Own Recover Connect App Installation

Remove the Pilot components if necessary:

1. Set the following Pilot components to "active = false":
   1. The Scripted REST API [sys_ws_definition] "OwnBackup Extract API". 
   2. The Scripted REST Resources [sys_ws_operation] "Extract Table Data". 
   3. The Scripted REST Resources [sys_ws_operation] "Information". 
2. Or delete the Scripted REST [sys_ws_definition] "OwnBackup Extract API".
   1. This deletes the associated API endpoints and filter parameters.

App Installation:

1. Click “Request App” on the ServiceNow Store listing:

2. The request is routed to Own’s ServiceNow Store account for approval.

3. Once approved, install the app in the ServiceNow instance by:

   1. Navigate to All > System Applications > All Available Applications > All.

   2. Find the application using the filter criteria and search bar.

   3. Select a version from the list and select Install.

App Configuration:

If the Backup Service is configured with:

• Basic Auth: Assign the app's admin role x_owba_connect.x_owba_extract.admin to the Own user (in addition to admin).
• OAuth: Assign the app’s admin role x_owba_connect.x_owba_extract.admin to the Own user (in addition to admin) who allows the Oauth connection in Step 6 here.

Own Recover Connect is a custom application that requires Cross Scope Privilege [sys_scope_privilege] and Restricted Caller Access [sys_restricted_caller_access] records to read data from other application scopes. Scoped applications have default application and table restrictions that prevent other scopes from accessing them unless one explicitly grants access.

Due to security concerns, ServiceNow does not allow us to bundle these records in our application. They want ServiceNow admins to acknowledge that these records are required by creating them manually, via script, or importing them via XML.

Own provides Cross Scope Privilege records for all out of box applications & tables (see next step). For every additional application, each table within that application requires the creation of a Cross Scope Privilege. If an application [sys_store_app] has the “Runtime Access Tracking” field set to “Tracking” or “Enforced”, a Cross Scope Privilege is required. If an application [sys_store_app] has the “Runtime Access Tracking” field set to “None” and the “Caller Access” field on the table is set to “Caller Restriction” or “Caller Tracking”, a Restricted Caller Access record is required. 

1. To start, in the ServiceNow instance, switch to the Own Recover Connect scope. The following link contains an XML of cross scope privileges you need to import for all the out of box applications/tables:

2. Once the Cross Scope Privilege records are created in ServiceNow, navigate to the Own Platform. In the Service Options, set the API Version to “Own Recover Connect”.

3. Run an on-demand backup or let the next scheduled backup run.

4. Additional applications beyond the out of box applications require their own Cross Scope Privileges. The Own platform returns 500 errors for every table within those applications that require additional privileges.

Creating Cross Scope Privileges:

1. Copy the list of tables with 500 errors into a text editor, such as Sublime Text. Format the tables so each table has its own line:
2. In ServiceNow, navigate to the Cross Scope Privileges table [sys_scope_privilege]. Own checks if these tables have Cross Scope Privilege records. Create the following filter:

3. The filter returns 0 results or some results.

   1. If there are Cross Scope Privilege records already created, additional Restricted Caller Access [sys_restricted_caller_access] records must be created (Step 8).

4. To create the missing Cross Scope Privileges, format the list generated in Step 1 as so:

   1. Using a text editor:

      1. Move the cursor to the beginning of each row.

      2. Add a quotation mark (").

      3. Move the cursor to the end of each row.

      4. Add a quotation mark and comma (",).

5. Then add the list to the following script:

//Script to get Table Names and Application Scope sys_id

var tables_arr = [
"alm_transfer_order_line_subtask",
"alm_transfer_order_line_task",
"...",
];

for (var i = 0; i < tables_arr.length; i++) {
    var grGetTableInfo = new GlideRecord('sys_db_object');
    grGetTableInfo.addQuery('name', tables_arr[i]);
    grGetTableInfo.query();
    if(grGetTableInfo.next()){
        gs.print('\n' + grGetTableInfo.getValue('name') + ':' + grGetTableInfo.getValue('sys_scope') + '\n');
    } else {
        gs.print('error');
    }
}

6. Run this script as a Background Script. This returns an execution history which needs to be downloaded.
7. From that result, remove the lines containing “*** Script:” and format the list of tables names to match the following:
8. Then add the list to the following script:

// Script to create cross-scope privilege records for a given table name and application scope

var records = [
    "aw_record_type_selector:06e4ef0d87130300ada4046787cb0b08",
    "sn_publications_workflow_config:0fdd6483d72302004f1e82285e61033a",
    "...",
     // Target Table Name and Target Scope sys_id separated by a Colon (:)
];
var totalCreated = 0;
var ownRecoverConnectScopeId = "c561b5ff876361907dcf84c7dabb35b0"; //Own Recover Connect Scope ID for sys_scope and source_scope
records.forEach(function(record) {
    var [targetName, targetScope] = record.split(":");
    var privilegeRecord = new GlideRecord("sys_scope_privilege");
    privilegeRecord.initialize();
    privilegeRecord.operation = "read";
    privilegeRecord.sys_scope = ownRecoverConnectScopeId;
    privilegeRecord.status = "allowed";
    privilegeRecord.source_scope = ownRecoverConnectScopeId;
    privilegeRecord.target_type = "sys_db_object";
    privilegeRecord.target_name = targetName; // Target Table Name
    privilegeRecord.target_scope = targetScope; // Target Scope sys_id
    var newRecordSysID = privilegeRecord.insert();
    if (newRecordSysID) {
        gs.info("New privilege record created with sys_id: " + newRecordSysID);
        totalCreated++;
    } else {
        gs.error("Failed to create the new privilege record for " + targetName);
    }
});
gs.info("Total Records Created: " + totalCreated);

9. Run this script as a Background Script.

10. Revisit the Cross Scope Privileges table [sys_scope_privilege] with the filter described in Step 2. The missing records are now created.

11. Run an on-demand backup or let the next scheduled backup run.

12. Any remaining tables with 500 errors need Restricted Caller Access [sys_restricted_caller_access] records created.

Creating Restricted Caller Access:

These must be created manually and can’t be automated at this time. For example, the following tables need Restricted Caller Access records:

1. Copy the list of tables from the Own UI.

2. In ServiceNow, navigate to [sys_db_object] and create the following filter:

   Remove the “and” between the last table at the bottom of the list.

3. The results show all the application scopes that require Restricted Caller Access Records. Group by Application and take note of these.

4. In a new ServiceNow tab, navigate to System Applications > Application Restricted Caller Access [sys_restricted_caller_access].

5. Set the application picker to the first application scope you plan to create. For example, the first application in the image above needs to create the Restricted Caller Access in the Templated Snippets application scope:

6. Click “New” and set the following:

7. Repeat Steps 4 & 5 for each application from Step 3.

8. Run an on-demand backup for the tables with 500 errors or let the next scheduled backup run.

9. The tables backup without any errors.