I'm evaluating the Data Filtration plugin (on a Tokyo and also a Utah instance) to see whether it can take the place of ACLs for simple read access that's easier to manage. I seem to have hit a brick will with the Data Filtration record. The "Table" field has filtering applied to it via an attribute that calls Script Include DataFiltrationTableList, whose process() function in turn calls an inaccessible Script Include (DataFilterTableChoiceList) and itself read-only. This is annoying as there is no way to know which tables are excluded.

Of course I can delete the attribute but that is dangerous as I have no idea what the script includes are actually doing, and the attribute could get re-created at upgrade time. I did try deleting the attribute and I can then pick a table that was previously excluded (e.g. Attachment [sys_attachment]), but it's not a workable solution.

It's not beyond the realms of possibility that in certain circumstances you may want to limit access to attachments based on some context, and it can of course be done with ACLs but I'd prefer to use something lower-code. The documentation mentions nothing about allowed tables, and it is not in the list of Table Exclusion [sys_df_table_exclusion] records (nor does the documentation mention Table Exclusions).

Any ideas?