Introduction:
Domain Separation in ServiceNow is a way to separate processes and data into different domains. It is best suited to Managed Service Providers (MSPs) or global companies with unique business requirements that need to customize instances easily. It’s also known as ServiceNow Multitenant Platform Architecture.
Example: We work in an office building that several companies share.
Domain Separation in ServiceNow is a bit like that. The building leases individual office spaces to tenants. In the same way, an MSP can lease parts of a ServiceNow instance to different organizations.
Multiple customers can use one instance. A building has different floors and separate rooms, and it also has some shared areas.
What can all be separated?
The instance has global properties, data, and processes shared across all domains.
Like tenants in an office building, each domain can keep its own data that other domains can’t see. Each domain can have unique functions, such as Business Rules and user interface.
How can domains coexist?
Through hierarchy. Hierarchy maintains domains and the relationship between them.
What is domain hierarchy?
It is the structure of the domains in an instance. It establishes a Parent/Child relationship between the domains.
As seen above, every domain has data separation specific to that domain. Members of a domain see only the data contained within their own domain or its child domains, if any.
If there is a parent-child relationship, the parent will be able to see data in its own domain as well as the data in its child’s domain.
By default, all users and all records are members of the Global Domain unless an administrator assigns them to any domain.
Users in the Global Domain can view all records, regardless of domain settings. If a user belongs to another domain, then the user cannot view anything across domains and cannot even see records at a higher level in the hierarchy.
How to Configure ServiceNow Domain Separation?
- To set up Domain Separation, the admin needs to activate the plugin ‘Domain Support - Domain Extensions Installer’.
- An administrator can raise a request to activate the plugin mentioned above.
- After clicking on activate, it takes some time to get activated.
- Once activated, the ‘Domain Admin’ application menu is visible in the Application Navigator.
When to use Domain Separation in ServiceNow:
- When we must segregate data between organizations.
- When data separation is required between service providers, customers, and partners within an organization.
- When there are multiple business process definitions and user interfaces within the same organization.
- When the parent company wants to maintain global processes and global reporting in a single instance.
- When we want to decrease the license and support cost by not having separate instances.
Data separation vs. Process Separation:
Data Separation:
- Data Separation can be enforced at the database level using the sys_domain column in tables.
- When Data Separation is enabled, data in Child Domain is visible from Parent Domain. Based on the hierarchy, users can view data in their Home Domain and Child Domain of that Home Domain, but they don’t have access to data present in their Parent Domain.
- To separate a custom table, add the sys_domain field to the table.
- Cloud Dimensions is an MSP, and it has two customers, Stark Industries and Globex.
- Stark Industries has two child domains, and Globex has one child domain.
- Cloud Dimensions can view data from Stark Industries and its children and Globex and its children.
- Stark can see data from both its children. However, children can only view their own.
Tables that should never be Domain Separated:
- Security Black/White list entities
- ACL
- Dictionary
- Sys Property
- Script includes
Process Separation:
- Process Separation can be enabled using the sys_overrides column in tables.
- Any table which contains sys_domain and sys_overrides fields can be configured to have different processes from the Parent Domain.
Example:
Cloud Dimensions is the top-level domain. Its Business Rules or UI Actions can be applied to its customers.
There may be times when we want some customers to see data from domains outside their own.
To do that, there are two ways to control visibility:
- Contains table: The domain_contains table allows users of a domain (the ‘Containing’ domain) to see data from another domain (the ‘Contained’ domain). This only applies to data and not processes.
- Visibility Table: The sys_user_visibility and sys_user_group_visibility tables allow specific users or groups to view data for a domain they could not otherwise access in the hierarchy.
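The visibility rules described above (the hierarchy, the domain_contains table and the sys_user_visibility table) can be modelled to audit which domains a user can effectively read and whether any of them belong to another customer. This is an added example, not ServiceNow code or part of the original article: the child-domain names, user names and sample rows are constructed, and the model assumes a contains or visibility grant also covers the granted domain's children.

```javascript
// Hierarchy from the article's example; child-domain names are constructed.
const PARENT = {
  "Cloud Dimensions": "global",
  "Stark Industries": "Cloud Dimensions", "Globex": "Cloud Dimensions",
  "Stark East": "Stark Industries", "Stark West": "Stark Industries",
  "Globex EU": "Globex",
};
// Constructed stand-ins for rows of domain_contains and sys_user_visibility.
const CONTAINS = [{ containing: "Globex", contained: "Stark West" }];
const USER_VISIBILITY = [{ user: "auditor", domain: "Globex" }];

// A domain plus every domain below it in the hierarchy.
function subtree(domain) {
  const out = [domain];
  for (const [child, parent] of Object.entries(PARENT)) {
    if (parent === domain) out.push(...subtree(child));
  }
  return out;
}

// Domains whose records a user can read: global data is shared, the home
// domain and its children are visible, parents are not.
// Assumption: a grant also covers the granted domain's children.
function visibleDomains(user) {
  if (user.domain === "global") return ["global", ...Object.keys(PARENT)].sort();
  const seen = new Set(["global", ...subtree(user.domain)]);
  for (const c of CONTAINS) {
    if (c.containing === user.domain) subtree(c.contained).forEach((d) => seen.add(d));
  }
  for (const v of USER_VISIBILITY) {
    if (v.user === user.name) subtree(v.domain).forEach((d) => seen.add(d));
  }
  return [...seen].sort();
}

// Customer (direct child of the MSP domain) that owns a domain, or null.
function tenantOf(domain) {
  let d = domain;
  while (PARENT[d] && PARENT[d] !== "Cloud Dimensions") d = PARENT[d];
  return PARENT[d] === "Cloud Dimensions" ? d : null;
}

// Audit: domains a user can read that belong to a different customer.
function crossTenantExposure(user) {
  const home = tenantOf(user.domain);
  if (home === null) return []; // MSP and global users span customers by design
  return visibleDomains(user).filter((d) => tenantOf(d) !== null && tenantOf(d) !== home);
}
```

Running `crossTenantExposure` over every user after each change to the contains or visibility tables shows which grants open one customer's data to another.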
Processes that can be Separated:
ServiceNow Domain Separation Best Practices:
- ServiceNow recommends keeping the number of domains, and of contains and visibility-related entries, low. We should avoid creating multiple overrides or duplicates in the tables, as these slow database queries. When we load the domain picker from the header and we have multiple domains, the domain picker must load all domains before giving control to the session.
- When we work with data records, we should configure the instance to create new records with the sysparm_domain property, so that the domain is already defined for the record without our having to switch domains from the domain picker.
- Use the existing domain hierarchy and change it only when really required. We should not change or delete the hierarchy, because when we do, the system changes the values of sys_domain_path in the domain table and then updates domain-enabled tables with the new domain paths.
- While developing applications in a platform, we shouldn’t use the sys_domain_path value. We should use the sys_domain field in the script.
- Domain query method: we should use Domain Paths as the domain query method.
- When an admin needs to create a new process in a particular domain, we should be in that domain.
Benefits of ServiceNow Domain Separation:
- A domain-separated instance helps decrease the license and support cost by not having separate instances.
- Allows organizations to separate processes and administrative tasks into domains.
- Helps the parent company maintain global processes and reporting in a single instance.
- Helps segregate data between organizations.