Exploring Data filtration

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Data filtration

    Data filtration in ServiceNow Yokohama release enables administrators to control access to tables and records based on user subject attributes during read queries. It complements existing Access Control rules (ACLs) by denying access to records that do not meet defined subject criteria, enhancing security and simplifying auditing, reporting, and troubleshooting. This feature is optional and can be activated as needed.

    Show full answer Show less

    Key Features

    • Data Filters: Grant access based on values within a record’s fields to control visibility.
    • Subject Attribute Based Condition Builder: Use user attributes such as roles, groups, or IP addresses to define access criteria.
    • Deny-Based Model: Access is denied by default unless records meet the filtration criteria.
    • Enforcement Order: Data filtration rules are applied after database queries but before ACLs for read operations. Records denied by Data filtration do not proceed to ACL evaluation.
    • Reporting Behavior: Both Data filtration and ACLs apply to list view reports, but aggregated reports bypass these controls. Data filtration integrates with existing Reportview ACLs for reporting security.
    • Session Debugging: Supports debugging to identify which Data filtration rules apply to queries, aiding administrators in troubleshooting access issues.

    Components and Configuration

    • Data Filtration Records: Define table access rules combining Data filters and Subject attribute conditions to specify affected users and data scope.
    • Subject Criteria Records: Represent user attributes such as groups, roles, or IP addresses used to grant access. Creating these involves setting up criteria input and condition records.
    • Criteria Input Records: Contain specific attributes like lists of roles or IP ranges against which user attributes are compared.
    • Subject Criteria Condition Records: Define how the comparison between user attributes and criteria inputs is performed and can combine multiple inputs to refine access control.

    Practical Benefits for ServiceNow Customers

    Activating Data filtration allows ServiceNow administrators to implement granular, attribute-based access controls that go beyond traditional ACLs. This improves data security by ensuring users only access relevant records, streamlines compliance and auditing processes, and enhances troubleshooting with built-in session debugging. The flexibility to configure detailed criteria based on user roles, groups, or network location supports diverse organizational policies and reporting needs.

    Use Data filtration to control access to tables and records based on subject attributes when performing read queries.

    Data filtration is a separate form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filtration denies access to tables and records that do not match subject attributes defined by an administrator. Data filtration is designed to make auditing, reporting, and troubleshooting easier.

    This is an optional feature that administrators can activate on their instance.

    Data filtration features

    Data Filters
    Use data filters to grant access based on information within a record. Data filters use data in a tables field to determine whether a record is available to your users.
    Subject attribute based condition builder
    Use subject attributes to evaluate user role, group, subject criteria, or IP network address.
    Data filtration uses a deny based model
    Data filtration uses a deny based model to control access to records. With Data filtration, your instance denies access to records unless a record meets the criteria defined by Data filtration.
    Data filtration enforcement
    Data filtration rules run after the database query for read operations and are evaluated before ACLs. A record denied by any Data filtration rule will not proceed and be evaluated by ACL rules. Data filtration rule enforcement is consistent with that of read ACLs.
    Data filtration and reporting

    Data filtration and ACL's are both applied only when creating list view reports. Reporting does not apply access control when collecting aggregated data. In this case, neither Data filtration nor ACLs are checked.

    For aggregated reports, Data filtration works in conjunction with existing Report_view access control list behaviors. See Report_view access control for further details on configuring these report controls.

    Session debugging
    Data filtration supports session debugging. Use session debugging to see which Data filtration records apply for a given query. Admins can use this information to troubleshoot user access to records.

    Components of Data filtration

    Data filtration works using the following record types:
    Data filtration records
    Create a Data filtration [sys_df_data_filtration] record to grant table access on your instance. The Data filtration record contains the Data filter and Subject attribute conditions described above to limit the scope of the rule and the affected users.
    Subject criteria records
    Subject criteria [sys_df_subject_criteria] records represent specific user attributes you can use to determine whether to grant access with a Data filtration rule. These attributes can be a user's groups, roles, or IP address. To create a subject criteria, you must create the subject criteria record, as well as criteria input and criteria conditions records. For details on this process, see Creating subject criteria.
    After creating a subject criteria records, you can apply them to a rule. This is done on the Subject Condition tab of your Data filtration rule.
    Criteria input records examples
    Figure 1. Example criteria input for all roles containing admin
    Example criteria input for all roles containing admin
    Criteria inputs [sys_df_subject_filter_criteria_m2m] are records that contain criteria to compare with the user. This can be a list of user groups or roles, an IP address range, or an IP address subnet. These records are used along with subject criteria condition records to evaluate against a user's groups, roles, or IP address to determine access to a table or it's records.
    Subject criteria condition records
    Figure 2. Example criteria condition using the Admins Only criteria input
    Example criteria condition using the Admins Only criteria input
    Use subject criteria condition [sys_df_subject_criteria_condition] records to define how to compare user attributes with the roles, groups, or IP addresses defined in you criteria inputs. You can use multiple criteria inputs in a single subject criteria condition to further narrow down access to your records.