ServiceNow new in Tokyo - Data Filtration

 - these work in conjunction with ACLs, however they are executed BEFORE the ACLs

- data filtration is a 'deny' principle whereas ACL a 'grant' principle

- data filtration reduces the need for scripting

- they run AFTER before query business rules

- will still see the 'removed due to security contraints' message unfortunately

- requires security_admin role just like ACLs but there is no admin override feature

- specific to scoped app it's defined in (might not have access to certain global/other app tables if defined in a scoped app)

- key design criteria: machine enforceable and human readable (so improves on ACLs)

- declarative option over scripted option reduces technical debt

- No ACL will grant you access that a data filtration has already taken out

- may need to install the 'data filtration' plugin as not installed by default yet on Tokyo version

- remember to elevate privilege to security admin first

https://www.youtube.com/watch?v=UsjbPMHVs7U

(ServiceNow )

(full video transcript:

0:01

[Music]

1:02

good morning good afternoon good evening wherever you are and whenever you are welcome to creator toolbox this is the

1:09

show that helps you put tools into your toolbox to be a better service now i'll get this out servicenow

1:15

developer or administrator the wonders of live streaming there's no redo

1:22

my name is chuck tobasi senior developer advocate at servicenow i'm going to

1:28

let's do some intros going that way to earl hi everyone i am earl duque i am a

1:33

servicenow developer advocate and i've been with the team for about a year now and before that i was in a lot of higher

1:39

ed customers doing development work and i'll kick it off to scott hey everyone my name is scott kaufman

1:46

i'm a product manager in platform security so i'm actually the product manager of data filtration

1:51

i've been with servicenow for nine years going on nine years and had a customer for eight more years before

1:57

that so i'm very familiar awesome and i'm laura mcmahon it's nice

2:03

to meet y'all i am the newest member of the developer advocate team and i've worked at service now i just had my uh

2:09

five year anniversary so very excited to still be here and very excited to hear about data filtration today

2:16

and i didn't do much of an intro for me but uh i've been here since mid-2010 at

2:22

servicenow as a customer for a couple of years before that and a long long resume of erroneous information before that

2:29

but enough about us thank you for joining we are going to be talking about data

2:35

filtration one of the new features in tokyo not just talking about it but demonstrating it as well

2:41

i've built out a scenario but i want to i want to frame this up of what data filtration is

2:48

it's it's it's a way to provide a declarative way uh to protect high value data

2:55

because in many of the high security environments finance

3:01

uh federal that kind of thing the auditors don't allow scripting and they they

3:07

weren't really living up to their regulatory requirements and they were getting some compliance issues so this is our way to

3:14

help address that it it provides not only access to the data like at acl

3:20

but it also provides in access to what we call the subject criteria or the

3:27

user's environment whether that's the ip address or what groups you belong to

3:32

which obviously helps reduce scripting now data filtration complements acls

3:39

it runs before the acls so you have to pass a data filtration rule if it's

3:45

there before you get to all the other acl checks now whereas acls are an allow operation

3:53

and scott's going to correct me if i'm saying anything out of order here this is why he's here to make sure you

3:58

know that we're saying what we really heard uh in our appropriate training

4:04

acls are a grant base you you allow access to something

4:09

data filtration works in reverse it's a deny it's still it still has a condition

4:15

part that you need to correct and we'll show this to you in the demo it has to be true to pass and then

4:21

you get the filter almost like a funnel if you will

4:26

what i miss these are post query operations like acls one of the questions for acls but after still

4:32

possible before acls but after

4:38

before query business rules yes wow there's a whole lineup of things we got to keep track of now

4:46

uh we do have something on the roadmap that we'll share for later of where we're headed

4:52

with that uh one of the questions in tech now was does this get rid of that annoying message at the bottom of the

4:57

screen that says you know so many records are removed due to security constraints the answer is no we will still see that in the demo that we've

5:04

got here let me oop i skipped ahead on my notes

5:10

uh quick reminders and i'll get this in the demo as well but it does require the

5:15

security admin role just like acls you are configuring security rules and who can

5:21

see what so you do need that elevated security there is no admin override we'll also

5:28

see that because my chuck tomasi account on this particular pdi

5:34

it has admin access but you're going to see these data filtration rules apply to my account because i don't satisfy some

5:40

of the conditions that we've set up it's also at the table level or the record level

5:46

you can't get granular down to the fields so you're filtering out or

5:53

filtering those records before that um

5:58

and if you are creating these just like acls it does respect scopes so if you're

6:04

creating them put them in a scope and you'll notice on ours we will be doing this in a scoped app the table list is

6:10

filtered to just those scoped apps so if i'm configuring a a data filtration rule

6:16

for my app my scoped app i don't have access to things like sysuser or sysuser group

6:24

or task or cmdbci you won't see those it is specific to my application

6:30

any further notes earl uh a clarity a clarification security

6:37

admin is required to do create re uh update and deletion of records but with

6:42

admin you can still read records you can read correct same same basic outline as acls

6:49

turning to mr wizard scott any any words before we jump into our story here yeah

6:54

i i think i'll kind of um one of the things to understand is is kind of the order of operations when it comes to

7:00

accessing data um i think i'll touch on a few of the the high level points there's a whole lot of

