Domain separation and Health Log Analytics

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and Health Log Analytics

    Domain separation in Health Log Analytics enables ServiceNow customers to logically segment data, processes, and administrative tasks into distinct domains. This feature ensures that users only see and interact with data within their assigned domain, supporting multi-tenant environments such as Managed Service Providers (MSPs) and organizations with multiple tenants.

    Show full answer Show less

    Domain separation applies across all aspects of the Health Log Analytics application, including the user interface, cache keys, reporting, rollups, and aggregations. It is designed to ensure that data is properly isolated and managed according to the domain-specific context.

    Key Features

    • Data Isolation: Users and records are assigned to specific domains, with default assignment to the parent domain unless changed by an administrator.
    • Domain-Specific Alerts and Actions: Alerts generated by Health Log Analytics and remediation actions are visible and applicable only within the user’s domain scope.
    • Multi-Tenant Support: MSPs can provide Health Log Analytics services to multiple customers from a single instance, with access limited to respective tenant domains.
    • Transparent Domain Management: The application automatically manages system settings and operations separately for each domain, while server-wide properties remain common.
    • Plugin Requirement: The Health Log Analytics Domain Separation plugin must be installed and activated before configuring data inputs.
    • Data Input Configuration: Domains are defined during data input configuration, restricting data access and alert generation to that domain.

    Practical Considerations

    • Health Log Analytics supports up to 60 kilobytes of events per second (EPS) across all domains without SLA guarantees or fairness, so heavy data usage in one domain may affect performance in others.
    • MID Server EPS expectation is approximately 10 kilobytes.
    • Administrators must set up the domain structure and assign users, records, and data inputs appropriately to maintain effective data isolation and secure access.

    Use Cases

    • MSPs delivering Health Log Analytics to multiple customers via a single ServiceNow instance.
    • Organizations seeking to isolate sensitive logs (e.g., security data) among tenants.
    • Tenant administrators defining data inputs and managing logs solely for their domain.
    • Operators viewing and acting on alerts exclusively within their domain.
    • MSP administrators overseeing log data across all managed tenant domains.

    Domain separation is supported for Health Log Analytics. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Basic

    • Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
    • The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
    • The owner of the instance must set up the application to function across multiple tenants.

    Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.

    For more information on support levels, see Application support for domain separation.

    Domain separation and Health Log Analytics overview

    Domain separation is present in all aspects of the Health Log Analytics application. Users belonging to a specific domain see only the data existing in their own domain.

    How domain separation works in Health Log Analytics

    When data is domain separated using a single Health Log Analytics server, each Managed Service Provider (MSP) can see the log data only in its own domain or the child domains below it​​. Users can view alerts that Health Log Analytics generates only in their own domain. Actions to remediate the alerts apply only for the scope of that domain. By default, all users and records are set to the parent domain unless the admin assigns them to a specific domain.

    The Health Log Analytics Domain Separation plugin must be installed before you configure your data inputs in the Health Log Analytics application. There is no setup procedure for the plugin. Install the plugin with the Health Log Analytics application Version 21.0.1 - September 2021, and then activate it. Make sure that you map your data into logical silos and configure rules and entities.

    You define the domain-separated environment when you configure your data inputs. Users can use data inputs that are only available in their own domain. Health Log Analytics creates alerts only for logs that arrive in those data inputs. All relevant records and all data processing in the Health Log Analytics program flow reside in the same domain as the data input. A data input's domain name is shown in the Domain column displayed in the tables in your instance.

    Using domain separation in your instance is transparent to Health Log Analytics. The application manages all aspects of the data, such as system settings and custom operations, separately. When a property is changed, the new value affects new sources only in the specific domain. System properties affecting the server are common to all domains because all domains use the Health Log Analytics server.

    Note:
    Health Log Analytics supports up to 60 kilobytes events per second (EPS) across all domains, without the ability to provide a service level agreement (SLA) to a specific domain and without fairness. If a domain streams a large amount of data, the Health Log Analytics server processes it. Other domains might suffer latency, drops, or other issues as a result, even if they stream a low number of logs. On the MID Server side, 10 kilobytes EPS is expected.

    Use cases

    • An MSP wants to provide the Health Log Analytics application to multiple customers in a similar environment with a single instance​​.
    • An organization with many tenants wants to isolate its sensitive data, such as security logs​.
    • An administrator of a tenant organization wants to define a data input only for their own domain.
    • An operator in a tenant organization wants to view logs only in their own domain​.
    • An operator in a tenant organization wants to provide feedback for alerts only in their own domain​.
    • An MSP Admin wants to view log data from all of their organization's tenant domains.