Runtime access tracking uses cross-scope privilege records to determine which script operations and targets the system allows to run.

The system creates cross-scope privilege records when:
  • Runtime access tracking is set to Tracking or Enforcing.
  • A script attempts to access another application.

Each cross-scope privilege record in the Cross scope privileges [sys_scope_privilege] table contains the following information.

Administrators can manually create cross-scope privilege records for application developers in advance to communicate which cross-scope resources they expect developers to access. For example, administrators could create these cross-scope privilege records to permit application developers access to resources from Incident Management.

Table 2. Sample cross-scope privilege records

| Source Scope | Target Scope | Target Name | Operation | Status |
|---|---|---|---|---|
| My App | Global | incident | Read | Allowed |
| My App | Global | incident | Write | Allowed |
| My App | Global | ScopedGlideRecord | Execute API | Allowed |

During testing, application developers should run all of their application scripting logic to ensure the system creates any necessary cross-scope privilege records. After the application is published, the system allows a runtime request to run only if it has a valid cross-scope privilege record.

Note: Table privilege granting is limited to, at most, the permissions set on the table object (sys_db_object) record. For example, granting a scope privilege to delete for table incident would not be allowed if the table object for incident did not allow Can delete scopes.
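
A pre-publication review of the two rules above, as an added example that is not part of the original documentation or the platform's own code: it lists test-run requests that lack an Allowed record, and Allowed table grants that exceed what the table object permits. The property names, the Delete and problem rows, the Denied status value, ExampleScriptInclude and the tableObjects map are constructed assumptions standing in for exported sys_scope_privilege and sys_db_object data.

```javascript
// Constructed records using the column labels from Table 2.
// The Delete row, the problem row and the 'Denied' status are constructed for illustration.
const privileges = [
  { source: 'My App', target: 'Global', name: 'incident', operation: 'Read', status: 'Allowed' },
  { source: 'My App', target: 'Global', name: 'incident', operation: 'Write', status: 'Allowed' },
  { source: 'My App', target: 'Global', name: 'ScopedGlideRecord', operation: 'Execute API', status: 'Allowed' },
  { source: 'My App', target: 'Global', name: 'incident', operation: 'Delete', status: 'Allowed' },
  { source: 'My App', target: 'Global', name: 'problem', operation: 'Read', status: 'Denied' },
];

// Constructed stand-in for the table object (sys_db_object) settings:
// which operations each table lets other scopes perform.
const tableObjects = {
  incident: { Read: true, Write: true, Delete: false },
  problem: { Read: true, Write: false, Delete: false },
};

const sameTarget = (a, b) =>
  a.source === b.source && a.target === b.target &&
  a.name === b.name && a.operation === b.operation;

// Requests seen during testing that have no record with status Allowed.
// After publication these are the requests that would not run.
function missingPrivileges(requests, records) {
  return requests.filter(
    (req) => !records.some((rec) => sameTarget(req, rec) && rec.status === 'Allowed')
  );
}

// Allowed table records whose operation exceeds what the table object permits.
// Targets without a table-object entry (such as script APIs) are not table grants.
function grantsExceedingTableObject(records, tables) {
  return records.filter((rec) => {
    const table = tables[rec.name];
    return rec.status === 'Allowed' && table !== undefined && table[rec.operation] !== true;
  });
}

// Constructed list of operations the application performed during a test run.
// ExampleScriptInclude is a hypothetical target name.
const observed = [
  { source: 'My App', target: 'Global', name: 'incident', operation: 'Read' },
  { source: 'My App', target: 'Global', name: 'problem', operation: 'Read' },
  { source: 'My App', target: 'Global', name: 'ExampleScriptInclude', operation: 'Execute API' },
];

console.log('Missing:', missingPrivileges(observed, privileges));
console.log('Over-granted:', grantsExceedingTableObject(privileges, tableObjects));
```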