7:07

nuances that go and go on in each step but once you get past the authentication point you know the step that we go

7:14

through to determine you are who you say you are um then you go and you say i want to see this data let's just say i want to see

7:20

all incidents um so there's a there's a series of things that happen there's there's some pre-query activities um what most people

7:27

are familiar with is you know before query business rules or query business rules however you want to call them um

7:33

and then there's a lot of database stuff happening behind the scenes one of the things and this kind of this kind of

7:38

goes into explaining a little bit more about the security constraints error and why we see these things in in security

7:44

that's happening after the query um if you show me if you say i want to see all incidents

7:49

and there's a million records in that table we fetch all million records

7:55

and um because of some efficiency requirements we actually uh we actually

8:00

paginate we do uh total record count calculations we do pagination

8:05

calculations because those are all very resource intensive activities and uh the database does those really well

8:12

if you did it after the database it would be a lot slower and performance would be

8:17

not anywhere near where it is now so you imagine we have these million records that we've paginated now we've done some

8:23

pagination calculations then we get handed off to other things um like access handlers and whatnot now

8:31

we have data filters coming into play so we're evaluating the data we're evaluating who you are and and making a

8:38

determination of whether you're allowed to see certain data subset of data or all that data in that million records

8:44

and then we hand it off to acls so within that order there's some artifacts

8:50

as a result of that some of the benefits is for example you mentioned um data filters runs before an

8:57

acl the the value there is um because acls are an allow model it's a bunch of ores

9:04

um if you have 10 acls that determine some you know criteria some scope of data access and then 11th one can come

9:11

along and give access to more than the previous 10 has already you know gives you access to

9:17

it's a it's a it's a downside of something that makes acl so great unfortunately

9:23

but it causes some headaches for people that are trying to really secure high value data um so data filters is kind of

9:30

designed to target you know high value data and know that there's no acl afterward that's going to come along and

9:37

give access to it because what's been handed to acls is that has already been removed so there's nothing to add

9:42

anymore um we're trying to prove upon this as well so that that order you know data filters happening after the query but

9:49

before acls we actually are gonna our focus is on getting data filters to happen before the query so we've built

9:55

um a query augmenter so the notion of taking a query that goes before it goes to the database we actually can

10:02

intercept it now and we can decorate it with conditions um and do that very performantly

10:08

we are running into some you know challenges that kind of you know slow that process but that's kind of the direction we're headed and ultimately

10:15

what happens then is that chunking the the pagination of those million records if data filters

10:20

and acl starts removing things after the query that that pagination becomes inaccurate

10:26

and that's where you get the security constraints error and the pages unfortunately that have you know numbers

10:31

that that vary if there's been records filtered out by moving data filters before the query

10:36

um we are now removing data um before that pagination process occurs

10:41

so if if you're only supposed to see you know a hundred thousand of the million records there's only going to be a

10:48

pagination on the 100 000 records not the million records that eventually goes to acls

10:53

so that kind of gives you some insight into kind of the whole you know life cycle of you know accessing data and the order of things and you know what

10:59

artifacts you know are a result of that and what we're trying to change do we know when that would be expected

11:06

the moving data filtration to before query uh we don't um

11:11

we we're we're yeah we're so with data filters we actually are touching on an area that um

11:18

we haven't we haven't needed to touch in i don't know how long i mean we're creating a new you know data control

11:24

like ecl's existed since the beginning of time and so we're we're uncovering some areas where we can make

11:31

improvements on that we didn't need to before um we're discovering some new things about the platform um that we can

11:37

change to make improvements everywhere as because we're understanding this these operations that are happening and

11:42

where the bottlenecks are um but we're we're looking at probably two releases

11:48

um before we can really crack that that problem i know a lot of people will be excited

11:54

when that comes out especially i mean you and me writing before query business rules are not fun you know yeah the scripting

12:02

gets really complicated and it adversely affects the rest of the platform like right exporting and they're 100 scripted

12:07

which is another problem i think the key word for data filtration is that it's declarative and

12:13

that's why uh regular regulatory auditors are um accept

12:18

declarative statements because it's so much easier to build when it's when it's easy to describe kind of yeah

12:24

unexpected and there's no one-offs from the script or something like that that's i'll be excited when

12:30

that comes out too yeah go ahead key design criteria was you

12:36

know machine enforceable and human readable uh that's just kind of the the basis of

12:42

of any sort of security that is is fully auditable and and today with acls that's

12:47

not that's not the case yeah and anytime you've got a declarative option versus a scripted

12:54

option take the declarative one it uh it really reduces that technical

12:59

debt and your future self and your people who come after you will thank you for it i don't know how

13:06

many times i've walked into someone else's application or integration or situation and going

13:12

this is a lot of script to unwind as opposed to going into some records and saying i can read this condition it's

13:18

very easy to figure out i'll point out in some areas when we kind of get into the demo um

13:24

you know why uh you know declarative is is great and we can and where we'll

13:29

start expanding and where we're focused on expanding to kind of you know accommodate more capabilities yeah but

13:34

you'll see why using data filters now is still advantageous because you'll start inheriting some new stuff as we bring it

13:39

along well good segue what do you say we do a quick screen share earl i'm going to

