Before Query business rules

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Before Query business rules

    Before Query business rules are used in ServiceNow to support data segregation within domain-separated environments. They provide supplementary scripting to control access to data by restricting or granting table or row access based on user, group, or domain-specific conditions. However, they are not a substitute for the Domain Separation plugin, which offers more secure and scalable data segregation.

    Show full answer Show less

    Use Cases for Before Query business rules

    • When domain separation is not supported by an application and you need to control access for external customers.
    • When tables are domain-separated but require additional access control based on complex conditions for specific domains or users.

    Key Considerations

    • Script rules to consider user roles, groups, companies, or record fields for access control.
    • Create rules at the lowest possible domain hierarchy level to limit execution scope and improve performance.
    • Always specify conditions under which the rule executes to avoid unnecessary processing.
    • Avoid excessive OR clauses and queries on non-indexed fields to prevent performance degradation.
    • Limit the number of Before Query business rules since too many can impact system performance.
    • These rules run before Access Control Lists (ACLs) and generally perform better, especially in service provider environments with multiple domains.
    • Filtering with Before Query rules is transparent to users, avoiding data security messages that ACLs might generate.

    When Not to Use Before Query Business Rules

    Using both Before Query business rules and ACLs for data segregation can lead to complex customizations that are difficult to maintain and may degrade performance. Domain Separation plugin is the preferred method as it offers built-in scalability, governance, and performance optimizations maintained by ServiceNow teams. Excessive use of custom query rules can slow database performance, especially in multi-customer, multi-instance environments.

    Enabling Domain Separation

    Domain separation is enabled via a ServiceNow plugin managed by product and development teams. Enhancements are delivered through platform releases. Instance owners can access Customer Service and Support resources for assistance with domain separation configuration and troubleshooting.

    Additional Resources

    ServiceNow provides extensive documentation and tools related to domain separation, including setup of domain hierarchies, performance considerations, managing domain-specific use cases, and debugging queries. Customers should consult these resources for comprehensive guidance on implementing and maintaining domain separation effectively.

    You can use a Before Query business rule to help support data segregation on an instance. ServiceNow applications that support domain separation may support the separation of data and data routing only, have advanced business logic separation, or support tenant (customer) level administration of the application.

    A Before Query business rule is supplementary code that you use to support data segregation within domain-separated environments.

    Warning:
    Do not use the Before Query business rule in place of the Domain Separation plugin. This business rule does not prevent data leakage as securely as the plugin.

    Using the Before Query business rule for data segregation

    You can use the Before Query business rule with data segregation in these situations:
    • When domain separation is not supported by a ServiceNow application and you must grant or restrict table or row access to one or more non-internal customers outside of the service provider organization.
      Note:
      Before you begin developing, contact ServiceNow Customer Support about the application roadmap for that product; domain support improvements may be planned for upcoming releases.
    • When a table is domain-separated but access to its rows must be granted or restricted based on certain conditions that apply only to a set of domains in the system.
      Note:
      For example, a customer in the X domain has multiple vendors supporting that domain and those vendors are granted access to see only the records that are assigned to them.

    Points to consider before creating Before Query business rules

    You can script Before Query business rules to prevent parent and child table access based on a combination of user information, group memberships, companies, roles, or record-specific field conditions. Before Query business rules are put into separate domains and created to apply globally, to a specific branch of a domain hierarchy.
    • Where you can, create Before Query business rules at the lowest possible part of the domain hierarchy so that the rule runs only for users that it applies to.
    • Know that there are scenarios in the system where business rules may not run or where a user-triggered interaction may not trigger a business rule to run. For example, a business rule won't run when you have transform maps with Run business rules turned off, or you have scripts with the workflow disabled.
    • Always populate the condition field to specify when the rule runs. For example, you can specify if the business rule applies only to certain vendors in a domain.
      Warning:
      When designing and coding business rules (especially Query business rules), limit OR clauses and searches in non-indexed fields. Too many OR clauses and searches in non-indexed fields can slow queries or affect how your instance performs.

    • Use Before Query business rules only when necessary. Too many Before Query rules can affect how your instance performs.

    Before Query business rules run before access control lists (ACLs) and perform better in general. This is true especially when you limit the returned results to those users in service provider (SP) environments who have access to several domains in the system.
    Note:
    Filtering the data is transparent (unlike with ACLs) to users who do not see the message Data Security restricts…. when interacting with data.

    When not to use Before Query business rules and ACLs

    Be careful when you use Before Query business rules and ACLs to segregate customer data. By using both business rules and ACLs, you create customizations that you then must maintain. Customizations can potentially cause performance issues. Your development teams should create processes to make sure that they don’t break the system.

    Domain separation provides both scalability and governance with the current domain path query method (v3), which is a widely supported framework. The ServiceNow Platform and App teams are responsible for maintaining the framework, taking the burden off the customer.

    For companies with many customers in many instances, excessive use of Before queries and ACLs may cause the database queries not to perform well.

    How domain separation is enabled

    You can enable domain separation with a ServiceNow plugin. A product manager, supported by a development team, manages the functionality. Enhancements and fixes for domain separation functionality are included with ServiceNow releases. Instance owners can consult Customer Service and Support resources, such as the Service Portal, at https://support.servicenow.com for assistance with domain separation.