Domain Contains vs Visibility

KB15 · ‎10-21-2014

I'm running a domain separated instance and ran into an issue where, I believe, that contains would correct the issue however I'm not ready to put this change into production yet.

The problem I'm trying to solve is this: I have workers who need to be able to assign incidents across multiple domains. When attempting to reassign an incident to someone in a different domain, the name is, of course, not listed. Would adding the domain as a "contains" on the group level harm anything currently setup? I tested this in a test environment and seems to work though I can't vouch for other things that may break because of it.

I know that the definition by ServiceNow is "Visibility controls what a particular user can see, while Contains controls what an entire domain of users can see." Does that mean if I use a contains, it allows all data to be visible on a domain level? Doesn't visibility do this as well?

smarti37 · ‎10-22-2014

Hi kkim,

My understanding of the wiki article here is :

Domain Contains feature includes the capability for Users to see data in the contained domain as well as any of its children but processes are unaffected by a contains relationship (Business Rules, Client Scripts, UI Actions ...). Domain Contains is really helpful to create virtual hierachy between 2 separate Domains.

The Domain named MSP is granted to see data within all the hierarchy of the domain named TOP.

Domain Visibility allows a user or group to see and potentially edit records from another domain => but do not include the visibility on its children domain. See the difference with the screenshot below in comparison with the previous one

The group named Software is granted to see data from TOP/MSP Domain but do not have visibility on TOP.

Regards,

Smarti.

BobbyNow · ‎11-06-2014

This is correct. I would also like to clearly state some differences that affect data access.

1. "contains" is a domain-to-domain relationship that is many-to-many, and does not affect the flow of process.

2. Because the "contains" relationship is hierarchical you can control data access to specific domains by using your domain picker to select a specific domain. When a specific domain is selected you can only see data from that domain and its children.

3. "visibility" is a user-to-domain relationship that is an explicit grant, not hierarchical, and does not affect the flow of process.

4. Because the "visibility" relationship is not hierarchical you can not control access to the data based on the users current domain selection. This means that once a user is granted access to a domain they will always see data in that domain and its children.

Michael Fry1 · ‎11-06-2014

So your workers can see and work on the tickets. But, when attempting to reassign an incident to someone in a different domain, the name is not there because that name is in one domain and the user is in another domain.

Did you try using the preference below:

BobbyNow · ‎11-06-2014

kkim,

To select a specific record in a reference field your worker has to have access to the domain of the record they want to select. (In this case a user record in the assigned_to field)

If your worker exists in a parent domain of the user record they want to select, and can normally see this user, but can not when in a sub-domain record you may have the property (Use the domain for the record being viewed...) referenced above enabled.

This is a common setting and the data issue can be overcome by granting domain "visibility" through a group to the worker, or if list edit is enabled, setting the user from the list while staying in the parent domain.

If your worker never has access to the user record because it is not in their domain hierarchy you can grant them "visibility" through a group as well.

The only time you will want to use "contains" is when everyone in a domain should have access to another domains data.

NOTE: The good and bad of "visibility" is that once granted access to a domain's data you never lose it regardless of your current session domain.