Exploring Data filtration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Data filtration

    Data filtration in ServiceNow is an optional, administrator-activated feature that controls access to tables and records based on subject attributes during read queries. It functions alongside existing Access Control rules (ACLs) by denying access to records that do not meet defined subject attributes. This feature enhances auditing, reporting, and troubleshooting by restricting data visibility according to user roles, groups, or network attributes.

    Show full answer Show less

    Key Features

    • Data Filters: Grant access based on specific information within table fields to determine record availability.
    • Subject Attribute Based Condition Builder: Evaluate user roles, groups, subject criteria, or IP network addresses to define access conditions.
    • Deny-Based Access Model: Records are denied access unless they fulfill the criteria set by data filtration rules, ensuring strict control.
    • Enforcement Order: Data filtration rules run after the database read query but before ACL evaluation. Records denied by data filtration do not proceed to ACL checks.
    • Reporting Integration: Data filtration and ACLs apply when creating list view reports but do not affect aggregated data reports, which rely on Reportview ACLs.
    • Session Debugging: Allows administrators to trace which data filtration records applied to a user's query, aiding in troubleshooting access issues.

    Components and Configuration

    Data filtration operates through several record types that administrators configure:

    • Data Filtration Records: Define rules combining data filters and subject attribute conditions to limit table and record access for specific users.
    • Subject Criteria Records: Specify user attributes such as roles, groups, or IP addresses used to determine access. Creating these requires setting up criteria input and condition records.
    • Criteria Input Records: Contain lists of user groups, roles, or IP address ranges used for comparison against user attributes.
    • Subject Criteria Condition Records: Define how to compare user attributes with criteria inputs, allowing multiple inputs to refine access control rules.

    Practical Benefits for ServiceNow Customers

    By using data filtration, administrators gain granular control over record visibility based on user-specific attributes, improving security and compliance. The deny-based model ensures that only authorized users can access sensitive records, while session debugging facilitates efficient troubleshooting. Integration with reporting and ACLs provides consistency across data access scenarios, enabling more accurate auditing and reporting within your ServiceNow instance.

    Use Data filtration to control access to tables and records based on subject attributes when performing read queries.

    Data filtration is a separate form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filtration denies access to tables and records that do not match subject attributes defined by an administrator. Data filtration is designed to make auditing, reporting, and troubleshooting easier.

    This is an optional feature that administrators can activate on their instance.

    Data filtration features

    Data Filters
    Use data filters to grant access based on information within a record. Data filters use data in a tables field to determine whether a record is available to your users.
    Subject attribute based condition builder
    Use subject attributes to evaluate user role, group, subject criteria, or IP network address.
    Data filtration uses a deny based model
    Data filtration uses a deny based model to control access to records. With Data filtration, your instance denies access to records unless a record meets the criteria defined by Data filtration.
    Data filtration enforcement
    Data filtration rules run after the database query for read operations and are evaluated before ACLs. A record denied by any Data filtration rule will not proceed and be evaluated by ACL rules. Data filtration rule enforcement is consistent with that of read ACLs.
    Data filtration and reporting

    Data filtration and ACL's are both applied only when creating list view reports. Reporting does not apply access control when collecting aggregated data. In this case, neither Data filtration nor ACLs are checked.

    For aggregated reports, Data filtration works in conjunction with existing Report_view access control list behaviors. See Report_view access control for further details on configuring these report controls.

    Session debugging
    Data filtration supports session debugging. Use session debugging to see which Data filtration records apply for a given query. Admins can use this information to troubleshoot user access to records.

    Components of Data filtration

    Data filtration works using the following record types:
    Data filtration records
    Create a Data filtration [sys_df_data_filtration] record to grant table access on your instance. The Data filtration record contains the Data filter and Subject attribute conditions described above to limit the scope of the rule and the affected users.
    Subject criteria records
    Subject criteria [sys_df_subject_criteria] records represent specific user attributes you can use to determine whether to grant access with a Data filtration rule. These attributes can be a user's groups, roles, or IP address. To create a subject criteria, you must create the subject criteria record, as well as criteria input and criteria conditions records. For details on this process, see Creating subject criteria.
    After creating a subject criteria records, you can apply them to a rule. This is done on the Subject Condition tab of your Data filtration rule.
    Criteria input records examples
    Figure 1. Example criteria input for all roles containing admin
    Example criteria input for all roles containing admin
    Criteria inputs [sys_df_subject_filter_criteria_m2m] are records that contain criteria to compare with the user. This can be a list of user groups or roles, an IP address range, or an IP address subnet. These records are used along with subject criteria condition records to evaluate against a user's groups, roles, or IP address to determine access to a table or it's records.
    Subject criteria condition records
    Figure 2. Example criteria condition using the Admins Only criteria input
    Example criteria condition using the Admins Only criteria input
    Use subject criteria condition [sys_df_subject_criteria_condition] records to define how to compare user attributes with the roles, groups, or IP addresses defined in you criteria inputs. You can use multiple criteria inputs in a single subject criteria condition to further narrow down access to your records.