13:46

bring up my scenario i can't see you guys so you gotta tell

13:51

me when it's ready it's ready okay uh we've got three personas that we're gonna be using hubble tudor he's our

13:58

regional director i've created an application to control stores

14:04

there are 800 and what did we say 31 records in here so we've got some demo data that we can

14:09

work with in various regions various countries each has an id we've got some

14:15

rules that we want to apply for various sections of these ids like the lowest 1000 from 1000 to 1999 is special

14:23

and secure we're going to put some data filtration rules around that uh and notice that abel and dennis don't have

14:32

any roles this is a situation you may run into i've got groups but the groups

14:37

don't necessarily have a role attached to them don't ask me what that means for licensing i'm not going to even try to

14:43

comprehend it let alone answer it today if you want to know more about licensing my standard disclaimer applies go talk

14:48

to your account account manager and they can help you now i have no groups but i do have the

14:55

admin role kids don't do this at home always assign roles through groups this was only done for demo purposes

15:03

so let's take a look at this here's my list of store 813 i transpose two numbers

15:09

sorry 813 records some are active some aren't they all have an id they're in

15:14

various countries there's even some additional information inside

15:19

the record that has you know an ip address i don't know what even that means but and a code

15:26

maybe that's some sort of backdoor hacker security code demo data random demo data it's not significant to

15:33

anything but this will help us tell our story so in

15:38

our our first scenario uh let me just also show you that i have

15:44

dennis's record here dennis is logged in he sees the same 813

15:49

and abel also has the same 813. we can see that down in the bottom

15:56

okay nothing special going on the acls at this point are pretty much wide open it's

16:02

you can read if you have public access so that goes back to what scott was saying

16:09

that no acl will grant you access that a data filtration rule has already taken

16:14

out and we'll see that in a second now the first scenario is is this first

16:19

thousand you see they're red they're red they're red and then they stop being red

16:25

okay that means something to somebody and according to the requirement i got is

16:31

admins should only be able to see those records they're special in some way i don't know what that is but only people

16:37

with the admin role should see these and yes you could secure this with an acl

16:43

but we're here to show you data filtration rules and then i'll show you some of the things you can do easily

16:49

with data filtration that you can't do with an acl as easily or without script

16:55

so let's start by going to oh should also mention we did enable a plug-in called data filtration

17:02

i thought it would scott correct me if i'm wrong but i thought that was on by default for new instances or was it

17:08

upgrades um no it's in in tokyo we made the decision to not make it on by default

17:16

okay we wanted people to opt into it because of this this you know it's it's kind of an mvp product at this point oh

17:23

sure great way to put it too i love that the um so you do have to turn it on if you

17:29

choose this is a great place to do it on your personal developer instance go to developer.servicenow.com

17:35

and get yourself a free pdi and then you can use it as a sandbox before you start exploring this in your

17:43

subprod and broad instances in your organization so once you have it turned on you will see

17:49

the data filtration menu which has data filtration records that's where we're going to be defining our

17:55

rules we've also got three more here ipfilter criteria role filter criteria and group

18:01

filter criteria we'll explore that in a little bit but these allow you to create

18:06

uh more involved and reusable components to the data filtration records is that a

18:12

fair assessment scott yeah yeah and then finally you can use a combination of these

18:19

as a subject criteria and interestingly enough i discovered that subject criteria uses

18:26

decision tables underneath like yeah you go to edit a certain part like the decision builder pops up that was kind

18:33

of fun table exclusions is exactly what it sounds like it says i am not going to

18:38

let you see or modify or do anything with these tables you can add to these tables if

18:45

you like so back to data filtration records let's

18:50

create a new one what's the first thing i need to do earl okay remember you must have security

18:57

admin so you got to escalate yourself yes and we won't turn this into a drinking game

19:05

how many times does chuck forget

19:10

there we go now i have a new button if you don't see the new button you don't have security admin that's your clue

19:16

so rule number one pick your table and it will happen to everyone it will happen it has happens

19:23

everybody anyway for acls notice that i only have one table if you are going where are my other

19:30

tables if you say show notice that we have a table choice script that does what it's

19:36

supposed to and says this is what i'm going to show you in this table field so i'm going to pick my store table

19:44

and it is active just like most records in the system you can still keep it just

19:49

make it deactive try not to delete things cascading means if you set one of these

19:56

data filtration rules on a parent class such as task this will apply to all the records in

20:02

the extended tables incident change problem i would i use that one because it's

20:08

easier than going through several cmdb examples let's give it a nice friendly

20:13

description special low numbers for admins only

20:20

uh scott i also discovered that description is only 40 characters so it's not even a

20:27

short description it's a shorter description oh wow okay we might want to look at that

20:33

i think that's in a couple of places it might be on the subject criteria as well all right i had a lot of fun going

20:38

through everything we discovered lots of stuff this is you know patch zero this is the first

20:45

release of the first release of the mvp okay we've got data filter these are the

20:51

two important sections here data filter and subject condition

20:57

if it were me designing this form i probably would have reversed these because i tend to think of them in the

21:02

reverse order like if this then that but

21:07

you do what you want to do i think that the idea here was we wanted to

21:14

continue some familiarity with acls which is really focused on the data first ah okay

