Explore Data filtration
Summary of Explore Data filtration
Data filtration in ServiceNow allows administrators to control user access to tables and records during read queries based on subject attributes such as roles, groups, or IP addresses. This optional feature works alongside existing Access Control rules (ACLs) by applying a deny-based model that restricts access to records unless they meet specific criteria defined by administrators. It enhances security and simplifies auditing, reporting, and troubleshooting by filtering data according to user attributes.
Key Features
- Data Filters: Grant access based on the values in a record's fields, which determine whether that record is available to a user.
- Subject Attribute Based Condition Builder: Evaluate user roles, groups, subject criteria, or IP network addresses to define access conditions.
- Deny-Based Access: Access to records is denied unless explicitly allowed by Data filtration rules.
- Enforcement Order: Data filtration rules run after database queries but before ACLs during read operations, ensuring denied records are not further evaluated.
- Reporting Integration: Data filtration and ACLs apply when creating list view reports, but not when collecting aggregated data, where Report_view ACLs govern access.
- Session Debugging: Provides tools for administrators to debug and troubleshoot which Data filtration rules apply to user queries.
Components and Configuration
- Data filtration Records: Define rules combining data filters and subject attribute conditions to control table and record access.
- Subject Criteria Records: Specify user attributes like groups, roles, or IP addresses to be used in access decisions. Creating these involves setting up criteria inputs and conditions.
- Criteria Input Records: Contain specific lists or ranges such as user roles, groups, or IP address subnets used for comparison against user attributes.
- Subject Criteria Condition Records: Define how to compare user attributes with criteria inputs, allowing multiple inputs to refine access control precisely.
Practical Benefits for ServiceNow Customers
By enabling Data filtration, administrators gain granular control over data visibility based on user-specific attributes, improving security and compliance. It streamlines audit and troubleshooting processes by clearly defining when and why access is denied. Integration with reporting ensures that data access aligns with security policies during list views, while session debugging aids in resolving access issues efficiently. This feature is especially useful in environments requiring strict data segregation and access governance.
Use Data filtration to control access to tables and records based on subject attributes when performing read queries.
Data filtration is a separate form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filtration denies access to tables and records that do not match subject attributes defined by an administrator. Data filtration is designed to make auditing, reporting, and troubleshooting easier.
This is an optional feature that administrators can activate on their instance.
Data filtration features
- Data Filters
- Use data filters to grant access based on information within a record. Data filters use the values in a table's fields to determine whether a record is available to your users.
- Subject attribute based condition builder
- Use subject attributes to evaluate user role, group, subject criteria, or IP network address.
- Data filtration uses a deny based model
- Data filtration uses a deny based model to control access to records. With Data filtration, your instance denies access to records unless a record meets the criteria defined by Data filtration.
- Data filtration enforcement
- Data filtration rules run after the database query for read operations and are evaluated before ACLs. A record denied by any Data filtration rule will not proceed and be evaluated by ACL rules. Data filtration rule enforcement is consistent with that of read ACLs.
- Data filtration and reporting
- Data filtration and ACLs are both applied only when creating list view reports. Reporting does not apply access control when collecting aggregated data; in this case, neither Data filtration nor ACLs are checked. For aggregated reports, Data filtration works in conjunction with the existing Report_view access control list behaviors. See Report_view access control for further details on configuring these report controls.
- Session debugging
- Data filtration supports session debugging. Use session debugging to see which Data filtration records apply for a given query. Admins can use this information to troubleshoot user access to records.
Components of Data filtration
- Data filtration records
- Create a Data filtration [sys_df_data_filtration] record to grant table access on your instance. The Data filtration record contains the Data filter and Subject attribute conditions described above to limit the scope of the rule and the affected users.
- Subject criteria records
- Subject criteria [sys_df_subject_criteria] records represent specific user attributes you can use to determine whether to grant access with a Data filtration rule. These attributes can be a user's groups, roles, or IP address. To create a subject criteria, you must create the subject criteria record, as well as criteria input and criteria conditions records. For details on this process, see Create subject criteria.
- Criteria input records
- Criteria input records hold the specific lists or ranges (such as user roles, groups, or IP address subnets) that a user's attributes are compared against. Figure 1. Example criteria input for all roles containing admin
- Subject criteria condition records
- Subject criteria condition records define how a user's attributes are compared with one or more criteria inputs, so that several inputs can be combined to refine an access decision. Figure 2. Example criteria condition using the Admins Only criteria input
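The enforcement order described under Data filtration features and the record types listed under Components, modelled as an added JavaScript example. This is not ServiceNow code, a Glide API, or the platform's own evaluator: the users, the incident rows, the criteria inputs, the subject criteria, the way multiple applicable rules are combined (every applicable rule must accept a row) and the read ACL are all constructed assumptions made for the example.

```javascript
// Illustrative model of the page's read-query enforcement order (added example,
// not ServiceNow code or API). Everything below is constructed for the example:
// the users, the incident rows, the criteria inputs, the rule-combination
// semantics (every applicable rule must pass) and the read ACL.

// Constructed subjects: the attributes Data filtration evaluates.
const USERS = {
  alice: { roles: ['itil', 'security_admin'], groups: ['SecOps'], ip: '10.20.5.14' },
  bob:   { roles: ['itil'], groups: ['Service Desk'], ip: '203.0.113.9' },
  carol: { roles: ['admin'], groups: ['Platform'], ip: '10.20.7.2' },
  dave:  { roles: ['employee'], groups: ['SecOps'], ip: '10.20.3.3' },
};

// Constructed rows the database query returns before any access control runs.
const INCIDENTS = [
  { sys_id: 'INC1', short_description: 'VPN down', sensitive: false },
  { sys_id: 'INC2', short_description: 'Exposed credentials', sensitive: true },
  { sys_id: 'INC3', short_description: 'Printer jam', sensitive: false },
];

// IPv4/CIDR helpers for "IP network address" criteria.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Criteria inputs: the value lists or ranges a subject attribute is compared against.
const CRITERIA_INPUTS = {
  adminsOnly: { attribute: 'roles',  op: 'contains', values: ['admin'] }, // like Figure 1
  corpNet:    { attribute: 'ip',     op: 'cidr',     values: ['10.20.0.0/16'] },
  secOps:     { attribute: 'groups', op: 'equals',   values: ['SecOps'] },
};

// Criteria conditions: how a user's attribute is compared with a criteria input.
function conditionMatches(user, inputName) {
  const { attribute, op, values } = CRITERIA_INPUTS[inputName];
  const actual = user[attribute];
  switch (op) {
    case 'equals':   return actual.some(v => values.includes(v));
    case 'contains': return actual.some(v => values.some(needle => v.includes(needle)));
    case 'cidr':     return values.some(cidr => inCidr(actual, cidr));
    default:         throw new Error('unknown operator: ' + op);
  }
}

// Subject criteria: several conditions refined together; all must hold (assumption).
const SUBJECT_CRITERIA = {
  onPremAdmins: ['adminsOnly', 'corpNet'],
  secOpsOnNet:  ['secOps', 'corpNet'],
};
function subjectMatches(user, name) {
  return SUBJECT_CRITERIA[name].every(input => conditionMatches(user, input));
}

// Data filtration rules: a rule applies to users selected by its subject attribute
// condition; those users then see only rows the data filter accepts. Deny-based:
// a row rejected by ANY applicable rule is dropped and never reaches the read ACL.
const DATA_FILTRATION_RULES = [
  { name: 'general users: non-sensitive incidents only', table: 'incident',
    appliesTo: u => !(subjectMatches(u, 'secOpsOnNet') || subjectMatches(u, 'onPremAdmins')),
    dataFilter: r => r.sensitive === false },
  { name: 'off-network users: no incidents', table: 'incident',
    appliesTo: u => !conditionMatches(u, 'corpNet'),
    dataFilter: () => false },
];

// Read ACLs still run on whatever survives Data filtration (constructed example).
const READ_ACLS = { incident: u => u.roles.includes('itil') || u.roles.includes('admin') };

// Simulates a read query: DB rows -> Data filtration -> ACL. The returned trace is
// the kind of information session debugging exposes: which rule denied which row.
function readQuery(userName, table, rows) {
  const user = USERS[userName];
  const trace = { user: userName, deniedByDataFiltration: [], deniedByAcl: [], visible: [] };
  for (const row of rows) {
    const denyingRule = DATA_FILTRATION_RULES.find(
      r => r.table === table && r.appliesTo(user) && !r.dataFilter(row));
    if (denyingRule) {
      trace.deniedByDataFiltration.push({ sys_id: row.sys_id, rule: denyingRule.name });
      continue; // denied here: the ACL is not evaluated for this row
    }
    if (READ_ACLS[table] && !READ_ACLS[table](user)) { trace.deniedByAcl.push(row.sys_id); continue; }
    trace.visible.push(row.sys_id);
  }
  return trace;
}

for (const name of Object.keys(USERS)) console.log(JSON.stringify(readQuery(name, 'incident', INCIDENTS)));
```

Running the script shows the two points the page makes about ordering: bob holds the itil role that the read ACL would accept, yet every row is removed by a Data filtration rule before the ACL is consulted, while dave passes Data filtration (no rule applies to a SecOps member on the corporate network) and is then stopped by the ACL because Data filtration restricts but never grants on its own.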