Content security in AI Search
AI Search filters search query results and displays only records that the currently logged in user can access.
Content security is automatically enabled and isn't configurable.
Indexed security features
- Role-based field-level access control list rules (ACLs)
- Non-scripted conditional ACLs
- Scripted table-level ACLs
- Before Query business rules
- Domain separation
- User criteria for records indexed from the Knowledge [kb_knowledge] and Catalog Item [sc_cat_item] tables
AI Search doesn't support scripted field-level ACLs or conditional field-level ACLs.
Early and late binding security implementations for search queries
At query time, AI Search filters search results by evaluating user access to indexed tables and records. The filtering implementation used depends on the security features present on tables and records that match the search query.
| Content security implementation | Description |
|---|---|
| Early binding | Default content security implementation that incorporates security filters into the search query.
The system adds relevant security filters for the user to each search query. To appear in the search results, records must match the search query and pass all security filters. Early binding security supports non-scripted ACLs, Before Query business rules, and domain separation, plus user criteria for records indexed from the kb_knowledge and sc_cat_item tables. If a search matches records that have table-level scripted ACLs, the search query automatically falls back to use late binding security. 주: If an early binding filter produces an error, the search query automatically falls back to use late binding security. |
| Late binding | More computationally expensive alternate content security implementation that post-filters search query results.
The system applies security filters to the search query just as early binding security does. After retrieving records that match the filtered query, it invokes the GlideRecord.canRead() method for each record. To appear in the search results, records must match the search query, pass all security filters, and return true for the API method. Late binding security supports all indexed security features. By default, late binding security serves as a fallback mechanism for early binding security. You can override this default behavior in the following ways:
If AI Search applies late binding security to any results from an indexed source used by a facet, the list of available filter selections for the facet changes. When this happens, the facet only displays field values found in the current page of search results. For details on facets, see Create a facet in an AI Search application configuration. When you enable search result counts for facets in a search application, the counts indicate the number of results that matched the user's search. Late binding security can remove results after they’re counted, causing the actual number of displayed results to be lower than the count. For more information on search result counts for facets, see Show search result counts for facets on the results page for a search application. |
Content security for external content
AI Search preserves access permissions when ingesting external documents. You can alias ServiceNow AI Platform users to the externally defined users and groups specified in these access permissions. AI Search constructs content security filters for external document records from these permissions and aliases.
To learn about using AI Search with external data sources, see Indexing and searching external content in AI Search. For full details on external content security, see External content security for AI Search.