21:20

i can but behind that you might see some you might see some design you know user experience changes around this because

21:27

we are very concerned about fragmentation of features so there is some consolidation on the

21:34

horizon here as well nice so let's do our

21:40

condition here we want to only show where the id

21:48

is between uh this is something you definitely would have to script for in an acl

21:57

1000 and 1999 right easy enough i'm

22:02

getting a little concerned so i save off and save early that's what i want to show if you meet

22:09

these conditions before you jump to that go back to the data filter absolutely

22:14

two things here one is that the going back to the cascading as it relates to the conditions

22:20

so if you're on the task table for example and you want to cascade this down to all table extensions it's

22:27

important to understand that the the conditions available to you are only on the table that you selected so you're

22:33

not going to see incident specific conditions even though you're cascading this in down into the to potentially

22:39

into the incident table so the the ids are of the table you selected in the in the actual table

22:45

field good point um so if you do need to have an incident specific field as part of your condition you would need to

22:51

create a data filter at the incident table level i see it the drop down doesn't have the

22:58

extended fields option then i'm assuming right it has it has show related fields

23:03

even though oh no i guess it doesn't on this one yeah just on the on a regular on the on different interfaces it's the

23:10

show extended fields to be able to do that additionally but in this in data

23:15

filtration you would want to build it in a different record yeah so like cascading in order to do that it would have to collect all the

23:22

fields across all the tables and then you start causing potential issues where

23:27

an incident specific field is not in the task table and so how does it interpret that and enforce it properly

23:33

the whole point is trying to be declarative and if you have a billion filters on one data filtration

23:38

maybe you need to re-look at how you do data possibly yeah the other thing to point out is similar to acls that we have that preview button

23:46

next to data condition um and that's an easy way to see what records match the criteria

23:53

and then also um uh it will allow you to click on the

23:58

actual record match count and view the preview those records

24:03

i was wondering okay condition builder equals v2 attribute is what puts up the nice preview button instead of the

24:09

little circley circley thing gotcha yeah all right you you you

24:15

definition fields when you use these three [Laughter] thank you so many times we've created

24:21

condition fields without readable equals true and i'm so annoyed when i see a code yeah in the list

24:26

so now you can actually see the records themselves by clicking on it it's just like acls but that's awesome yeah i mean if we do that you'll see

24:34

right there there's our data condition it actually reads instead of you know this encoded query let's go back in

24:40

there and set our subject condition so step two is what do i need

24:46

in order to see that according to what i said before the user needs to have the admin role

24:52

so i use the chooser here again and i've got the ability to look at network criteria

25:00

could be something i've built or could be yeah no that has to be something i built in that network criteria list

25:06

or group or role or subject criteria subject criteria subject group and

25:13

subject role apply to what i am i am the subject in this

25:19

so let's make it easy and say subject role is admin

25:26

easy enough this is now live

25:32

what do you say we go look favorites ungrouped stores i am admin i see

25:40

everything below one thousand hooray there's two thousand six at the bottom of the list below two thousand

25:46

the follow two thousand thank you in the one time if it starts with a one i win now let's refresh dennis's list

25:53

and haha can't see those and he starts counting at 2006

26:00

and then from there on it's pretty much what you would expect sounds a lot honestly that's a lot

26:06

easier to configure than an acl and abel should be the same way

26:11

right minus 50 minus 48 there's the other two

26:16

yeah that wasn't too bad pretty straightforward what do you say we do another one

26:22

okay i have another requirement uh only show

26:28

these ams records like this one if you are in the ams

26:33

support group okay again you would have to resort to scripting with an acl for something like

26:39

this we're going to do it of course with data filtration so i have a favorite for my rules

26:46

let's create a new one again on the store table well dynamic filters would be able to do

26:53

it in the condition builder for nacl uh yes you could you're right you're

26:59

right so our data filter is going to be

27:05

if the support group is

27:12

store ams support that's what i'm going to show you and that would give me 19 records or take

27:19

away 19 records from my list and the subject condition

27:25

is going to be this time subject group

27:31

is ams support now i did hear a question on another

27:38

video that said can i do show me all of my groups and this is not a

27:45

dynamic filter it just has an is operator and this

27:51

does have a dynamic filter which you could do here so i'd be saying if i was in the ams

27:58

group show me all of the records for all of my groups which might be a little too

28:04

broad so you got to think closely about that recognizing that let's go back to my

28:10

original one just because it will stay on script this doesn't have any more conditions

28:16

for the groups than just ears there isn't is one of or is dynamic

28:22

yet should i say scott yeah possibly let me touch on that for sure

28:27

um it's something to kind of peel apart a little bit and understand um

28:32

so you have to imagine that uh we are building something that

28:38

is uh potentially being called in every transaction yeah

28:44

as you add more data filters we're talking about high transaction um part of the the system

28:50

the when we start adding the the is dynamic right there's it's basically you know mini javascript call

28:58

there is an extra operation from the subject side so if you think about it from a query standpoint so our goal is trying to get

29:04

this to be done before the query [Music] as far as the dynamic

29:09

variables for data that can be that's basically translated into a modified sql

29:15

query in order to determine whether or not

29:20

you satisfy the criteria you know the subject conditions if we started adding dynamic

