The need to securely segment data between groups, departments, or even locations is constant, even within IT organizations. What organization doesn’t have a particular group that is subject to extenuating compliance requirements that necessitate that their data remain hidden from the rest of the organization? As we delve deeper into the world of Enterprise Service Management, this need only grows. I have yet to find an HR organization that doesn’t wish to keep their data separate from IT. Additional requirements for the financial department, medical organizations, etc only add to the complexity!
Historically, there have been 3 methods by which to attack this:
- Access Control Rules – These make sense at first glance, but can be a real drag on performance. For simple needs, field level security, and role-based security, you’re all good! For complex scripted conditions, you’d best keep these at arm’s length. Remember, that script with 2 GlideRecord queries that you built into that ACL is going to run for every single record on that 1.2 million record Incident table at Acme Corp, and every single time you view the table – that’s potentially 2.4 million queries needed for a simple table list! Not to mention that your users will see that annoying “XX rows removed by security” message every time they view that list.
- Domain Separation – Pure power! Domain separation is a wonderful thing – separated and secured data between every domain; not to mention the ability to have separate processes for each domain – business rules, client scripts, and now even workflows that are unique to each domain in your instance! Sounds great, but make sure you know what you’re getting into. The maintenance and testing requirements on a domain separated instance are far larger than a typical instance, and there is a financial uptick that comes with a license to use domain separation. If you need separated processes between domains, go for it! If you only need separated data, then this may be a hammer too big for the nail.
- Before Query Business Rules – These are en vogue these days, and for good reason! But, they can sound a bit intimidating. What exactly do they do? Well, before query business rules allow you to inject custom queries onto the front of every database access, so that you may limit the data returned according to whatever custom requirements you may have – these rules can be specific to particular tables and user sessions, providing a great deal of flexibility. The best part? Before query business rules only run once for each table access. So, compared to option 1 above (with the 2.4 million queries), this option only requires a single query – quite a bit more efficient, eh?
Note that each of the methods above apply to every database access – meaning that simple lists will be affected, but so will data returned in your CMS pages, your knowledge base, reference fields, etc. Each of these methods is equally secure and should be functionally identical to the end user. And each one has it’s own valid use cases. So, which should you choose? Whenever I’m approached with this question, I generally have 3 golden rules:
- Are you segmenting data at the field level? In other words, do you want group A and group B to both have access to a given record, but only group B should be able to see field XYZ? If so, then Access Control Rules are your only option – the other options segment data at the record level.
- Do you require significantly different processes between group A and group B, as well as segmented data? Are there many such groups that each require their own processes and own data? If so, Domain Separation is your baby. There is some gray area here, as small levels of process differentiation are possible via simple code. But, for significant variations, DS all the way.
- In almost all other cases, go with Before Query Business Rules. They’re relatively cheap, both financially and computationally, and they get the job done.
Check out the video below, try it out in your dev instance, and see if it works for you!