Need help with the Domain Separation concept for data separation

shaik_irfan
Tera Guru

Hi,

We have activated the Domain Separation plugin. We currently have 5 domains, which I created, and now I need to separate the users and data. Can anyone please help me with best practices and suggestions on how to separate them without any issues?

1 ACCEPTED SOLUTION

Ganesh Bhat
ServiceNow Employee

Hi Shaik,

I have been involved in the domain separation of one of the ServiceNow applications, hence I understand the difficulties and what we need to know while domain separating an application.
Some of these things are learnt through extensive research and trial and error, and are hard to find.

So, here is the best way to get started with it.

1. All you need to know about domain separation and how to do it is documented in a step-by-step developer guide.

https://developer.servicenow.com/app.do#!/training/article/app_store_learnv2_domainseparation_madrid...

This will take you through the domain separation concepts and exercises and help you achieve it easily.

  

All you need to do to ensure domain separation is these 7 things:

1. Install domain separation plugin ( com.glide.domain.msp_extensions.installer )

2. Setting up domains and users

Same as what someone else already pointed out, do these

a. Create Domain and Domain hierarchy ( set right parent domain - explained in the document provided above )

b. Create Company for each domain ( 1-1 mapping )

c. Create users and assign a company ( consider this as domain )

3. Check if table of interest is domain separated

var gr = new GlideRecord('sn_cmp_bp_cat_item');
gs.info(gr.isValidField('sys_domain')); // true when the table has a sys_domain column

This will print true if the table is domain separated ( in case the table that the current table extends is already domain separated ).

4. If your application uses catalog, install domain separation for catalog ( servicecatalog.domain_separation )

5. You must update the dictionary to domain separate the tables.

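While developing, you can use the script below to domain separate any table of your choice and test the behaviour.

insertDomain('sn_cmp_order'); // table of your interest here

// Adds a sys_domain column to the given table through a sys_dictionary entry.
function insertDomain(tableName) {
	// Skip tables that already have sys_domain (own or inherited) to avoid a duplicate entry.
	var check = new GlideRecord(tableName);
	if (check.isValidField('sys_domain')) {
		gs.info(tableName + ' is already domain separated');
		return;
	}
	var gr = new GlideRecord('sys_dictionary');
	gr.initialize();
	gr.setValue('name', tableName);
	gr.setValue('element', 'sys_domain');
	gr.setValue('internal_type', 'domain_id');
	gr.setValue('column_label', 'Domain');
	gr.setValue('default_value', 'global'); // records default to the global domain
	gr.setValue('max_length', 32);
	gr.insert(); // new dictionary record, so insert rather than update
}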

 

Typically you need not do anything in addition to adding the sys_domain column, if you are not manipulating data using a scheduled job.

The domain of the user who created the records is used for the records too.

 

6. In domain separation behaviour, there are 2 more important concepts ( Process and Data )

We use an attribute called sys_override, which makes any table's content process; this reverses the visibility of the data.

For example ( see how visibility got reversed ):

Data

  • Users in a parent domain can see child domain data
  • Users in a child domain can’t see the parent’s data
  • Everyone can see global

Process

  • Users in a child domain can see parent domain data
  • Users in a parent domain can’t see child data
  • Everyone can see global
  • Users in global can’t see the data from child domains; they will have to expand domain scope
  • Allows you to create a process record at the child domain level and mark it as overriding the parent domain record.


Business rules, workflows, policies ( anything which can be related to an execution unit can be considered process )

When I find some time, I will post a script to make any table process.

You will also need to understand the following concepts ( which are explained in the document reference I provided above )

  • Visibility domain
  • Contains domain

 

7. If your application involves a MID Server etc., then there are other considerations.

Hope this will help you get started with domain separation for your application.

 


5 REPLIES

Ankur Bawiskar
Tera Patron

Hi Shaik,

Domain separation works best with companies.

A domain has companies, and users belong to a company.

1) you have Domain 1; assign it some company that is already present

2) there would be users belonging to the above company

3) automatically they will see data only for their own domain i.e. Domain 1

https://docs.servicenow.com/bundle/helsinki-platform-administration/page/administer/company-and-domain-separation/concept/c_DomainsAndAssociatedCompanies.html

Mark Correct if this solves your issue and also mark Helpful if you find my response worthy based on the impact.
Thanks
Ankur

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Shiva Thomas
Kilo Sage

Hi Shaik,

There are two cardinal rules for domain separation: Data goes Up, Config goes Down!

Data

  • Parents can see children
  • Children can’t see parents
  • Everyone can see global

Configuration

  • Parents pass configs to children
  • Children can override parent configs
  • Parents do not see child config changes

Remember that users from the child domains won't be able to see data from parent domains. This is especially critical for core data, like Assignment Groups, and Business Services from the CMDB. 

A Child domain's Incident will not be able to be assigned by the child domain's fulfillers to a group from a parent domain (unless you trick the system with server side UI Actions). Yet a Parent domain's fulfiller will be able to see and reassign the same incident to his Parent domain's group. Be sure that core data that need to be used by everyone is in the Global/Top domain.

Last advice, not everything is domain aware (meaning it will appear in all domains): Script includes, properties, service portals… are not domain aware.


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.
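
The visibility rules from the two answers above (the Data vs Process lists and "Data goes Up, Config goes Down", including the assignment-group case), as an added example that is not part of the original thread and is not ServiceNow code: a simplified plain-JavaScript model. The domain names and the `canSee`, `dataExposureMatrix` and `siblingLeaks` helpers are hypothetical; visibility domains, contains domains and users sitting in global are not modelled.

```javascript
// Simplified model of the thread's Data vs Process rules (added illustration).
// Constructed hierarchy: child -> parent, TOP is the root.
const PARENT = { TOP: null, MSP: 'TOP', CustomerA: 'MSP', CustomerB: 'MSP' };

// Chain from a domain up to the root, including the domain itself.
function ancestorsOf(domain) {
  if (!(domain in PARENT)) throw new Error('unknown domain: ' + domain);
  const chain = [];
  for (let d = domain; d !== null; d = PARENT[d]) chain.push(d);
  return chain;
}

// kind: 'data' (incidents, groups, CIs) or 'process' (business rules, workflows, policies)
function canSee(userDomain, recordDomain, kind) {
  const userChain = ancestorsOf(userDomain);       // also validates the user domain
  if (recordDomain === 'global') return true;      // everyone can see global
  const recordChain = ancestorsOf(recordDomain);
  if (kind === 'data') {
    // Data goes up: visible from the record's own domain and every ancestor.
    return recordChain.includes(userDomain);
  }
  if (kind === 'process') {
    // Process goes down: visible from the record's own domain and every descendant.
    return userChain.includes(recordDomain);
  }
  throw new Error('unknown kind: ' + kind);
}

// Tenant-isolation review: for each user domain, whose data can it read?
function dataExposureMatrix() {
  const domains = Object.keys(PARENT);
  const matrix = {};
  for (const u of domains) {
    matrix[u] = domains.filter((r) => canSee(u, r, 'data'));
  }
  return matrix;
}

// Returns the pairs that break isolation between sibling customers (should be empty).
function siblingLeaks(a, b) {
  return ['data', 'process'].flatMap((kind) =>
    [[a, b], [b, a]].filter(([u, r]) => canSee(u, r, kind)).map(([u, r]) => `${u}->${r}:${kind}`));
}

console.log(dataExposureMatrix());
console.log(canSee('CustomerA', 'MSP', 'data'));      // false: child can't see a parent's group
console.log(canSee('CustomerA', 'MSP', 'process'));   // true: parent process applies to the child
console.log(siblingLeaks('CustomerA', 'CustomerB'));  // []
```
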

Hi Ganesh,

 

Can you please help me gain a deep understanding of Process & Data?

Also, can you please help me understand how scripting works after domain separation? I have lots of custom Business Rules & Script Includes; will these be applicable automatically, or do I need to do anything additional?

Ex: After activating the plugin, everything will be set to the global domain; do I then need to move all the scripts to the TOP domain, or can I simply leave them where they are?