Data Filtration - Excluded Tables

Mathew Hillyard · ‎06-16-2023

I'm evaluating the Data Filtration plugin (on a Tokyo and also a Utah instance) to see whether it can take the place of ACLs for simple read access that's easier to manage. I seem to have hit a brick will with the Data Filtration record. The "Table" field has filtering applied to it via an attribute that calls Script Include DataFiltrationTableList, whose process() function in turn calls an inaccessible Script Include (DataFilterTableChoiceList) and itself read-only. This is annoying as there is no way to know which tables are excluded.

Of course I can delete the attribute but that is dangerous as I have no idea what the script includes are actually doing, and the attribute could get re-created at upgrade time. I did try deleting the attribute and I can then pick a table that was previously excluded (e.g. Attachment [sys_attachment]), but it's not a workable solution.

It's not beyond the realms of possibility that in certain circumstances you may want to limit access to attachments based on some context, and it can of course be done with ACLs but I'd prefer to use something lower-code. The documentation mentions nothing about allowed tables, and it is not in the list of Table Exclusion [sys_df_table_exclusion] records (nor does the documentation mention Table Exclusions).

Any ideas?

Ratnakar7 · ‎06-19-2023

Hi @Mathew Hillyard ,

The issue you described with inaccessible script includes and the lack of visibility into excluded tables can indeed pose challenges. Here are a few suggestions to address your concerns:

Review the Plugin Documentation: While the documentation may not explicitly mention the allowed tables or provide details on table exclusions, it's still a valuable resource to understand the overall functionality and configuration options of the Data Filtration plugin. Review the available documentation to gather insights and gain a better understanding of the plugin's capabilities.
Reach out to ServiceNow Support: If you're experiencing difficulties with the plugin or need clarification on certain aspects, it's recommended to reach out to ServiceNow Support. They can provide assistance, insights, and guidance on working with the Data Filtration plugin, including any issues you encounter.
Experiment with Customization: Depending on your requirements, you can explore customization options to achieve the desired access restrictions. This could involve building your own solution using ACLs or utilizing other ServiceNow features such as record rules, dynamic filters, or business rules to manage read access.
Consider Alternative Solutions: If the Data Filtration plugin does not meet your specific needs, you may need to explore alternative solutions. This could involve evaluating other plugins, developing custom applications, or leveraging different ServiceNow features that provide the level of control and simplicity you require.

When evaluating any plugin or solution, it's important to assess its suitability for your specific use case, consider the pros and cons, and ensure it aligns with your long-term requirements.

Thanks,

Ratnakar

Mathew Hillyard · ‎06-19-2023

Thanks for your reply.

I'm fully aware of what to do when evaluating a plugin, how to contact Support, what alternatives are available and in my post have already indicated the documentation contains no information.

If anyone has any actual experience with this plugin then feel free to drop a comment; failing that I will of course reach out to my contacts within ServiceNow to see whether this is by design for an as-yet unknown architectural reason, or a source of potential improvement if is unintentional

Kallesh21 · ‎10-31-2023

Hi Mathew ,

Did you find out anything more on this topic, we have a similar requirement to have data filtration on sys_attachment table

Mathew Hillyard · ‎11-02-2023

Nothing more so far. I haven't yet checked whether there are any changes in Vancouver; if not I may ask my contacts at ServiceNow whether there is a specific design reason why the attachment table is excluded.

One other tip: if using Workspaces, don't rely on before query business rules to filter out data as Workspace elements like the sidebar go via a dedicated API and bypass BQBRs, so you will need ACLs or similar to secure attachments.