Data filtration is a separate form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filtration denies access to tables and records that do not match subject attributes defined by an administrator. Data filtration is designed to make auditing, reporting, and troubleshooting easier.

This is an optional feature that administrators can activate on their instance.

Data filtration features

Data Filters

Use data filters to grant access based on information within a record. Data filters use data in a tables field to determine whether a record is available to your users.

Subject attribute based condition builder

Use subject attributes to evaluate user role, group, subject criteria, or IP network address.

Data filtration uses a deny based model

Data filtration uses a deny based model to control access to records. With Data filtration, your instance denies access to records unless a record meets the criteria defined by Data filtration.

Data filtration enforcement

Data filtration rules run after the database query for read operations and are evaluated before ACLs. A record denied by any Data filtration rule will not proceed and be evaluated by ACL rules. Data filtration rule enforcement is consistent with that of read ACLs.

Data filtration and reporting

Data filtration and ACL's are both applied only when creating list view reports. Reporting does not apply access control when collecting aggregated data. In this case, neither Data filtration nor ACLs are checked.

For aggregated reports, Data filtration works in conjunction with existing Report_view access control list behaviors. See Report_view access control for further details on configuring these report controls.

Session debugging

Data filtration supports session debugging. Use session debugging to see which Data filtration records apply for a given query. Admins can use this information to troubleshoot user access to records.

Components of Data filtration