Before Query business rules

  • Release version: Xanadu
  • Updated August 1, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Before Query business rules

    Before Query business rules in ServiceNow support data segregation within domain-separated environments by allowing custom filtering of database queries before access control lists (ACLs) are applied. They are used to grant or restrict access to table rows based on domain-specific conditions, user roles, groups, or other record-specific criteria. However, they do not replace the Domain Separation plugin, which provides stronger data leakage protection and more scalable governance.


    Use Cases

    • When domain separation is not supported by an application but access control is needed for external customers.
    • When domain-separated tables require fine-grained row-level access control within certain domains, such as granting vendors access only to their assigned records.

    Best Practices and Considerations

    • Create Before Query business rules at the lowest applicable domain hierarchy level to limit their scope and improve performance.
    • Always specify conditions for rule execution to avoid unnecessary runs.
    • Limit the use of OR clauses and avoid searching non-indexed fields in these rules to prevent query slowness and performance degradation.
    • Use Before Query business rules sparingly, as excessive use can impact instance performance.
    • Understand that these rules run before ACLs and generally perform better, especially in multi-domain service provider environments.
    • Be cautious when combining Before Query business rules with ACLs, as this can create complex customizations that may cause maintenance challenges and performance issues.
    • Note that some system operations (e.g., transform maps with business rules disabled) may bypass these rules.

    Why It Matters

    Before Query business rules enable customized, domain-aware data filtering that supports complex access scenarios not fully handled by standard domain separation. They help ensure users see only the data they are authorized to access, improving data security and compliance within multi-tenant or service provider instances.

    Domain Separation Plugin

    For robust data segregation, ServiceNow provides a Domain Separation plugin that is maintained and enhanced with platform releases. This plugin offers a scalable and secure framework for domain-based data and logic separation, reducing the need for extensive custom Before Query business rules and ACLs.

    Next Steps for Customers

    • Before implementing Before Query business rules, consult with ServiceNow Customer Support regarding the roadmap and domain separation capabilities of your applications.
    • Evaluate if domain separation plugin functionality meets your data segregation needs before resorting to custom business rules.
    • Follow best practices to design efficient, maintainable Before Query business rules if needed.
    • Monitor performance impacts and maintain clear documentation of customizations involving domain separation.

    You can use a Before Query business rule to help support data segregation on an instance. ServiceNow applications that support domain separation may support the separation of data and data routing only, have advanced business logic separation, or support tenant (customer) level administration of the application.

    A Before Query business rule is supplementary code that you use to support data segregation within domain-separated environments.

    Warning:
    Do not use the Before Query business rule in place of the Domain Separation plugin. This business rule does not prevent data leakage as securely as the plugin.

    Using the Before Query business rule for data segregation

    You can use the Before Query business rule with data segregation in these situations:
    • When domain separation is not supported by a ServiceNow application and you must grant or restrict table or row access to one or more non-internal customers outside of the service provider organization.
      Note:
      Before you begin developing, contact ServiceNow Customer Support about the application roadmap for that product; domain support improvements may be planned for upcoming releases.
    • When a table is domain-separated but access to its rows must be granted or restricted based on certain conditions that apply only to a set of domains in the system.
      Note:
      For example, a customer in the X domain has multiple vendors supporting that domain and those vendors are granted access to see only the records that are assigned to them.

    Points to consider before creating Before Query business rules

    You can script Before Query business rules to prevent parent and child table access based on a combination of user information, group memberships, companies, roles, or record-specific field conditions. Before Query business rules are put into separate domains and created to apply globally or to a specific branch of a domain hierarchy.
    • Where you can, create Before Query business rules at the lowest possible part of the domain hierarchy so that the rule runs only for users that it applies to.
    • Know that there are scenarios in the system where business rules may not run or where a user-triggered interaction may not trigger a business rule to run. For example, a business rule won't run when you have transform maps with Run business rules turned off, or you have scripts with the workflow disabled.
    • Always populate the condition field to specify when the rule runs. For example, you can specify if the business rule applies only to certain vendors in a domain.
      Warning:
      When designing and coding business rules (especially Query business rules), limit OR clauses and searches in non-indexed fields. Too many OR clauses and searches in non-indexed fields can slow queries or affect how your instance performs.
    • Use Before Query business rules only when necessary. Too many Before Query rules can affect how your instance performs.

    Before Query business rules run before access control lists (ACLs) and generally perform better. This is especially true when you limit the results returned to users in service provider (SP) environments who have access to several domains in the system.
    Note:
    Unlike with ACLs, filtering the data is transparent to users, who do not see the message Data Security restricts… when interacting with data.
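
    Added example, not ServiceNow's own code: the vendor scenario above written as a Before Query rule body, with an early exit that plays the part of the Condition field and a single AND condition on one field. The role name x_vendor_user, the choice of assigned_to, and the mockQuery/mockGs stand-ins that let it run outside an instance are assumptions; addQuery, gs.hasRole and gs.getUserID are the platform calls.

```javascript
// Added example. Assumptions: role name, field choice and the mock objects.
// In an instance, the body of vendorBeforeQuery goes inside the rule's
// (function executeRule(current, previous) { ... })(current, previous);
// wrapper, on a rule with When = before and Query selected, created in the
// lowest domain that contains the vendor users.
var VENDOR_ROLE = 'x_vendor_user'; // hypothetical role granted to vendor users

function vendorBeforeQuery(current, gs) {
    // gs.hasRole() is also true for admins, so exempt them explicitly;
    // otherwise admins would be filtered like vendors.
    if (gs.hasRole('admin')) {
        return false;
    }
    // Plays the part of the Condition field: do nothing for non-vendors.
    if (!gs.hasRole(VENDOR_ROLE)) {
        return false;
    }
    // One AND condition on one field (assumed indexed), no OR clauses.
    current.addQuery('assigned_to', gs.getUserID());
    return true;
}

// Constructed stand-ins for GlideRecord and GlideSystem so the logic runs
// outside an instance; they record what the rule adds to the query.
function mockQuery() {
    var conds = [];
    return {
        conds: conds,
        addQuery: function (field, value) { conds.push(field + '=' + value); }
    };
}

function mockGs(userId, roles) {
    return {
        getUserID: function () { return userId; },
        hasRole: function (role) {
            return roles.indexOf(role) !== -1 || roles.indexOf('admin') !== -1;
        }
    };
}

// Runs the rule for a constructed user and returns what was added.
function demo(userId, roles) {
    var query = mockQuery();
    var applied = vendorBeforeQuery(query, mockGs(userId, roles));
    return { applied: applied, conds: query.conds };
}

console.log(demo('vendor_sys_id', [VENDOR_ROLE]));
```

    The filter is applied only where business rules run, so the cases listed above (transform maps with Run business rules turned off, scripts with the workflow disabled) return unfiltered rows.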

    When not to use Before Query business rules and ACLs

    Be careful when you use Before Query business rules and ACLs to segregate customer data. By using both business rules and ACLs, you create customizations that you then must maintain. Customizations can potentially cause performance issues. Your development teams should create processes to make sure that they don’t break the system.

    Domain separation provides both scalability and governance with the current domain path query method (v3), which is a widely supported framework. The ServiceNow Platform and App teams are responsible for maintaining the framework, taking the burden off the customer.

    For companies with many customers in many instances, excessive use of Before Query business rules and ACLs may cause database queries to perform poorly.

    How domain separation is enabled

    You can enable domain separation with a ServiceNow plugin. A product manager, supported by a development team, manages the functionality. Enhancements and fixes for domain separation functionality are included with ServiceNow releases. Instance owners can consult Customer Service and Support resources, such as the Service Portal, at https://support.servicenow.com for assistance with domain separation.