We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

How to restrict a report data to only assigned to user except few individuals?

The Matrix
Tera Contributor

Hi all,
I have created a report on the asmt_assessment_instance_question table. My requirement is to restrict report visibility so that users can view only the records assigned to them. However, a few specific users should be granted access to view all records.

What would be the best approach to implement this requirement?

2 REPLIES 2

Chaitanya ILCR
Giga Patron

Hi @The Matrix ,

 

you can create ACLs read for read restrictions. if you just want restrictions on the reports use "report view" operation and create the acl.

you can also use the query BR.

 

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

Vikram Reddy
Tera Guru

Hi @The Matrix,

 

I'm assuming you need actual row-level filtering on the data, not just control over who's allowed to open the report, because those are two separate mechanisms in ServiceNow and it's easy to reach for the wrong one.

Rule out report_view ACLs first. Those are the ACLs that govern visibility of a report or a field inside report_view context, and they only support role-based restrictions, no scripts, no advanced conditions. So you literally cannot express "assigned to me except these five people" inside one. What you actually want is a Security Data Filter (the feature that replaced the older Data Filtration plugin, com.glide.data_filtration, in earlier releases) applied on the table itself. That enforces the restriction everywhere the table is queried, lists, reports, exports, not just this one report.

Before you configure it, a few things worth checking specifically on this table:

  • assigned_to doesn't actually sit on asmt_assessment_instance_question, it lives on the parent asmt_assessment_instance table and gets reached through the instance reference field, so your filter condition needs to target instance.assigned_to, not a field on the question table itself.
  • dot-walked fields off instance have known display quirks on this table (instance.trigger_id, for example, doesn't reliably show in list view even when added as a column), so verify your condition actually filters a real list, don't trust the filter builder preview alone.
  • Security Attribute Condition is how you carve out the exception users. Set the filter mode so it applies unless the attribute condition is met, and back that attribute with a role assigned only to the handful of people who need to see everything.
  • Impersonate a restricted user and an exception user once it's built, admins bypass most of this by default so testing as yourself proves nothing.

If restricted users start seeing a "Rows removed by security constraints" note on the report, that's the filter doing exactly what it's supposed to, not a bug you need to chase down.

 

Thank you,
Vikram Karety
Octigo Solutions INC