Domain separation and CDM

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Domain separation is supported for CDM. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Important:
    Starting with the Washington D.C. release, DevOps Config is being prepared for future deprecation. It will be hidden and no longer activated on new instances but will continue to be supported.

    Support level: Basic

    • Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
    • The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
    • The owner of the instance must set up the application to function across multiple tenants.

    Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.

    For more information on support levels, see Application support for domain separation.

    Domain separation and CDM overview

    Domain separation for CDM means that only a user in the application's domain or parent domain can access the data. All functionality for CDM works in a domain-separated environment as long as all of the following actions are performed by users within that domain:
    • Create application
    • Create/upload config data
    • Commit changeset
    • Create snapshots
    • Validate snapshots
    • Map policies
    • Export snapshots

    How domain separation works in CDM

    To set up domain separation for CDM:
    1. Create your domain and then create CDM users in that domain.
    2. Only a specified user (CDM admin in that domain) should populate config data in the application's domain.
    3. Only users in the application's domain should upload or create data in the domain.
    Follow these guidelines for successful domain separation:
    • Create a separate user for each domain to perform upload, edit, or export of config data.
    • Only users in the application's domain should upload or create data in the domain.
    • Avoid uploading or creating config data for a given application in multiple domains.
    • Policies and exporters must be either in the application's domain or in the global domain.

    Domain-separated tables in CDM

    CDM tables include a Domain column.
    • sn_cdm_application
    • sn_cdm_changeset
    • sn_cdm_deployable
    • sn_cdm_exporter
    • sn_cdm_exporter_execution
    • sn_cdm_exporter_execution_log
    • sn_cdm_exporter_version
    • sn_cdm_exporter_version_argument
    • sn_cdm_node
    • sn_cdm_node_main
    • sn_cdm_pace_policy_mapping
    • sn_cdm_restricted_groups
    • sn_cdm_snapshot