Restricted caller access privilege settings

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Restricted caller access privilege settings

    Restricted caller access privilege settings in ServiceNow enable you to define and control cross-scope access between applications, application resources (such as roles, business rules, UI actions, or script includes), and events within the ServiceNow AI Platform. These settings help track and manage requests where one application or script from one scope attempts to access resources in another scope, ensuring secure and appropriate access control across application boundaries.

    Show full answer Show less

    Key Features

    • Tracking Cross-Scope Access Requests: The system creates sysrestrictedcalleraccess records to log cross-scope access attempts whenever caller access is set to Caller Restriction or Caller Tracking. This allows you to monitor which applications request access to resources in other scopes.
    • Approval and Denial of Access: You can use these records to approve or deny access requests, granting precise control over which applications or scripts can interact with resources outside their own scope.
    • Flexible Access Privilege Combinations: Multiple combinations of access can be configured, including:
      • Scope-to-scope
      • Scope-to-target
      • Source-to-scope
      • Source-to-target
    • These combinations allow you to specify access permissions at varying levels—ranging from entire scopes to specific resources within a scope—to enforce strict boundary controls.

    Activation and Configuration

    • Activating Restricted Caller Access: You can activate this feature by enabling the Scoped Application Restricted Caller Access plugin (com.glide.scope.access.restrictedcaller), which requires admin privileges.
    • It is also enabled by default in applications such as HR Service Delivery and Security Incident Response.
    • Additionally, you can enable restricted caller access for Workflow Studio by setting the appropriate system property.
    • Defining Access: Use the Restricted Caller Access Privileges [sysrestrictedcalleraccess] table to create records that specify whether access is permitted or denied between source and target scopes or resources.

    Practical Benefits for ServiceNow Customers

    • Enforces secure, granular control of cross-application resource access to prevent unauthorized data exposure or operations across application boundaries.
    • Provides visibility into cross-scope access attempts, supporting governance and compliance requirements.
    • Enables flexible configuration to accommodate complex application architectures with multiple scopes, helping maintain system integrity and operational security.

    Define cross-scope access to an application, application resource (such as an access control role, a business rule, a UI action, or a script include), or event. You can even use these settings to allow or deny requests for access.

    Restricted caller access privilege settings overview

    Restricted caller access [sys_restricted_caller_access] records track cross-scope applications or scripts that request access to an application, application resource, or event in the ServiceNow AI Platform. The ServiceNow AI Platform creates sys_restricted_caller_access records when one of these actions occurs:

    • Caller access is set to Caller Restriction or Caller Tracking.
    • A cross-scope script attempts to access an application resource or event.
      Note:
      A system scope to target scope is an example of a cross-scope.

    You can use these records to do these tasks:

    • Track cross-scope requests for access to an application resource. You can use access requests to determine which applications need access to resources and data from other application scopes.
    • Approve or deny any cross-scope requests for access to application resources or events. For example, you can create a Restricted Caller Access record to allow access for all scope-to-scope requests.

    For more information, see Requested restricted caller access (RCA).

    Restricted caller access privilege setting combinations

    You can define various combinations of privilege settings for restricted caller access and specify whether access is allowed or restricted for each relationship. This process ensures that your application has the privileges to access the correct scope and not one you don't want to access. You can define various combinations of the following settings:
    Scope
    All application resources in a selected source or target scope. To learn more about application scopes, see Application scope.
    Source
    A specific application resource in a selected source scope.
    Target
    A specific application resource in a selected target scope.
    These restricted caller access privilege settings combinations include, but are not limited to following combinations:
    • Scope-to-scope
    • Scope-to-target
    • Source-to-scope
    • Source-to-target
    Note:
    For more information about these access setting combinations and to learn how to create each combination, see Set the application scope, application resource, and event access.

    Activating application restricted caller access

    You can activate application restricted caller access through one of the following methods:

    • Activate the Scoped Application Restricted Caller Access plugin (com.glide.scope.access.restricted_caller).
    • Request the HR Service Delivery or Security Incident Response applications. By default, restricted caller access is active in these applications.
    • Enable the Restricted Caller Access system property for Workflow Studio.

    For more information, see: Activate application restricted caller access.