top of page

Experiencing challenges with ServiceNow support?

IKC provides professional, reliable assistance that covers gaps not supported by ServiceNow

and without the high costs of traditional services.

 

Starting from just $1,080 per month

Search

Resolving the "cross-scope access" Error




ServiceNow's application scoping provides a robust way to manage and protect custom development efforts. However, when working with scoped applications, you might encounter the error message: "Write operation from scope 'rhino.global' has been refused due to the table's cross-scope access policy." This error arises when a script running in one application scope (often the Global scope) attempts to modify data in a table belonging to a different scope, and the necessary permissions are not in place. This article will guide you through understanding this error and provide practical steps to resolve it, ensuring smooth operation between your ServiceNow applications.


The "Write operation from scope 'rhino.global' has been refused..." error is a security mechanism in ServiceNow designed to prevent unintended data modification between different application scopes. When your script, operating within a specific scope (like Global), tries to write (create, update, or delete) a record in a table that resides in another scope, ServiceNow checks if there's an explicit permission allowing this cross-scope interaction. If not, the operation is blocked, and you see this error.


Unraveling the Common Causes


Several reasons can lead to this error, even when you believe the configurations are correct:

  • Missing or Incorrect Cross-Scope Privileges: The most frequent cause is the absence or misconfiguration of Cross-Scope Privilege records. These records explicitly grant permission for a specific scope to perform certain operations (like write) on resources (like tables) in another scope. If a write privilege from the 'rhino.global' scope (or the scope your script is running in) to the target table's scope is missing or incorrectly set up, the error will occur.


  • Restrictive Application Access Settings: Each table in ServiceNow has "Application Access" settings that control which scopes can access it. Even if you have a Cross-Scope Privilege in place, if the target table's Application Access settings do not allow write operations from other applications, the write will be refused. Specifically, ensure the "Can create" and "Can update" checkboxes are selected for "Access from other applications."


  • The Mystery of Caching: Sometimes, even after you've configured the necessary Cross-Scope Privileges and Application Access settings, the changes might not take effect immediately due to caching within the ServiceNow instance.


  • Update Scope Anomalies: In some peculiar cases, the actual update record of your Cross-Scope Privilege might have inadvertently been saved in the Global scope, even if the privilege record itself shows the correct scope. This can lead to the privilege not being correctly applied.


Your Toolkit for Resolving the Error


Here's a step-by-step approach to troubleshoot and fix the "Write operation refused" error:

  1. Examine Cross-Scope Privileges: Navigate to System Security > Cross-Scope Access. Filter or search for records where the "Source scope" is 'Global' (or the scope of your script) and the "Target scope" is the scope of the table you are trying to write to. Ensure a record exists with the "Operation" set to "write" and the "Target name" pointing to the specific table. If it's missing, create a new one. If it exists, double-check that all the details are correct.


  2. Review Application Access Settings: Go to System Definition > Tables and open the record for the table mentioned in the error. In the "Application Access" section, verify that both "Can create" and "Can update" are checked under the "Access from other applications" heading. If not, check these boxes and save the record.


  3. Investigate the Update Scope: For the relevant Cross-Scope Privilege record, click the three dots in the header (context menu) and select "Show Latest Update." Examine the "Application" field on the update record. If it's unexpectedly set to 'Global', you might need to delete the Cross-Scope Privilege record and recreate it within the correct application scope.


  4. Try a Re-creation: Sometimes, even if the update scope appears correct, deleting the problematic Cross-Scope Privilege record and creating a fresh one with the exact same settings can resolve the issue.


  5. Clear the ServiceNow Cache: Caching can sometimes hold onto old configurations. Try clearing the ServiceNow cache using one of these methods:

    Run the following in a "Scripts - Background" window (ensure you understand the impact of running scripts in the background):

    JavaScript

GlideTableManager.invalidateTable('<your_table_name>'); GlideCacheManager.flushTable('<your_table_name>');

Replace <your_table_name> with the name of the table causing the issue.

Alternatively, try running:

JavaScript

gs.invalidateCache();

in "Scripts - Background".


You can also try navigating to /cache.do in your browser and clicking the "Flush

cache" button.


Consider a Script Include Workaround 


If you continue to face issues, a potential workaround is to create a Script Include within the scope of the target table. This Script Include would contain the logic to perform the write operation. Then, you can create a Cross-Scope Privilege that allows your original scope (e.g., Global) to execute this Script Include. This shifts the write operation to the correct scope.


Practical Scenarios Where This Error Might Occur


  • A custom Service Portal widget (often running in the Global scope) attempting to submit data to a table within a scoped service catalog application.

  • A scheduled job or a business rule in the Global scope trying to update records in a custom application's tables.

  • Integration scripts running in the Global scope needing to interact with data managed by a scoped application.


Alternative Approaches


While Cross-Scope Privileges are the standard way to handle these interactions, it's worth considering if the operation could be redesigned to occur within the target scope itself. For example, instead of a Global scope script writing to a scoped table, could the logic be moved to a business rule within the scoped application that triggers based on an event in the Global scope? This can sometimes simplify the architecture and reduce the need for extensive cross-scope permissions.


Conclusion


The "Write operation from scope 'rhino.global' has been refused..." error is a common challenge when working with scoped applications in ServiceNow. By understanding the underlying security mechanisms and systematically checking your Cross-Scope Privileges, Application Access settings, and considering potential caching issues, you can effectively troubleshoot and resolve this error. Remember to always grant the least privilege necessary for cross-scope interactions to maintain the security and integrity of your ServiceNow instance. The next time you encounter this message, take a methodical approach, review your configurations, and leverage the troubleshooting steps outlined in this article to ensure your applications work seamlessly together.

Experiencing challenges with ServiceNow support?

IKC provides professional, reliable assistance that covers gaps not supported by ServiceNow

and without the high costs of traditional services.

 

Starting from just $1,080 per month

CONTACT

New Zealand HQ

Integrated Knowledge Consulting Office

Level 3, 93 Grafton Road

Auckland

South Korea

Integrated Knowledge Consulting Office

BMY역삼타워 6층

서울특별시 강남구 역삼동 678-10번지

 

info@ikconsulting.com

Thanks for submitting!

  • LinkedIn Social Icon

© Copyright 2025 Integrated Knowledge Consulting. All rights reserved.

bottom of page