04-26-2017 08:39 AM
We are considering domain separation for our organization but have some high-level questions.
Our goals and understanding
1.) Our understanding of the functionality is found in this article: http://wiki.servicenow.com/index.php?title=Domain_Separation#Contains_Domains
2.) Generally we are OK with a department working independently (ex: Project only for their department only visible to their department). However, occasionally we may want to assign tasks to someone in another department.
Questions
1.) Could we accomplish domain separation with limited cross-domain sharing?
2.) Are there other simpler ways of accomplishing our goal? Customizing ACL security seems possible but too custom.
04-26-2017 11:43 AM
Hi Jeremy,
Instead of the wiki article you mentioned, you want to search the newer docs site for the Domain Separation article.
The article describes Domain Separation, explains reasons for why it may be suitable for you as a customer, and also presents a list of alternatives to domain separation. Note that the first alternative mentioned in the list is Before-query business rules, and ACLs come second.
In terms of logically separating the data in your instance, Before-query business rules come closest to Domain Separation. Both of these methods modify the queries to the database by adding expressions to filter the data. The system retrieves only the data you are permitted to see.
With ACLs, the database is queried and data retrieved. Then the ACLs are applied to discard the data you are not permitted to see. This is why you may see messages on a list that say <x> records removed from the list by security constraints.
For data separation, it is usually far easier to implement and maintain several before-query business rules than it is to design and implement a domain hierarchy.
One of the main reasons for using Domain Separation is because you can separate both data (Data Partitioning) and processes (Delegated Administration). However, you should read Domain separation compared to separate instances to decide which best meets your requirements.
Ed Wajs
ServiceNow Technical Support
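The difference described above between filtering inside the query and filtering after retrieval, as an added example that is not part of the original post and is not ServiceNow code. It is a simplified JavaScript model; the task data, group names and function names are constructed for illustration.

```javascript
// Constructed sample data: eight tasks split across two department groups.
const TASKS = [
  { number: 'TASK001', assignment_group: 'hr' },
  { number: 'TASK002', assignment_group: 'finance' },
  { number: 'TASK003', assignment_group: 'finance' },
  { number: 'TASK004', assignment_group: 'hr' },
  { number: 'TASK005', assignment_group: 'finance' },
  { number: 'TASK006', assignment_group: 'hr' },
  { number: 'TASK007', assignment_group: 'hr' },
  { number: 'TASK008', assignment_group: 'finance' },
];

// One visibility rule, enforced at two different points below:
// a task is readable by members of its assignment group.
const canRead = (user, task) => user.groups.includes(task.assignment_group);

// Stand-in for the database: apply the query conditions, then cut one page.
function runQuery(conditions, page, pageSize) {
  const matched = TASKS.filter(t => conditions.every(c => c(t)));
  const rows = matched.slice(page * pageSize, (page + 1) * pageSize);
  return { total: matched.length, rows };
}

// Before-query style: the rule is added to the query as a filter expression,
// so rows the user may not see are never retrieved.
function listWithBeforeQuery(user, page, pageSize) {
  const { total, rows } = runQuery([t => canRead(user, t)], page, pageSize);
  return { rows, total, removed: 0 };
}

// ACL style: the query runs unfiltered, then each retrieved row is checked
// and discarded if the user may not read it.
function listWithAcl(user, page, pageSize) {
  const { total, rows } = runQuery([], page, pageSize);
  const visible = rows.filter(t => canRead(user, t));
  return { rows: visible, total, removed: rows.length - visible.length };
}

// Render a result the way a list header might summarize it.
function describe(result) {
  const shown = result.rows.map(r => r.number).join(', ');
  const note = result.removed
    ? ` (${result.removed} records removed by security constraints)` : '';
  return `${shown} | query matched ${result.total}${note}`;
}

const hrUser = { name: 'constructed.user', groups: ['hr'] }; // hypothetical user
console.log('before-query:', describe(listWithBeforeQuery(hrUser, 0, 4)));
console.log('ACL         :', describe(listWithAcl(hrUser, 0, 4)));
```

In this model the ACL path returns a short page and a removed count, while the before-query path returns a full page of permitted rows and never touches the others.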
04-26-2017 08:46 AM
Hi Jeremy,
Turning on Domain Separation, in my opinion, is a much more heavily involved piece of work than creating a few ACLs.
Most customers who want some level of security within their own company go the ACL route; Domain Sep is mostly aimed at MSPs or instances with high levels of data privacy regulations, or where different departments sometimes want different fields and processes within a company.
If you were to go the ACL route, it should just be a question of locking down records based on a user's group membership (if desired); this can now be accomplished in the simple condition builder like:
Assignment Group is DYNAMIC(one of my groups).
A READ ACL on a record would lock a record's visibility down to only members of the assignment group, as an example.
04-26-2017 09:28 AM
My opinion:
Domain Separation should only be leveraged if the different organizations need complete separation with no plans to integrate.
If that's not your use case, think very long and hard about enabling it, as it's not something you can easily come back from...
If all you need is visibility and data security, this can be accomplished a number of ways, without resorting to Domain Separation.
The primary use case for Domain Separation is totally independent companies, managed by a central shared service. Think managed service providers. The other use case would be very large organizations that have data governance issues and need that additional layer of separation.
-Rob