System Table Application Access for Service Graph ConnectorsIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } While configuring the SolarWinds Service Graph Connector via Guided Setup, one of the prerequisite steps requires enabling Application Access on the "sys_variable_value" table to allow Create, Update, and Delete operations. The instructions explicitly direct modifying the table’s Application Access settings rather than creating explicit cross-scope privileges.This raises a design and security question regarding scope isolation and least-privilege enforcement.Expectation would be that the connector instead relies on explicit cross-scope privileges ("sys_scope_privilege") granting only the SolarWinds connector scope permission to perform the required operations against "sys_variable_value". Here are follow up questions:1. Is modifying Application Access on "sys_variable_value" the intended and required architectural approach for Service Graph Connectors, or is there a supported alternative using explicit cross-scope privileges instead?2. Does the SolarWinds Service Graph Connector rely on IntegrationHub or runtime execution contexts that require broader table-level Application Access rather than scope-specific privileges?3. If explicit cross-scope privileges were configured instead, would the connector function correctly, or are there platform limitations that prevent this approach?4. After initial connector setup is complete, is it supported or recommended to revert the broader Application Access settings and rely solely on the explicitly granted scope privileges?5. Are there any documented security or hardening best practices specific to Service Graph Connector integrations regarding Application Access and scoped privilege management? Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } any Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Q1. Is modifying Application Access on "sys_variable_value" the intended and required architectural approach for Service Graph Connectors, or is there a supported alternative using explicit cross-scope privileges instead? A1. Providing Application Access on the "sys_variable_value" table is not strictly required unless you are creating a new (or multiple) connections. The connector only needs to create/update "sys_variable_value" records during the initial connection creation. If you are not creating a new connection, this additional access is not necessary. Q2. Does the SolarWinds Service Graph Connector rely on IntegrationHub or runtime execution contexts that require broader table-level Application Access rather than scope-specific privileges? A2. Yes. Service Graph Connectors execute through IntegrationHub, Scheduled Imports, and system-owned Script Includes, which often run in: System scope Global context Background/scheduled execution contexts ServiceNow KBs confirm that scheduled imports and runtime execution frequently ignore or bypass scoped caller identity, instead enforcing table-level Application Access. Q3. If explicit cross-scope privileges were configured instead, would the connector function correctly, or are there platform limitations that prevent this approach? A3. Regarding architecture, using explicit cross-scope privileges should also work in principle. The instruction to modify Application Access is more of a deployment convenience and has been there from quite a long time. It is not specifically tied to IntegrationHub runtime requirements; rather, it simplifies record creation during connection setup. Q4. After initial connector setup is complete, is it supported or recommended to revert the broader Application Access settings and rely solely on the explicitly granted scope privileges? A4. If access was granted only for setup, it is fine to revert it back after the connection records are created and the connector is configured Q5. Are there any documented security or hardening best practices specific to Service Graph Connector integrations regarding Application Access and scoped privilege management? A4. ServiceNow does not currently publish a best‑practice that recommends replacing Application Access with cross‑scope privileges for SGCs. If you prefer stricter least-privilege enforcement, you can test by granting explicit cross-scope privileges (instead of broad table Application Access) in a non-production environment. If the SolarWinds connector is able to create and manage the required records successfully, the same approach can be followed in production. Related Links<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Securing an application using Cross Scope Access, Application Access Settings & Restrict Table Choices