29:26

capabilities we would actually be running scripts and potentially database calls

29:32

before we did our main database calls so we're adding we're adding extra steps in inexpensive steps

29:38

so we have to be careful in how we evaluate you you know you as a person to determine your level of access

29:46

um if we touch on kind of what the the area that we're going to be going more on and i can i can go into this a little bit

29:52

later when it makes more sense but um the the uh subject conditions are going to

29:58

grow we we just maintain security role group and ip address and actually if any

30:03

of you are familiar with adaptive authentication which is also something fairly new to us we're sharing

30:10

the same code so the same rules that you define to determine authentication adaptive

30:15

authentication rules we you can carry that over into your data conditions as

30:20

well oh nice yeah so we so we we plan on um getting more into the subject and

30:28

environment attributes and and allow for kind of customization and configurability of that um and i can

30:33

talk about that a little bit in a little bit if if we want to but that's where we want to grow beyond just role group and

30:39

network adding network is actually a great thing because that doesn't exist today in the acl so right um that's key

30:45

that's that's that's this you know we're sharing code we're eventually going to bring all this all the way into the acl as well so a

30:51

lot of the stuff the declarative stuff we're going to be adding to acls um and so you know that that's that's

30:57

kind of where we're where we're focused on growing all right and i am am i safe to assume

31:04

you can't do you know javascript colon something in here um

31:10

well there's a matter of if you can or you should which i'm not sure which is

31:17

good valid good answer just because you can do a thing doesn't mean you should do a thing right

31:23

i wouldn't be married if that happened okay let's see how it worked so

31:30

theoretically chuck is not part of ams support group according to that slide earlier

31:35

but if i look at stores ungrouped and

31:41

actually you know what i have a shortcut just for that so grouped by support group i don't have

31:47

any ams let's see what dennis gets by support group dennis is also not in

31:55

he's in the emit mes support group and if we go over and look at

32:02

our old friend abel tutor not history hey where's my favorites anyway

32:10

group by support group he does have ams because he's in that group so proof that we can easily create a data filtration

32:18

record for that specific group i have one more but i want to show you something first

32:25

if you're ever questioning why don't i see this you can do

32:30

debug all security up our favorite debugger window i'm

32:35

going to allow and when i refresh this list

32:43

see if i can get that back there we go i can

32:48

search on filter right and hit

32:54

this and determine exactly which ones applied and which ones did not so data

33:00

filtration applied subject criteria not met support group blah blah blah

33:06

data filtration not applied subject criteria met the id is between so i can

33:12

tell exactly why did this record show up or not is based on these records so use the uh

33:18

security debugging to your advantage thank you for making sure that's included with its own messages by the

33:24

way you're welcome we wanted to uh yeah do better than

33:30

we've done in the past [Laughter]

33:36

you're driving a good point which is which is also going to be more meaningful in the future

33:42

right so as we you know you see right now that oh there's i'm missing some data because i don't satisfy some

33:49

criteria um and so that prompts you to you know go into the debug

33:55

in the future when we are able to move this at a quick you know before the query as part of the query um those

34:01

those uh those notices will go away and um everyone will be

34:06

seeing the data that they presumed are allowed to see so even more so um the debugger is going to come into play as

34:13

kind of like your go-to rather than just seeing the error itself or the message itself saying okay what's being hidden

34:19

and why and then go to the debugger oh good point

34:25

good point okay i'm going to do a different approach to that last example where i

34:31

said the ams support group gets to see the ams records we're going to satisfy dennis so you can see

34:37

only dennis can see the email support records but i'm going to do it in a slightly different way using something called support criteria

34:44

so underneath oh what was i typing yesterday

34:51

paf i like i like working on the middle of the word for uniqueness

34:58

we're going to create a support criteria that we can then use in our data filtration record this is a small

35:04

example of where you can go with this so we are going to create a new

35:10

called i like to just call these i'm going to prefix this because ams or emea support is going to come in all over the

35:15

place and this will help me tell them apart i mean by no means condoning a best practice here i only got confused

35:22

yesterday so maybe this turns into a best practice

35:27

description hey this description field is bigger i like this

35:33

so save that and down here i've got two more tabs and this is where i may lean on scott a

35:40

little bit to help us understand what the criteria inputs are

35:46

so um as as you mentioned before this is go this is using uh

35:52

decision tables uh and so the the prerequisite for decision tables is to define what inputs you want as part of

35:59

that okay so it's essentially just yeah adding what criteria

36:04

what of the three that you know we're able to evaluate what you want to add to this um

36:09

and it's just kind of a nuance with using decision tables all right and this is going to these

36:15

three correspond to these three correct so it's going to be giving me records in these other tables implicitly yeah the

36:22

the the other yeah those those other um links in the menu are probably um you

36:28

know just extraneous they're just there you probably don't need to interact so much with those but we kind of guide you through the process

36:34

oh hardcore people love them true that's probably why they're still there

36:40

now i could create any one of those ipfilter criteria to say hey i want this ip range or cider address or

36:47

whatever uh you can make these as simple or as complex as you want this is a group

