Domain Separation ELI5 (Explained Like I'm 5)

Over my career I had the opportunity to go back to Portugal and work from my “home away from home” (thank you remote working!) where my parents still live.

They aren’t native English speakers; my dad understands a few words here and there, while my mum can hold a conversation to an extent… But while I was having meetings, they heard some terms like “CSDM”, “Dom Sep”, “ACLs” come up quite a bit, and out of curiosity asked me what they meant… And I panicked… Neither of them are in tech, they are not tech savvy - they still call me to fix their printer (thank you SOFTWARE ENGINEERING degree for teaching me not how to fix HARDWARE but how to Google stuff) - so how could I explain these things to them?

That got me thinking, how many people do we in the industry interact with daily that have no knowledge of tech outside of basic spreadsheets, right clicking, copy pasting, etc. and so easily we tend to just immediately start blasting away with these very specific and complex words, expecting them to understand them… Because if we get it, why wouldn’t they too?

Which leads me to this series, of which this white paper will be the first.

Explain Like I’m 5 is used across the internet to simplify more complex and technical terms as if you were talking to a five-year-old. These will of course not be the most in depth articles you’ll read on the subject, but should serve as an intro and hopefully allow you to more easily digest those more complex pieces about the tricky acronyms in ServiceNow…  And oh, are there plenty of those in the industry! So let’s get started!

If there was a poll for what two terms will send shivers down any ServiceNow developers’ spines, I’m fairly convinced either “Sales Handover” or “#Domain Separation” would top the charts.

As fun as the former might sound, today on *at the rhythm of SPIN… THAT… WHEEL* Explain Like I’m 5, we’re breaking down Domain Separation so you can finally understand, or help others understand, why it’s always charting in the Top 10 Worldwide hits of the “Why did I choose this career, I give up” genre.

Let’s start then with the ServiceNow definition:

With the ServiceNow Platform, service providers (SPs) can provide their customers with faster onboarding, meet compliance, and protect their data using domain separation. You can separate client data, processes, and reports into logical groupings called domains. SPs control who sees and accesses what content.
- ServiceNow

Did that help? Maybe a little, but we can simplify this, as after all, we’re explaining stuff to a 5-year-old!

As described in SN’s definition above, the two main purposes of Domain Separation are:

• Process Separation
• Data separation

You, reader, are probably not 5. But one thing both adults and kids seem to love is the Marvel movies, so I’m going to use that to try and five-year-old-ify Domain Separation.

Let’s start by setting the scene with our Multiversal Domain Structure:

For Process Separation, I’m going to focus on the Spider-Man characters above.

Across everything Marvel, including comics, movies, games etc., Spider-Man is known for being able to web sling across cities. The way the web is produced, however, hasn’t always been the same. Let’s consider the following three ways:

• The most common and ‘global’ way for Spider-Man; using manually built web cartridges and shooters.
• Organic web, which is part of their own anatomy.
• And finally, using an exoskeleton or robot to throw the web.

If we look at all 6 Spider-Man characters above, this is how they sling their web:

As mentioned before, the cartridge mechanism is the global way that Marvel sets for Spider-Man to web sling. Since both Tom Holland and Andrew Garfield’s Spider-Men follow that mechanism, even though they are in different ‘Earth’ domains, which is in turn under the Marvel Movies Domain, they haven’t had their powers changed at either level. Therefore, they simply inherit that ‘process’ all the way from ‘Marvel Global Rules’.

We then look at Tobey Maguire’s Spider-Man and Spider-Man Miguel O’Hara, aka Spider-Man 2099. They are both part of completely different ‘Earth’ domains, each with their own stories and villains, but they share the power of organic web slinging, so we group them under the same ‘Organic Web Club’ domain and override the way the power works not at the Earth domain level, but at the aforementioned ‘Organic Web Club’ domain level.

Finally, both Spider-Man Pavitr Prabhakar, aka Spider-Man India and Peni Parker, appear in a movie called Spider-Man Across the Spiderverse, being transported from their own ‘Earth’ domains. This movie is animated, unlike ones under the Marvel Movies domain, so although Pavitr has the same web slinging mechanism as Andrew Garfield or Tom Holland’s Spider-Men, he falls under the specially created ‘Across the Spiderverse’ domain. Peni, on the other hand, uses her robot to shoot out web, meaning her power is unique as a result of the ‘Earth’ domain she comes from and overrides what was defined by the ‘Marvel Global Rules’ domain.

