Squid Security Overview

Security is foundational to Squid's design. As a data integration tool that exports potentially sensitive ServiceNow data, Squid implements multiple layers of security controls to ensure data is only accessible to authorized users and systems.

Security Philosophy

Squid's security model is built on three core principles:

1. Defense in Depth - Multiple independent security layers that must all be satisfied
2. Explicit Access - Data access requires explicit configuration, not implicit grants
3. Transparency - Security decisions are visible and auditable

Security Architecture

Deep dive into each layer:

• Authentication — Session verification and role requirements
• Authorization — Configuration-level access control
• Data Access Controls — Views and filters
• Query Security — Input validation and operator restrictions

Key Security Features

Feature	Purpose	Documentation
Role-Based Access	Control who can access the API and specific configurations	Authorization
View-Based Data Control	Define exactly which columns are available for export	Data Access Controls
View Filters	Restrict rows returned per configuration	Data Access Controls
Forbidden Operators	Prevent query-based security circumvention	Query Security
Restricted Operators	Prevent performance attacks	Query Security
Relations Restriction	Control which relations callers can request	Authorization
Audit Logging	Track all access and security events	Auditing

ServiceNow ACLs

Why are we talking about security? Doesn't ServiceNow have ACLs?

Squid has a nuanced relationship with ServiceNow ACLs. While ACLs are valuable for interactive UI security, they can cause significant problems for programmatic data exports due to their silent failure mode.

See: ServiceNow ACLs for a detailed explanation.