Group Table is not domain separated

Sakshi14
Giga Expert

Hi,

We have enabled domain separation in our instance, and the domain structure is Global > Top > domain1, domain2, domain3. Here, Top is the parent domain and domain1, 2 & 3 are parallel child domains. The problem is, there are quite a few tables which do not have the sys_domain column (essentially are not domain separated). Some of these tables are -

cmn_cost_center
cmn_department
cmn_location
core_company
core_country
sys_user_delegate
sys_user_geo_location
sys_user_grmember
sys_user_group
sys_user_group_type
sys_user_has_license
sys_user_has_role
sys_user_license_exclude
sys_user_license_source
sys_user_pending_license
sys_user_preference
sys_user_presence
sys_user_role
sys_user_role_contains
sys_user_session
sys_user_set
sys_user_token

If you look, this list includes common tables like company, group, delegates. This means that I cannot restrict groups for a specific domain, or one group can have members from multiple domains. Also, if I log in as a user of domain1 (with user_admin role), I can see all the company records in the system, which poses a threat to proper data separation.

I wanted to know if this is by design or could we have somehow manually deleted the 'sys_domain' field? The instance is on Helsinki Patch 9a.

Thanks in advance!

Sakshi

1 ACCEPTED SOLUTION

Thanks for the inputs, Michael. You are right, the setup was incorrect. We took this up with ServiceNow Support and realised that the domain separation plugin had not been set up correctly.

Am pasting the details here in case someone else also runs into something similar in future:

As discussed, there are fewer domain separated tables than we would expect. The plugin that we are currently using is com.glide.domain.msp_extensions.installer, which activates com.glide.domain.msp_extensions and com.glide.domain. However, your instance has only com.glide.domain activated, which had far fewer domain-separated tables than MSP. This is likely to be the issue when the plugin was first enabled a few years ago. Switching to MSP might be problematic; we usually don't recommend that without using Professional Services. I would suggest speaking to your account manager about arranging for Professional Services to address the plugin issue.

The other alternative is to manually create the sys_domain field in the requisite tables and populate domains to ensure that data segregation is achieved.

To manually add the 'sys_domain' field correctly, please refer to the following link:

Add a domain field to a table

Any other way the field is added creates u_sys_domain rather than sys_domain, which doesn't function the same way.

P.S. We are going to rope in some domain experts to rectify the issue. Will keep this post updated with the latest.



2 REPLIES

Michael Fry1
Kilo Patron

Company has a domain field. After you create the domain, you associate a company to that domain to start to build out the data separation.

Groups should also have a domain field, which means the groups belong to one domain or another. However, you can add Domain Visibility in the Related List on Groups to allow the group to be seen in other domains.

Locations are tied to companies. Don't recall if domain sep, but as long as they are associated to a company, should be fine.

'if I log in as a user of domain1 (with user_admin role), I can see all the company records in the system' - something isn't set up correctly!
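An audit along the lines the thread describes, as an added example that is not part of the original posts or ServiceNow's own code: it classifies each table as domain separated (directly or through a parent table), carrying only a custom u_sys_domain column, or not separated. It assumes rows exported from sys_db_object (name, super_class resolved to the parent table's name) and sys_dictionary (name, element); the sample rows and function name are constructed for illustration.

```javascript
// Constructed sample rows, not data from the instance discussed in the thread.
const sampleTables = [
  { name: 'task', super_class: null },
  { name: 'incident', super_class: 'task' },
  { name: 'sys_user_group', super_class: null },
  { name: 'core_company', super_class: null },
];
const sampleColumns = [
  { name: 'task', element: 'sys_domain' },
  { name: 'core_company', element: 'u_sys_domain' }, // field added the wrong way
  { name: 'sys_user_group', element: 'name' },
];

// Hypothetical helper: returns { tableName: classification }.
function auditDomainColumns(tables, columns) {
  const parentOf = new Map(tables.map((t) => [t.name, t.super_class]));
  const own = new Map(); // table -> Set of columns defined on that table
  for (const c of columns) {
    if (!own.has(c.name)) own.set(c.name, new Set());
    own.get(c.name).add(c.element);
  }
  // A column defined on a parent table is inherited by its children, so
  // walk up the chain; the 'seen' set guards against a cyclic export.
  function findColumn(table, element) {
    const seen = new Set();
    for (let t = table; t && !seen.has(t); t = parentOf.get(t)) {
      seen.add(t);
      if (own.has(t) && own.get(t).has(element)) return t;
    }
    return null;
  }
  const report = {};
  for (const { name } of tables) {
    const definedOn = findColumn(name, 'sys_domain');
    if (definedOn) {
      report[name] = definedOn === name
        ? 'separated'
        : `separated (inherited from ${definedOn})`;
    } else if (findColumn(name, 'u_sys_domain')) {
      // Per the thread, u_sys_domain does not behave like sys_domain.
      report[name] = 'custom u_sys_domain only';
    } else {
      report[name] = 'not separated';
    }
  }
  return report;
}
```

Tables reported as 'custom u_sys_domain only' or 'not separated' are the ones to review against the data-separation requirement.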

