access] table to set cross-scope resource access requests. Approve or deny requests from a source scope or source scope application resources, to a target scope or to target scope application resources.

Before you begin

If you do not enable application administration, only application administrators of the target application can set access to an application. If application administration is not enabled, an admin user can set access to an application.

Role required: application admin or admin
Note: To learn about application-specific administrator roles and delegated development, see and .

About this task

You can set the following restricted caller access privilege settings combinations:
  • Scope-to-Scope
  • Scope-to-Target
  • Source-to-Scope
  • Source-to-Target

Procedure

  1. Navigate to System Applications > Application Restricted Caller Access.
  2. In the Restricted Caller Access Privileges table, fill in the fields.
    Table 1. Restricted Caller Access fields
    Field Description
    Operation Operation on the target resource.
    • Read
    • Write
    • Create
    • Delete
    • Execute API
    Source Record of the calling script.
    Source Scope Scope of the calling application.
    Source Table Table that contains the Source record.
    Source Type Type of record calling the application resource.
    • ACL
    • Business Rule
    • Document Title
    • GlideScopedEvaluator
    • Inbound Email Script
    • Orchestration RunScript Activity
    • Service Portal Widget
    • Scheduled Script
    • Scope
    • Script Include
    • UI Action
    • UI Macro
    • Workflow Activity

    To allow access from an entire application, select Scope.

    Status Status of the access request.
    • Requested
    • Denied
    • Allowed
    • Invalidated
    Note: If a calling resource changes, the restricted caller access record status changes to Invalidated. If you enable application administration, only application administrators of the target application can update the status of a request.
    Target Record of the requested resource.
    Target Scope Scope of the requested resource.
    Target Table Table that contains the Target record.
    Target Type Type of requested resource.
    • Event
      Note: An event is a special type of target for restricted caller access. By selecting an event in a target scope, you give a source application permission to queue an event that is registered as part of a target application. However, if you set caller access on the event registry to None, it prevents cross-scope access calls to an event. This setting combination is a one-to-one relationship. To learn more about events, and their function, see Events.
      Note: If you set caller access to None on the event registry, cross-scope access calls to an event are denied.
    • Scope
    • Table
    • Script Include

    To allow access to an entire application, select Scope.

    Note: Refer to the following sections for instructions on defining specific types restricted caller access privilege setting combinations.

Scope-to-scope settings

Allow or deny access of all application resources in a source scope to all application resources in a target scope. This setting combination is a many-to-many relationship.

Restricted caller access scope to scope setting

Enter the following field settings for Scope-to-Scope restricted caller access.

Field Entries
Source Scope Scope of the calling application that contains the source application resources.
Source Type Type of record calling the application resource. To allow access from an entire application, select Scope.
Status Status of the access request. In the Status field, select Allowed to allow access, or Denied to restrict access for this source-target resource relationship.
Target Scope Scope of the requested resource that contains the target application resources that the source application resource requests access to.
Target Type Type of requested resource. In the Target Type field, select Scope to include all application resources in the selected target scope.

Scope-to-target settings

Allow or deny access of all application resources in a source scope to a specific application resource, such as a business rule, table, script include, or event, in a target scope.

This setting combination is a many-to-one relationship. For example, you can specify that all application resources in source Scope A can access a script include in target Scope B. Restricted caller access scope to target setting

Enter the following field settings for Scope-to-Target restricted caller access.
Field Entries
Source Scope Scope of the calling application that contains the source application resources.
Source Type Type of record calling the application resource. Select Scope to include all application resources in the source scope.
Status Status of the access request. In the Status field, select Allowed to allow access, or Denied to restrict access for this source-target resource relationship.
Target Scope Scope of the requested resource that contains the target application resources that the source application resource requests access to.
Target Type Type of requested resource. Select the specific application resource (for example, business rule, script include, event) to which the source application resource requests access.
Operation Type of operation (for example, Read, Write) in the target application resource the source application resource requests access to.

Source-to-scope settings

Allow or deny access of a specific application resource in a source scope to all application resources in a target scope.

This setting combination is a one-to-many relationship. For example, you can specify that a particular business rule in source Scope A can access all application resources in target Scope B.

Restricted caller access source to scope setting

Enter the following field settings for Source-to-Scope restricted caller access.
Field Entries
Source Scope Scope of the calling application that contains the source application resource requesting access to the target scope application resource.
Source Type Type of record calling the application resource. Select the specific application resource (for example, business rule or script include) requesting access to the specified target scope application resource.
Status Status of the access request. In the Status field, select Allowed to allow access, or Denied to restrict access for this source-target resource relationship.
Target Scope Scope of the requested resource that contains the target application resources that the source application resource requests access to.
Target Type Type of requested resource. Select Target to include all application resources in the selected target scope.
Operation Type of operation (for example, Read, Write) in the target application resource the source application resource requests access to.

Source-to-target settings

Allow or deny access of a specific application resource in a source scope to a specific application resource in a target scope.

This setting combination is a one-to-one relationship. For example, you can specify that a specific business rule in source Scope A can access a specific application resource, such as a business rule, table, Script Include or event, in a target scope.

Restricted caller access source-to-target setting

Enter the following field settings for Source-to-Target restricted caller access.
Field Entries
Source Scope Scope of the calling application that contains the source application resources.
Source Type Type of record calling the application resource. Select the specific application resource (for example, business rule or script include) requesting access to the specified target scope application resource.
Status Status of the access request. In the Status field, select Allowed to allow access, or Denied to restrict access for this source-target resource relationship.
Target Scope Scope of the requested resource that contains the target application resources that the source application resource requests access to.
Target Type Type of requested resource. Select the specific application resource (for example, business rule, Script Include, event) the source application resource requests access to.
Feedback