36:53

filter criteria for email support again reusable components in

36:59

here and i'm going to assign it the group store support

37:06

that is that piece of it and notice that it's currently says used

37:11

false now this is the cool part these records know where they're referenced so you can't delete the wrong thing first

37:18

if i came and tried to delete the support criteria it would go i i'm sorry if you try to create the

37:23

group filter criteria it would go hang on this is being used somewhere you don't want to yank

37:30

the carpet out from under this or or saw the branch off that you're sitting on use whatever metaphor you like for

37:35

disaster happening here the system will actually tell you that you can't delete this record because it's used in a

37:42

a subject criteria which i think is really cool though something i did notice is you can actually still

37:47

set that field as active or false even though it should be it is automatically determined by the criteria conditions so

37:54

maybe in the future we can make that a read-only field oh yeah protect it whoop

37:59

yep you're right good call earl mvp product

38:05

yeah and we we want to do better in this area um make it a bit more intuitive because

38:10

either we we realize it's not but um that's just kind of how it has the components are necessary uh we want to

38:16

do better though and scott if i add more criteria inputs let's say i say you've got to be in this group on this ip range

38:24

etc you have this role are those ended or ored together uh that that's defined in the conditions

38:31

so all you're doing right now in this first tab is just bringing uh listing you're bringing all

38:37

the available inputs that you want to evaluate in the condition okay so it's

38:43

it's kind of like atf in a way where you're setting things up that you can use later or flow designer yeah so think of you know in our condition builder

38:49

there's the left side and then the right side right so you're just basically uh creating the the list of left options

38:56

right now let's go do that let's let's show these people how that works so label this is my subject criteria

39:03

creation for me support you see why i'm starting to do that

39:08

and in here oh look yeah i've got the different filter criteria uh earl and i were wondering

39:14

what sis id and keywords are doing in here that's a good question okay

39:21

generic to the condition field i don't know we were

39:26

conjecturing about those two for a little bit last night no attributes on this one so maybe

39:33

maybe if you use v2 they go away or something i don't know so what we're asking is

39:38

when this decision table evaluates our decision we want it to come back as true

39:44

now you could invert this which says you are not part of that group is that correct yeah

39:50

okay easy enough pretty straightforward well

39:55

yes uh i love that yes and

40:01

i'm i'm doing mental gymnastics right now to to verify that answer okay

40:08

we can we can easily flip that and see who can see what records in a minute but if you want to see the decision

40:13

table up comes decision builder our old friend thank you julia perlis and her team for

40:19

creating this it's not that hard to glance at it and go what's happening here uh if you're part

40:25

of this group it's true okay let's go back i didn't make any changes let's go back

40:31

again okay show the first tab again first tab is now true it says you have

40:39

been used so if i combine three of these and i like that if if you said

40:45

i've got a group one and of course you can always personalize the list to say you know

40:52

what's the display name what's the filter criteria blah blah blah

40:58

to make it a little more readable you go oh my filter criteria for email support is

41:06

used but i better go back to the criteria conditions because the one with the role or the one with the ip address wasn't

41:12

included in that condition so it gives you a little visual before hopping over here is this right

41:18

let me open that up and see if it actually says what i wanted to say

41:24

so in the in the midst of all this i think it's important not to lose context of what we're trying to achieve

41:29

um and and the value of it so if you think about um you think about

41:36

creating um a number of data filters that have some let's just call them

41:42

compound conditions so you have to be a member of a couple different groups or be from this role or from the corporate

41:48

network um and you want to repeat those that that those compound

41:54

conditions and and have consistency across multiple data filters this is

41:59

this is how you would go about that um almost almost like in it to building a persona that's using a combination role

42:07

group and network right oh my thunder man

42:12

actually your thunder have added yeah the reusability and i'll show you

42:18

real quickly now that we've got the subject criteria defined that persona that you know scott alluded to

42:24

i'm going to go to like the data filtration and create a new filtration record

42:31

to enact that or enroll that store let's see uh email for email

42:40

or it's like a protest statement or something beta filtration similar to before we're

42:47

going to say the support group is store emea that's what you get to see

42:55

if you satisfy this condition now this is where subject criteria comes in i'm

43:00

going to use that other subject now i have to start typing it so fortunately i started with

43:06

an sc for subject criteria and there we go

43:12

so in theory if this worked fingers crossed i go to chuck's list chuck is not in

43:20

ams or email so that's working dennis darren i don't know i keep calling

43:26

dennis because it's darren ennis or enos inus nice

43:31

something what's his name darren nice okay

43:37

the answer is yes to emea no to ams and if we go over to abel

43:43

and refresh the list you know you can refresh the list just by clicking all aha

43:49

things have been taken away no no nobody in the first thousand because that rule is applying

43:56

and group by support group says

44:01

no email should we flip it around just to test your theory

44:06

scott okay we're off script just letting everybody know that's like

44:11

we have a really he's like we have a really good batting average we don't want to change it up now right this is we're developing into the

44:19

criteria and we flip this to false so this would be a way to exclude data

44:26

from people not in that group let's try it again favorites grouped by support group

44:33

uh chuck doesn't see it interesting

44:39

refresh the list i'm not sure what happened to my refresher here

44:46

still don't see it for dennis and

44:54

still don't see it here now this is where

44:59

there's like there's a couple of things we could talk about now chuck based off of what we found last night we're going to just try clearing the