If we put it all together we get:

As we can see, if we add new Spider-Men into the equation, depending on where they are placed, they would follow the power process defined in their domain structure.

If we turn this into ServiceNow lingo:

And look at an MSP example with the following flows:

1. Copy Comments from Catalog Tasks to Requested Item – defined in the global domain
2. Copy Comments and Work notes from Catalog Tasks to Requested Item –overriding Flow 1 at the Customer F domain
3. Copy Comments from Catalog Tasks to Requested Item and Request – overriding Flow 1 at the Customer Group A domain

That’s not the end of the article though! Processes only cover half the purpose of Domain Separation. The other half, which is just as important, is Data!

Before we start, there’s a couple of definitions I want to bring up:

• Visibility rules: applied to users or groups to grant access to other Domains
• Contains rules: applied to domains to grant access to other Domains

Although these are pretty straightforward, let’s see what they look like with the Marvel setup.

Traditionally, each Earth’s heroes and villains would fight within their own Earth domain only. The Avengers movies take place in Earth 616 with Captain America and Spider-Man interacting with each other. However, there have recently been some multiversal shenanigans, leading to characters hopping in and out of each other’s domains.

In the Spider-Man No Way Home movie set on Earth 616, where Tom Holland’s Spider-Man is from, has Andrew Garfield and Tobey Maguire’s Spider-Man cross over from their Earth domains into Earth 616, along with their villains.

This meant everyone from Earth 616, including Captain America and the Scarlet Witch (if they were in the movie) had visibility over Earth 120703 and Earth 96283’s Spider-Men, Dock Ock and Green Goblin (they technically were in Earth 616 temporarily but for the sake of this article let this one pass).

The different Earth domains didn’t merge into a single domain, it was just a visibility and access limitation that was lifted by Earth 616 containing Earth 120703 and 96283.

In an entirely separate movie, Dr. Strange and the Multiverse of Madness, the Scarlet Witch is able to see into another Earth, 838 which contained Mr Fantastic, Captain Britain and Captain Marvel. Unlike the Spider-Man movie we just covered, only Wanda and Dr. Strange (not represented on the graphic) were able to see the other Earth Domain. Spider-Man and Captain America were NOT able to do so.

Applying this to our MSP example from before:

Finally, there’s a couple of domains I haven’t covered yet because they have very specific purposes:

• Default, like the name says is where data will be ‘redirected’ to if it doesn’t fall into an appropriate Domain.
  If a Marvel movie doesn’t specify that it’s in a specific different universe, it tends to fall under Earth 616. However, if they don’t interact with other heroes from 616, they’re also not confirmed to be in that Earth. They would then be placed into the ‘catch all’ default domain, until they have their domain allocated.
  In ServiceNow, if something falls to the default domain, it means something is wrong. Something like your CMDB population or User/Group provisioning is acting up and you should fix it as well as move the data to the correct Domain.
• TOP is a unique and interesting domain that serves as the top-level domain for any other domain in the structure.
  It shouldn’t contain data but depending on your philosophy regarding upgrades, it CAN have process overrides. What I mean by this is, if you have an OOTB Flow running in global that you want to modify to apply to all domains, you can do it in TOP and that will leave the baseline version alone, allowing for easy and seamless upgrades over time... However, that also means you won't be alerted to those same changes with Skipped records on the upgrade. In my opinion, I prefer having it flagged so that a decision on whether to keep the modified versions or not can be made, even if it means a bit more work on upgrades, rather than just ignore it.
  Oh, TOP can also be used for Contains and Visibility rules that apply to the whole structure.

Phew… That was a long one! There’s a lot more to Domain Separation that I could cover, and I’m sure you could find gaps in my Marvel logic above, but this is intended to be a low stakes fun article to introduce a concept, rather than a perfect explanation of the MCU.

Below you’ll find some links to great resources about Dom Sep that can help you actually implement it in a project, so make sure to give those a read (please don’t create MCU domains, Disney is notoriously litigious so best to avoid any copywrite issues!).

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0715934