Hermes Messaging Service domain separation

  • Release version: Washingtondc
  • Updated February 1, 2024

    Domain separation is supported for the Hermes Messaging Service. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Basic

    • Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
    • The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
    • The owner of the instance must set up the application to function across multiple tenants.

    Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.

    For more information on support levels, see Application support for domain separation.

    Overview

    On a domain-separated instance, you can use namespaces to configure which domains can access specific topics in the Hermes Kafka cluster. You assign topics to ServiceNow domains using the topic record's namespace.

    How domain separation works with the Hermes Messaging Service

    On a domain-separated instance, a user with the kafka_namespace_admin role can assign namespaces to specific ServiceNow domains. When the Kafka namespace admin assigns a namespace to a particular domain, all the topics created in that namespace will have the same domain. Users can only see and interact with the topics and namespaces they have access to, based on domain visibility and access control lists (ACLs). Topics created with the Default Namespace are created in the global domain.

    Both the Kafka Topics [sys_kafka_topic] table and the Kafka Namespaces [sys_kafka_namespace] table are domain-separated tables. Domain separation rules filter which records are available in each domain. In addition to being domain-separated, these tables can also be protected with ACLs, just like any other table.
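One way to review the inheritance rule described above is to compare each topic's domain with the domain of its namespace, over an export of the two tables. This is an added example, not ServiceNow code: the records are constructed, and the field names `name`, `namespace`, and `sys_domain`, the domain values, and the `auditTopicDomains` helper are assumptions.

```javascript
// Added example (not ServiceNow code). Records are constructed; the field names
// name, namespace and sys_domain are assumptions about an export of the tables.
const GLOBAL = "global"; // assumed value marking the global domain

const SAMPLE_NAMESPACES = [
  { name: "Default Namespace", sys_domain: GLOBAL },
  { name: "acme_ns", sys_domain: "TOP/ACME" },
  { name: "initech_ns", sys_domain: "TOP/Initech" },
];

const SAMPLE_TOPICS = [
  { name: "acme.orders", namespace: "acme_ns", sys_domain: "TOP/ACME" },
  { name: "initech.alerts", namespace: "initech_ns", sys_domain: "TOP/ACME" },
  { name: "shared.events", namespace: "Default Namespace", sys_domain: GLOBAL },
  { name: "orphan.topic", namespace: "retired_ns", sys_domain: "TOP/Initech" },
];

// Returns one finding per topic that breaks the "topic has the same domain
// as its namespace" rule, or that sits in the global domain.
function auditTopicDomains(namespaces, topics) {
  const nsDomain = new Map(namespaces.map((ns) => [ns.name, ns.sys_domain]));
  const findings = [];
  for (const t of topics) {
    if (!nsDomain.has(t.namespace)) {
      // Topic points at a namespace that is missing from the export.
      findings.push({ topic: t.name, issue: "unknown_namespace" });
      continue;
    }
    const expected = nsDomain.get(t.namespace);
    if (t.sys_domain !== expected) {
      // Topic's domain differs from the domain assigned to its namespace.
      findings.push({ topic: t.name, issue: "domain_mismatch", expected, actual: t.sys_domain });
    } else if (t.sys_domain === GLOBAL) {
      // Consistent, but in the global domain rather than a tenant domain.
      findings.push({ topic: t.name, issue: "global_domain", namespace: t.namespace });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditTopicDomains(SAMPLE_NAMESPACES, SAMPLE_TOPICS), null, 2));
```

A `global_domain` finding is not an error by itself; it lists topics created with the Default Namespace so the instance owner can confirm that placement is intended.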

    All domain support features require the Domain Support - Domain Extensions Installer (com.glide.domain.msp_extensions.installer) plugin.