45:06

cache let's see what impact that has we could

45:12

also try logging out logging in but i'm not ready to go there yet okay cache is cleared chuck refreshes

45:19

does chuck see records we have to rebuild that cash which is why this is taking a couple extra seconds

45:26

this is when you are glad you have a cash no

45:32

i noticed another decoration i don't know if this was san diego or tokyo you see up here where you got these new

45:37

little icons here you can see what is grouped by so many times i've turned on grouping and i

45:43

don't remember which column was on totally this is nice i'm thank you for whoever

45:48

did that i think this is a great time to mention

45:55

some of the uh quirks that we ran into um in our

46:00

testing check so when we were figuring out uh and setting up this demo

46:06

some some things came up where we realized two things one uh impersonation the reason why

46:12

chuck is showing them in its own session windows right now instead of impersonating a user to demonstrate the records is

46:19

because what we've noticed is that the the essentially the criteria that is hitting

46:25

for the data filtration persist to the original person that's logged in even if you impersonate to

46:31

somebody else so impersonation is not a great thing to use while trying to test for these

46:36

records in data filtration so i see scott writing things down i think

46:42

so that's um uh i see him on the side um the other thing is uh right now chuck

46:48

is in a scoped application and we saw some irregularities while being

46:55

in a scoped application when it came to the subject criteria yeah subject criteria specifically

47:01

um so if we're running into interesting things here we don't know necessarily if it's a

47:06

scoped issue or if it's a bug for the entire the actual feature itself but um

47:12

when it comes to subject criteria we knew that it worked in global but not in a scoped application

47:18

yeah for scoping um there is we can definitely do better in

47:23

this area um we obviously as you can tell we're we support scopes but then you when you add

47:30

like scoped administration or scope security in into the picture it complicates it significantly

47:36

um so we've we've identified some areas where we can definitely improve and um

47:41

have more expected behavior around that um and also kind of you know do bet be

47:46

better than what scopes allow us to do

47:52

one more reminder is some of you may know if you use a glide record query you can navigate around acls

47:59

and if i'm correct you can you can do that today with glide record

48:05

on data filtration but you cannot do it i mean the glide record secure honors the acls and the data filtration rules

48:12

but the goal is no more no more working around with glide record they are what they are

48:17

especially if they're pre-query you got no choice yeah that's something good to kind of

48:23

dive in a little bit on um you know as we as we kind of

48:28

thought of data filters you know charter is to kind of protect high value data one of the one of the things that we

48:34

identified an area that we identified that we wanted to try and improve upon was

48:39

um i feel like a better term kind of centralizing security so taking taking the choice out of the hands of the

48:46

developer of whether or not security is enforced or not so we kind of took a position of

48:52

let's let's not make data filters bypassable

48:58

that led us that led us down a very long rabbit hole that ultimately was a dead end

49:04

not because we can't solve the problem but data filters it wasn't data filters

49:11

job or responsibility to solve what we ended up finding is a

49:16

very high risk of regression so if you think about it you know all of

49:23

our what we ship out you know from in our baseline code we have some expectations around what level

49:30

of access certain processes have and you can't get around you can't get around the need for a

49:36

process to be able to bypass security you know the system itself needs access to data in order to process the data so

49:44

you have to have some level of you know bypass ability of that security and today that mechanism is glide record

49:50

versus glad record secure and unfortunately both of those apis are publicly available as in script so

49:56

you can essentially create scripts that bypass security um this is nothing new um this is just

50:02

that's just the way it is so the notion of trying to change the um the point where data

50:08

filters was enforced i mean we wanted to go down to the db um the db query layer

50:13

um but what we found is that we were um we were creating an environment of a

50:18

very high risk of regression so like you should you know there's no data filters shipped out of the box but suddenly you start creating you know

50:25

data filters and applications start misbehaving because they weren't tested

50:30

um you know with with security in place maybe that that that that application needs acts full access to data but you

50:37

were creating a data filter that was removing access and and you'd start seeing anomalies so we we didn't make it made a

50:43

determination that um we need to solve that problem more at the plat you know general platform layer rather than

50:48

within data filters itself um so we've kind of resolved to re you know reevaluating our

50:54

approach to that problem one other quirk that

50:59

we came up with is you can see abel here doesn't have access to any of

51:06

the 1000 records but if i were to drill into one of those records

51:11

and say email the link to abel

51:18

away we go there we go had to remind

51:24

so that's something to consider as well i don't know if if that's on the road

51:29

map as well scott but yeah we actually have a defect uh we're working at hurricane as a defect at the moment

51:35

good so if you're watching this in the future and it doesn't work for you you know why

51:41

all right that's um you know unless we wanted to go down the global path for a quick demo i think looking at the clock

51:47

we better get it back on track but we're aware of these features this is patch zero uh i

51:54

got nothing else to demo here earl i think we can probably run through some

52:00

of the questions that were asked inside of the chat during the demo and just make sure we covered everything oh wait i do want to show one more thing hold on

52:07

okay work filtration uh if you try to delete that group criteria i said it's got a smart delete

