on 08-21-2024 01:38 AM
Data Filtration in ServiceNow vs ACL | Data Filtration vs ACL: what is the difference?
The What and Why of Data Filtration
Access Control Lists (ACLs) are an important piece of the puzzle for ensuring data security and preventing access by those who should not have it.
An ACL restricts access to data by requiring users to meet a set of criteria before interacting with it.
Every Access Control List rule specifies:
- The table/data being secured.
- The permissions/roles required to access the table/data.
However, ACLs can be a bit confusing at times, and we end up with a huge mess of hierarchical rules that are difficult to debug and can cause problems.
Fortunately, with the Tokyo release, ServiceNow has provided us with a new tool in our environment called Data Filtration that allows us to build out security rules more easily and quickly. Data Filtration simplifies certain requirements while also providing more granular access and security.
Steps to create Data Filtration in ServiceNow:
Step 1: Install the plugin > Plugin id: com.glide.data_filtration (available on PDI too)
Step 2: Search for 'data filtration' in the left navigation bar.
Here is what you get to see; let's understand each item in simple terms.
Types of Data Filtration in ServiceNow:
- Data filtration records: deny access to tables/records.
- IP filter criteria: lets you filter based on the user's IP address. (config auth policy)
- Role filter criteria: lets you create filter criteria based on user roles.
- Group filter criteria: lets you create filter criteria based on the groups users belong to.
- Subject criteria: lets you narrow down the filter based on IP, group, role, etc. (remember how you create user criteria for catalog items?)
- Table exclusions: used to exclude any table.
- Location & more...
Step 3:
Before you get started, make sure you have the security_admin role on your user account and elevate your roles.
Step 4:
Click on the 'Data filtration record' module and click New.
Step 5:
Name: provide a name for the data filter as needed.
Description: <define a short description>
Subject condition: (Users that do not satisfy the Security Attributes or the Subject Conditions will be denied access to records matching this Data Filter). E.g.: Subject group is > Service desk. Here you are defining a filter for the service desk group. We have not defined any conditions yet; we have only stated that data filtration will happen based on the 'service desk' group.
Step 6: Next, we need to define the 'security attribute condition'.
So what does it mean?
Sometimes it is important to update this section: the "Security Attribute Condition" lets us use "ad hoc" (if local) or existing conditions, such as "Has Admin Role" or "Logged In". Click on the condition to explore more. You can also create your own scripted one.
For the sake of this example, I'll ignore it.
Step 7:
Save the record, then use the Preview button to review the number of records matching your condition and filter.
Navigate to the incident table and search the assignment group field for *desk or *service desk to see if any records are shown with the service desk group.
So this is how you use data filtration to deny access to records.
Benefits of using Data Filtration in ServiceNow:
- Data Filtration works in conjunction with ACLs in ServiceNow, but it is executed BEFORE the ACLs are executed.
- ACLs work on the 'grant' principle and Data Filtration works on the 'deny' principle. By configuring the rules, your instance denies access to records unless they meet the Data Filtration conditions.
- Data Filtration occurs AFTER the 'before-query' business rules have been applied.
- Data Filtration supports session debugging to determine which Data Filtration records apply to a given query. Administrators can use this data to troubleshoot user access to records.
- Data Filtration is a low-code solution and much more compatible with auditing needs.
MF Sohail Khilji | Servicenow Developer / Consultant.
Connect On LinkedIn > https://www.linkedin.com/in/mf-sohail-khilji/
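A simplified model of the evaluation order listed in the article (before-query business rule, then data filter on the 'deny' principle, then ACL on the 'grant' principle), added here as an illustration. It is not ServiceNow platform code and not the article author's; the users, records and rule definitions are constructed sample data.

```javascript
// Constructed sample users (group and role names are illustrative).
const users = {
  deskAgent: { groups: ['Service Desk'], roles: ['itil'] },
  netAgent:  { groups: ['Network'],      roles: ['itil'] },
  guest:     { groups: ['Service Desk'], roles: [] },
};

// Constructed sample incident records.
const incidents = [
  { number: 'INC001', assignment_group: 'Service Desk', active: true },
  { number: 'INC002', assignment_group: 'Network',      active: true },
  { number: 'INC003', assignment_group: 'Service Desk', active: false },
];

// Layer 1: a before-query business rule narrows the query itself.
const beforeQueryRule = (rec) => rec.active;

// Layer 2: data filter. Records matching `matches` are DENIED to any
// user who does not satisfy `subject`; other records are untouched.
const dataFilter = {
  matches: (rec) => rec.assignment_group === 'Service Desk',
  subject: (user) => user.groups.includes('Service Desk'),
};

// Layer 3: ACL. Access exists only if a rule GRANTS it.
const acl = (user) => user.roles.includes('itil');

// Reports which layer decided the outcome for one user and one record,
// similar in spirit to reading a session debug trace.
function decide(user, rec) {
  if (!beforeQueryRule(rec)) return 'excluded by before-query rule';
  if (dataFilter.matches(rec) && !dataFilter.subject(user)) {
    return 'denied by data filter';
  }
  if (!acl(user)) return 'denied by ACL';
  return 'visible';
}

function visibleIncidents(user) {
  return incidents
    .filter((rec) => decide(user, rec) === 'visible')
    .map((rec) => rec.number);
}

console.log(visibleIncidents(users.deskAgent)); // passes filter and ACL
console.log(visibleIncidents(users.netAgent));  // filter hides Service Desk records
console.log(visibleIncidents(users.guest));     // passes filter, but no ACL grant
```

The `guest` case is the one to watch when reviewing a configuration: satisfying a data filter's subject condition grants nothing, so the ACLs still have to allow the read.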
Data filtration is a new tool to maintain access. It is a very powerful tool if used correctly. In my experience it is also a very complex tool to use. Mainly due to how 2 data filtration rules work together, compared to how 2 ACLs would work together. You will need a different mindset to maintain both.
Then of course we got the new ACL types of ServiceNow, and for me the question becomes even more: should we use different tools to maintain security? The possibility of having a security gap when using 2 tools is bigger than with just 1, since you really need a good understanding of where the one stops and the other starts.
On top of all that, there are some points that need to be addressed before I would advise using data filtration. (Note: I haven't validated in the last update notes whether they are resolved.)
- Data filtration runs after database query. (I know it was planned to run before)
This means the system still retrieves all the unwanted records. It does not speed up querying. But for me more important, it does not solve the 'records hidden by security constraints' error message.
In these cases I would still rather use a query business rule, which enhances the query so that only the applicable records are being queried and solves the error message.
- Data filtration rules are not dynamic.
You cannot make rules such as, for example, you can only see records assigned to your group. Unless you create a hardcoded rule per group of course, but who wants to maintain such a mess.
With Data Filtration being planned for deprecation already, has anyone heard what ServiceNow plans to roll out in its place?
Pretty short shelf life for something that seemed to have a lot of promise and many use cases. Hopefully whatever they are planning as a replacement is robust and easy to use.
@Mike R1 I thought it is now replaced by security data filters?
Security data filters
Looks like those security data filters are not data filtration 2.0 but data filtration 3.0. Looks like they are addressing the issues I have with the OG data filtration.
Hope they will replace the query br.
Thank you Dinesh and Jorn,
I was thinking the same thing when I saw Security Data Filters. I was just disappointed that there is so little information about them. Any kind of confirmation that they are indeed the replacement for the other functionality would have been nice. And anything in addition to the scant 3 pages in the docs would be nice. Hopefully someone from the product team sees this and puts something together.
I'm using Data Filtration, but it appears that they are not being applied to reports. Is that true? Is there a method to have Data Filtration rules apply to reports?
How do you enable Security Data Filters? Is it free?
I believe it is licensed, so there is a fee....