Cross-scope privilege record
- Updated Jan 30, 2025
- Yokohama
Runtime access tracking uses cross-scope privilege records to determine which script operations and targets the system allows to run.
The system creates cross-scope privilege records when:
- Runtime access tracking is set to Tracking or Enforcing.
- A script attempts to access another application.
Each cross-scope privilege record in the Cross scope privileges [sys_scope_privilege] table contains the following information.
Administrators can manually create cross-scope privilege records for application developers in advance to communicate which cross-scope resources they expect developers to access. For example, administrators could create these cross-scope privilege records to permit application developers access to resources from Incident Management.
Source Scope | Target Scope | Target Name | Operation | Status |
---|---|---|---|---|
My App | Global | incident | Read | Allowed |
My App | Global | incident | Write | Allowed |
My App | Global | ScopedGlideRecord | Execute API | Allowed |
During testing, application developers should run all of their application scripting logic to ensure the system creates any necessary cross-scope privilege records. After application publication, the system allows a runtime request to run only if it has a valid cross-scope privilege record.
Note: Table privilege granting is limited to, at most, the permissions set on
the table object (sys_db_object) record. For example, granting a scope privilege to delete for
table incident would not be allowed if the table object for incident did not allow Can delete
scopes.
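
The following is an added example, not ServiceNow code. It models two checks from this page over constructed rows: whether a runtime request has a valid record, and whether a table grant exceeds what the table object permits. The property names, the extra `Delete` row, the `tableObjects` map, and treating only status `Allowed` as valid are assumptions made for illustration.

```javascript
// Constructed rows mirroring the example table, plus one Delete grant
// that exercises the Note about table object limits.
// Property names are hypothetical, not the table's real column names.
const privileges = [
  { source: 'My App', targetScope: 'Global', targetName: 'incident', operation: 'Read', status: 'Allowed' },
  { source: 'My App', targetScope: 'Global', targetName: 'incident', operation: 'Write', status: 'Allowed' },
  { source: 'My App', targetScope: 'Global', targetName: 'ScopedGlideRecord', operation: 'Execute API', status: 'Allowed' },
  { source: 'My App', targetScope: 'Global', targetName: 'incident', operation: 'Delete', status: 'Allowed' },
];

// Constructed stand-in for table object permissions: the operations each
// table lets other scopes perform. Here incident does not permit Delete.
const tableObjects = new Map([['incident', new Set(['Read', 'Write'])]]);

// Identity of a privilege: source scope, target scope, target name, operation.
const key = (r) => [r.source, r.targetScope, r.targetName, r.operation].join('|');

// After publication a request runs only if a matching valid record exists.
// Assumption: "valid" means the record's status is Allowed.
function hasValidRecord(rows, request) {
  return rows.some((r) => key(r) === key(request) && r.status === 'Allowed');
}

// Table grants that go beyond what the table object permits (the Note).
// Targets that are not tables in the map, such as script APIs, are skipped.
function grantsExceedingTable(rows, tables) {
  return rows.filter((r) => {
    const permitted = tables.get(r.targetName);
    return permitted !== undefined && r.status === 'Allowed' && !permitted.has(r.operation);
  });
}

// Accesses seen during testing that would be refused after publication.
function missingRecords(rows, observedRequests) {
  return observedRequests.filter((req) => !hasValidRecord(rows, req));
}

// Constructed list of accesses exercised by the application's scripts.
const observed = [
  { source: 'My App', targetScope: 'Global', targetName: 'incident', operation: 'Read' },
  { source: 'My App', targetScope: 'Global', targetName: 'problem', operation: 'Read' },
];

console.log('No valid record:', missingRecords(privileges, observed).map(key));
console.log('Exceeds table object:', grantsExceedingTable(privileges, tableObjects).map(key));
```

Running the same comparison against an export of the real records before publication shows which accesses still lack a record and which grants ask for more than the target table permits.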