52:14

and i go i'm going to be sneaky and try and delete it it says no you can't

52:20

it's already being used click here to review and it brings you right to

52:26

you know where you need to go okay yes let's see some questions little things like that save a lot of headaches thanks for

52:32

making sure that's there that was fun

52:37

give me a little warning first chuck dates i'm gonna fix that too

52:43

a few questions popped them in chat um some things we a lot of these we did answer on air um just by coincidence but

52:51

i just want to make sure that we covered everything um stefan had a question about phil data filtration and how

52:58

we're expecting admins to be able to uh work on records that are being reported

53:03

to us if there's no admin override button and stuff like that and one of the key things is debug security still

53:09

happens um so you'll there's key messages in there saying hey data filtration is getting rid of this record

53:15

for this person for for you that's why you can't see it and that's why there's a bug um so you need to go look at data

53:21

filtration or if it's not that go to acls then um but one of the other things is uh one

53:26

thing we did we mentioned uh the url bypass chuck

53:32

yes so that when when you went into the specific record right okay

53:38

um so there is a stuff that we uh noticed about that that um

53:43

uh it's mainly a table-less kind of thing known defect

53:49

yeah uh we had a lot of questions for clarity about acls working with data filtration

53:55

and just for clarity uh they they work to complement each other so remember they're both post query uh data

54:02

filtration works first and then passes those lists of records over to acls to run so they work together and they

54:08

always work together you can't have one or the other if you turn on the data filtration uh what else is in there

54:17

uh another clarification of about does this get rid of the security prevented showing the rows that's part of post

54:22

query so because data filtration is also post query it doesn't get rid of that what you're looking for is a before

54:29

query business rule right now but as uh scott has mentioned in the future we

54:35

hope to move data filtration or give the option to have that run before query which would solve that problem also

54:41

um nitish gave a good summary of what happens and

54:46

then i clarified it with uh hey um it's more clear if you say where the query was so that you know what happens before

54:52

querying what happens after query uh to be a good picture of the the workflow that's happening on records behind

55:00

what else has been asked there was the one about cascading too

55:07

yeah so earlier in the episode um we talked about cascading and scott gave great insight on uh

55:13

gotchas to make sure to pay attention for about the condition builder for a data filtration record and to make sure

55:19

to build the if you have a cascading field that you need to be addressing you need to you

55:24

would want to uh because of the declarative way of how this works is to build a new data filtration record on that table

55:31

so a lot of cool clarifications a lot of um questions in the chat which is great because we wanna that's how we get all

55:37

the information out there and how we get uh all the information to scott too this is great this is why we love having a product manager on our um on our shows

55:44

uh but yeah i think that was a lot of questions a lot of the things a lot of the chat was a lot of clarification on things um that we did answering the show

55:51

so i won't go over um a lot of these questions again uh but did you notice anything else in

55:56

the chat lauren um did you go through all your notes chuck yep

56:02

earl point up with your left finger this is part of the tokyo content

56:09

you can tell because we have this cool badge we are in the midst of the tokyo season you can find out everything that's out there or going to be out

56:16

there on our tokyo calendar i think we may need to update a few links because it's been a couple of

56:21

weeks now we've got content rolling out creator toolbox live coding happy hour breakpoint podcasts blog entries lots of

56:29

stuff coming in devlink dot sn slash tokyo earl's got the banner right there

56:36

[Laughter] we're on cue

56:41

well-oiled machine any other announcements earl

56:51

we are we have a uh do you want to talk ab challenge at all

56:58

build with aes challenge yes lauren heck yeah so i believe it was about

57:04

three or two or three weeks ago we kicked off the build with aes challenge uh all the information about the

57:09

challenge is listed on our blog and also on the community but essentially if you can write a short blog post or film a

57:17

short video on anything that you've built with aes why you liked it what you liked about the experience

57:23

we will send you a free shirt it is very similar to this shirt that was oh that went like lickety-split out of stock at

57:30

creatorcon so if you missed out on the shirt there uh this is an awesome opportunity to get a very good uh dupe

57:36

without the uh little creatorcon specific logo but the whole shirt is the same

57:41

i'll be the one to ask what does aes stand for app engine studio thank you so much i

57:46

appreciate that [Laughter]

57:52

well i know i just want to make sure we say just because um natasha asked about it uh

57:57

he's saying that if the if you have trouble with the dev links uh just go to

58:03

developer.servicenow.com and check out uh all of our resources um on the blog

58:08

and you'll be able to see the tokyo content uh breakpoint content this shows content

58:14

our friday live coding happy hour content all that's there on developer.servicenow.com

58:20

and then click on blog plus you'll see all all the other resources that you have available to you as a developer so

58:26

check it out all right i just tested it we did have a technical issue last week because rit

58:31

people changed something on the back end that we had to track down so it was broken for about 12 hours but hopefully

58:37

that's all cleared up i just tested devlin slash tokyo is working but you can also find that on the blog as well

58:44

thank you earl thank you lauren for joining and definitely thank you scott for the depth of knowledge on this

58:51

product absolutely thanks guys definitely another couple degrees higher than where we could have taken it uh had i had a

58:58

little more time i would have made nicer slides until next time everybody take care stay

59:05

safe and we will see you soon )