Domain Separated User and Group Roles

raprohaska
Kilo Guru

We have a need to assign different roles to a user depending on the domain of the record. So User1 may have ITIL access in Domain1, but they have zero access in Domain2.

Upon reading Re: Domain separation and Child roles , I had some hope that we could use the domain separated nature of the User/Group Roles table, but:

  • There is a BR that always sets the user role domain to the user's domain.
  • Roles inherited via group or "contains role" relationships get added to the user with a User Role domain of global.
  • I even deactivated the business rule so I could manually set the domain of the User Roles record. It seems that when ACLs are processed, it bypasses domain separation and pulls the role in no matter what.

Does anyone know of a way to leverage domain separation to drive different roles for a single user (or users within a group)?

Thanks for any help you can give,

AA


The admin role is across the whole instance. It can not be granted to a specific domain.

ServiceNow Training material on domain separation:

"Administration of a domain separated instance is the centralized responsibility of the instance owner. Do not offer direct admin access at the customer level. Any user with the admin role can impact global instance-wide configuration, even if their account is in a domain. For example, they can change system properties and change their own domain. It's important to have at least one administrator account working in global, for complete data visibility and troubleshooting. It is strongly recommended that service providers employ a strong centralized governance model with instance administration owned by the MSP and not the customer directly."

Marc See
Tera Contributor

Have you tried placing the user's domain higher than the group's domains? For example:

  • Say we have 3 domains: MSP (parent), Dom1 (child), Dom2 (child)
  • User's domain is in MSP.
  • Create 2 groups, gp1 (in Dom1) and gp2 (in Dom2). Set gp1 with itil.
  • Assign user as a member of both.

When you impersonate the user and toggle between domains, does it set the roles between domains?

But how can we give domain admin rights? For example, creating users in Dom1, so the admin of Dom1 won't be able to create any users in Dom2 and global.

Right, so from my understanding, roles are applied globally. So my steps above, I think, may fail, but worth a test.

Based on your requirements, I don't think you can set roles differently between domains. From my experience, domsep only segregates data and processes. You can tell which data is domain separated if it has the sys_domain attribute. If it doesn't, that means the data is global.
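An audit helper to make the thread's point visible, added here and not written by any poster: it walks a constructed export of sys_user and sys_user_has_role rows (the user_name, sys_domain, role and inherited columns exist on those tables; the sample values are made up) and reports, per user, which roles take effect in every domain, flagging inherited grants stored in global, grants whose record domain differs from the user's domain, and the admin role, which cannot be confined to a domain at all.

```javascript
// Constructed sys_user rows (not real instance data).
const users = [
  { sys_id: "u1", user_name: "user1", sys_domain: "Dom1" },
  { sys_id: "u2", user_name: "mspadmin", sys_domain: "MSP" },
];

// Constructed sys_user_has_role rows. The direct itil grant carries the user's
// domain (the business rule forces that); the group-inherited itil grant lands
// in global; the itil_admin row models a grant whose domain was set by hand
// to a different domain after deactivating that business rule.
const userHasRole = [
  { user: "u1", role: "itil", sys_domain: "Dom1", inherited: false },
  { user: "u1", role: "itil", sys_domain: "global", inherited: true },
  { user: "u1", role: "itil_admin", sys_domain: "Dom2", inherited: false },
  { user: "u2", role: "admin", sys_domain: "MSP", inherited: false },
];

// Build a per-user report. Because ACL evaluation does not domain-filter
// sys_user_has_role, every row for a user contributes to the effective role
// set regardless of the row's sys_domain; findings explain why each grant
// is wider than its record domain suggests.
function auditRoleDomains(userRows, roleRows) {
  const report = {};
  for (const u of userRows) {
    const rows = roleRows.filter((r) => r.user === u.sys_id);
    const findings = [];
    for (const r of rows) {
      if (r.role === "admin") {
        findings.push(`admin: instance-wide, cannot be confined to ${u.sys_domain}`);
      } else if (r.inherited && r.sys_domain === "global") {
        findings.push(`${r.role}: inherited grant is stored in global`);
      } else if (r.sys_domain !== u.sys_domain) {
        findings.push(
          `${r.role}: grant domain ${r.sys_domain} differs from user domain ` +
          `${u.sys_domain}, but the role still applies in every domain`
        );
      }
    }
    report[u.user_name] = {
      effectiveRoles: [...new Set(rows.map((r) => r.role))].sort(),
      findings,
    };
  }
  return report;
}

console.log(JSON.stringify(auditRoleDomains(users, userHasRole), null, 2));
```

Run against a real export, every user in a child domain with a non-empty findings list is one whose access does not stop at the domain boundary the record domain implies.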