Unable to track Restricted Caller Access (RCA) source from Flows. Please note: on fixed versions of PRB1496336, you need to create the property `com.glide.hub.flow.restricted_caller_access.track_flows_as_source` and set it to true to enable flows to be a source for Restricted Caller Access.
Attached update set with the flows below set up as Create Record Flow (steps 4-8) and Script Action Flow (steps 18-21).

1. Create a new custom application
2. Create a new table in the application. Set `Caller Access` to Caller Restriction. Check `Can Create/Delete/Update` (leave `Accessible from` set to All application scopes)
3. Change session scope back to Global
4. Open Flow Designer and click New -> Flow to create a new global Flow
5. Add a Trigger such as creating a record in the Incident table
6. Add a new Action and select 'Create Record'
7. Set the action's table to your new custom table created in step 2
8. Save your flow and click 'Test'
9. When finished, open the execution details. There should be an error that the flow couldn't access the table, and in the logs a message similar to "SEVERE *** ERROR *** Source descriptor is empty while recording access for table sn_def0209250_app_test_table"
10. Open the Restricted Caller Access Privileges table (sys_restricted_caller_access) and note that there is no requested record for the flow to access the table

Expected: An RCA record should have been generated for access to the custom table

11. Open Flow Designer
12. Click New -> Action
13. Add a name for the action and leave scope as Global
14. From the Action Outline, click the + button
15. Scroll to the Utilities section and select Script
16. Add a simple script that inserts to the protected table:

    ```javascript
    (function execute(inputs, outputs) {
        // Insert directly into the caller-restricted table from the action script
        var gr = new GlideRecord('sn_def0209250_app_test_table');
        gr.insert();
    })(inputs, outputs);
    ```

17. Click the Publish button
18. Click the + button in the tab section of Flow Designer and then select Flow to add a new flow
19. Add a trigger, such as inserting a new record into the Incident table
20. Add a new action and select the script action you created in step 12 [will be under Global -> Default]
21. Click Test for the flow
22. In Execution Details, open the logs for the custom action and note there is a log similar to "Source descriptor is empty while recording access for table sn_def0209250_app_test_table"
23. Open the Restricted Caller Access Privileges table (sys_restricted_caller_access) and note that there is no requested record for the flow to access the table

Expected: An RCA record should have been generated for access to the custom table
Tested two workarounds:

1) Trigger the flow through a business rule/script include/scheduled job instead of the built-in Trigger types. The RCA record will be generated using the triggering business rule/job.
2) Take an action that uses a protected table/resource and move its logic into a Script Include that is called from a custom Script action. (It won't work if the script is written inside the Script action, so the action needs to call a Script Include that holds the actual functionality.) The RCA record will be generated using the Script Include.

Option 1 is easier to set up and lets someone keep building the flow easily through the Flow Designer UI. Option 2 could provide some additional security to the restricted app (if someone changes the functionality of the Script Include, the RCA record will be invalidated, whereas someone can do whatever they want in the flow to the protected table), but it removes all the ease of using the Flow Designer UI. Option 1 comes with a caveat: once customers are on this patch and decide to enable this feature, they need to revisit their approved RCA record.
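A sketch of workaround 2, added here as an example and not taken from the attached update set: the write to the protected table lives in a Script Include, and the custom Script action only delegates to it. The name `ProtectedTableWriter`, the `short_description` field, the field allowlist and the `record_id` output are assumptions; the `Class` and `GlideRecord` definitions at the top are constructed stand-ins so the sketch runs outside an instance and should be dropped on a real one.

```javascript
// Constructed stand-ins for the platform's Class and GlideRecord (not the real
// implementations); they only record what would have been inserted.
var insertedRows = [];
var Class = { create: function () {
    return function () { this.initialize.apply(this, arguments); };
} };
function GlideRecord(table) { this.table = table; this.values = {}; }
GlideRecord.prototype.initialize = function () { this.values = {}; };
GlideRecord.prototype.setValue = function (field, value) { this.values[field] = value; };
GlideRecord.prototype.insert = function () {
    insertedRows.push({ table: this.table, values: this.values });
    return 'constructed_sys_id_' + insertedRows.length;
};

// Script Include (hypothetical name). All access to the caller-restricted
// table goes through here, so this is the source the RCA record is tied to.
var ProtectedTableWriter = Class.create();
ProtectedTableWriter.prototype = {
    initialize: function () {
        this.table = 'sn_def0209250_app_test_table'; // table name from the repro steps
        this.writableFields = ['short_description']; // hypothetical allowlist
    },
    // Inserts one row; rejects any field the Script Include does not expose,
    // so a flow cannot widen its own access by passing extra inputs.
    createRecord: function (fields) {
        var gr = new GlideRecord(this.table);
        gr.initialize();
        for (var name in fields) {
            if (this.writableFields.indexOf(name) === -1) {
                throw new Error('Field not writable through this Script Include: ' + name);
            }
            gr.setValue(name, fields[name]);
        }
        return gr.insert();
    },
    type: 'ProtectedTableWriter'
};

// Body of the custom Script action step. In Flow Designer it is wrapped as
// (function execute(inputs, outputs) { ... })(inputs, outputs); it must not
// touch the protected table directly, only call the Script Include.
function execute(inputs, outputs) {
    outputs.record_id = new ProtectedTableWriter().createRecord({
        short_description: inputs.short_description
    });
}
```

Keeping the action body free of any direct `GlideRecord` call on the protected table is the point of the workaround; the allowlist is an extra restriction layered on top of it.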
PRB1496336