Service Graph Connector – CIs Not Updating for Parent Domain User in Domain-Separated Instance

SyedMulthazim
Tera Contributor

Hello,

We are using the Service Graph connector to integrate our domain-separated ServiceNow instance with Tanium. I’ve encountered an issue where Configuration Items (CIs) created by the integration during the first run are correctly placed in the expected domains. However, when I run the integration for the second time, the CIs are not updated if the job is executed by a user from the parent domain (even though the parent domain user has visibility to all child domains and their CIs).

Issue Details:

  1. First Run: CIs are created successfully in the expected domains.
  2. Second Run: CIs do not update when the user running the integration is from the parent domain, despite the fact that the parent domain user has visibility to the child domains and their CIs.
  3. Child Domain Behavior: When the integration is run by a user from a child domain, the CIs are updated as expected.

What I’ve Tried:

  • Verified that the user in the parent domain has visibility and appropriate access to all child domains.
  • Checked scheduled import job settings and logs but couldn't identify any domain-specific restrictions for updates.
  • Confirmed that the integration works correctly for creating CIs during the first run regardless of the user’s domain.

Questions:

  1. Is this expected behavior in a domain-separated ServiceNow environment when using the Service Graph connector?
  2. What can I do to ensure that the CIs are updated when the integration is run by a user from the parent domain?

Any insights or advice on how to resolve this issue would be greatly appreciated!

Thanks in advance!

Ashish Routray1
Tera Contributor

Hi @SyedMulthazim 

I'm running into the exact same problem and was wondering if you were able to find a resolution. If you managed to solve it, could you please share what worked for you?

Any insight would be greatly appreciated!

Hi @Ashish Routray1 

I resolved this issue by enabling a system that allows users from the Parent domain to update CIs in the child domain. Please conduct thorough testing after enabling this property.

If you require further information, please don't hesitate to let me know.

Also, if you found my response helpful in resolving your issue, kindly mark it as such.

Thank you!

AJ-TechTrek
Giga Sage

Hi @SyedMulthazim,

This is a great question. This is actually a classic, real-world challenge that comes up when you use the Service Graph Connector (SGC) or any integration in a domain-separated ServiceNow instance.

As per my understanding, this is why it happens (and yes, it is partly expected):

In domain-separated instances, even if a user in the parent domain can see data in child domains,
the actual update action by the import set / transform map still depends on the domain context of:
* The import set
* The transform map run
* And especially the user running the job

Specifically:
When the import job (or SGC transform) runs under a parent domain user:
* The transform map runs in the parent domain.
* By default, updates in child domains may not occur, because update access follows strict domain rules:
  * Users in the parent domain can insert new records into a child domain (often)
  * But can’t update existing records in a child domain if the import set or transform runs in the parent domain scope/domain

When you run from a child domain user:
* The transform runs in the child domain context.
* Updates succeed, because the domain matches.

This is normal/expected behavior unless you explicitly configure cross-domain update permissions.


How to fix / ensure updates work from parent domain:


Option 1: Use the “run_as” user in child domain
In your import set / transform map / integration hub action:
* Configure it to run as a user in the target child domain.
* Even if scheduled from the parent domain, this forces the transform map to execute in child domain context.

Option 2: Enable "Allow updates from parent domain"
In the domain separation configuration (for CMDB tables or the transform map):
* Set Allow updates from users in the parent domain
Note: This is controlled via the Domain Configuration (domain_config table) or on the domain settings for the transform map.
* This allows users in the parent domain to update records in child domains.
* Requires careful governance to avoid unintended data changes.

Option 3: Split transforms per domain
If you have:
* One integration job in parent domain → creates new CIs
* Separate transform maps scheduled in child domains → update CIs in child domains
Ensures domain context matches, avoids cross-domain update issues.

Option 4: Use “domain override” field on transform map
If you know the domain of the data, in the transform map, you can:
* Set the sys_domain field explicitly during transform → forces update in correct domain.
E.g., mapping rule:
Target field: sys_domain
Source: hardcoded or from input data

Please appreciate the efforts of community contributors by marking the appropriate response as Mark my Answer Helpful or Accept Solution. This may help other community users to follow the correct solution in future.

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025