Create a record in the Restricted Caller Access Privileges [sys_restricted_caller_access] table to set cross-scope resource access requests. Approve or deny requests from a source scope or source scope application resources to a target scope or to target scope application resources.

Before you begin

If you enable application administration for the target application, only application administrators of the target application can set access to an application. If application administration is not enabled, an admin user can set access to an application.

Role required: application admin or admin
Note: To learn about application-specific administrator roles and delegated development, see Access control rules in application administration apps and Delegated development and deployment.

About this task

You can set the following restricted caller access privilege settings combinations:
  • Scope-to-Scope
  • Scope-to-Target
  • Source-to-Scope
  • Source-to-Target
Note: In the Rome release, we have enforced that an RCA privilege record must be present in the target application to grant access to a resource. This means that the target scope must match the application scope.

Procedure

  1. Navigate to All > System Applications > Application Restricted Caller Access.
  2. On the form, fill in the fields.
    Table 1. Restricted Caller Access fields
    FieldDescription
    Operation Operation performed on the target resource.
    • Read
    • Write
    • Create
    • Delete
    • Execute API
    Source Cross-scope record that is accessing a restricted application resource.
    Source Scope Scope of the calling application.
    Source Table Table that contains the Source record.
    Source Type Type of record that is calling the application resource:
    • ACL
    • Business Rule
    • Document Title
    • Flow
    • Flow Action
    • GlideScopedEvaluator
    • Inbound Email Script
    • Orchestration RunScript Activity
    • Record Producer Script
    • Service Portal Widget
    • Scheduled Script
    • Scope
    • Script Include
    • UI Action
    • UI Macro
    • UI Page
    • Workflow Activity

    For example, to allow access from an entire application, select Scope.
    Status Status of the access request:
    • Requested
    • Denied
    • Allowed
    • Invalidated
    Note: If a calling resource changes, the restricted caller access record status changes to Invalidated. If you enable application administration, only application administrators of the target application can update the status of a request.
    Target Record of the requested resource.
    Target Scope Scope of the requested resource.
    Target Table Table that contains the Target record.
    Target Type Type of requested resource.
    • Event
      Note: An event is a special type of target for restricted caller access. By selecting an event in a target scope, you give a source application permission to queue an event that is registered as part of a target application. However, if you set the caller access on the event registry to None, it prevents cross-scope access calls to an event. This setting combination is a one-to-one relationship. To learn more about events, and their function, see Events. If you set caller access to None on the event registry, the cross-scope access calls to an event are denied.
    • Scope
    • Table
    • Script Include

    For example, to allow access to an entire application, select Scope.