Domain separation and Safe Workplace suite

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and Safe Workplace suite

    The Safe Workplace suite in ServiceNow supports domain separation at the Basic level for most applications, except the Safe Workplace Dashboard. Domain separation enables you to partition data, processes, and administrative tasks into distinct logical domains, controlling user visibility and data access per domain. This capability is essential for organizations managing multiple tenants or groups to ensure data security and operational isolation.

    Show full answer Show less

    Domain Separation Support Levels

    • Basic: Data is separated by domain with logic for correct data routing, caching, rollups, and aggregations. Global configuration works across tenants.
    • Standard: Application properties are domain-aware, and business logic can be separated by tenant as configured by the instance owner.
    • Enhanced: Tenants can configure domain-specific business logic through the UI, enabling safer customization without affecting others.

    Safe Workplace Applications and Domain Separation

    Applications using the Safe Workplace domain table include Contact Tracing, Health and Safety Testing, Emergency Outreach, and Emergency Exposure Management. Administrators must install the Domain Separation plugin to work with these tables, many of which include a sysdomain field to enable data partitioning.

    Core Tables and Scheduled Jobs

    • Core Domain Table: snimtcoredomain manages domains used by scheduled jobs.
    • Property Table: snimtcoreproperty extends system properties with domain-awareness, allowing property values to be overridden per domain.
    • Scheduled jobs run separately within each domain, using the core domain table as the source, with the Domain Iterator option enabled by default to allow multi-domain execution.

    Important Considerations

    • Parent-child domain structures are not supported to avoid duplicate processing by scheduled jobs.
    • Some application tables do not have domain separation enabled (sysdomain field missing), indicating no data partitioning for those tables.

    Working with Domain-Separated Properties

    After installing the Domain Separation plugin, domain-separated properties in Safe Workplace applications do not display by default. To manage them:

    • Create new overrides for properties per domain via the Properties page.
    • Use specific prefixes (e.g., snimtcore, snimtdiagnosis) to filter properties relevant to each Safe Workplace application.
    • Property overrides allow tailored configuration per domain while maintaining centralized control.

    Practical Benefits for ServiceNow Customers

    • Enables secure multi-tenant or multi-group data and process segregation within Safe Workplace applications.
    • Supports compliance and privacy requirements by isolating sensitive workplace safety data per domain.
    • Allows domain-specific customization of application properties and business logic without impacting other domains.
    • Facilitates efficient administration with domain-aware scheduled jobs and property management.

    The Safe Workplace suite applications support domain separation at the Basic level with the exception of Safe Workplace Dashboard.

    With domain separation, you can separate data, processes, and administrative tasks into logical groupings called domains. You can then control aspects in each domain, including what users can see or whether they can access the data.

    Domain separation support

    ServiceNow applications that support domain separation might support the separation of data and data routing only, have advanced business logic separation, or support customer-level administration of the application. ServiceNow applications are defined with incremental support levels from the perspective of actual use cases and the people who use them.
    • Basic
      • Data is domain-separated.
      • Logic exists to ensure proper data routing, caching, rollups, and aggregations.
      • Global configuration is operational for multiple tenants
    • Standard
      • Application properties are domain-aware as needed.
      • Business logic can be domain-separated by the instance owner per tenant.
    • Enhanced: Data-driven process enables failsafe configuration by tenants through the UI to drive business logic.

    For more detail on the support levels, see Application support for domain separation.

    How domain separation works in Safe Workplace applications

    The following applications use the Safe Workplace domain table:
    • Contact Tracing
    • Health and Safety Testing
    • Emergency Outreach (Daily Contact Logs, Privacy Consent, and Privacy Consent (common))
    • Emergency Exposure Management

    Admins must install the Domain separation pluginbefore working with these application tables. Most of those tables contain a sys_domain field so they are able to be domain-separated if they have data that needs to be partitioned by domain.

    • Core domain table: Included in the Safe Workplace plugin is an sn_imt_core_domain table. Domains in this table are iterated when scheduled jobs run.
    • Property table: The sn_imt_core_property table extends the sys_properties table and adds a sys_domain field. Adding that field allows sys_properties values to be overridden for a domain.
    Note:
    Values are handled differently for password2​ fields than for other property types. Therefore, the value displays as blank in the domain-separated properties list view.

    The following tables do not have the sys_domain field:

    • app-imt-checkin
      • sn_imt_checkin_outreach_sysauto_script (extends sysauto_script)
      • sn_imt_checkin_response_criteria
      • sn_imt_checkin_response_option_for_health
      • sn_imt_checkin_response_option_survey
      • sn_imt_checkin_response_script
    • app-imt-diagnosis: task_compliance_result
    • app-imt-tracing
      • sn_imt_tracing_wifi_access_register_job
      • sn_imt_tracing_wifi_access_register_stage
    • app-imt-core: sn_imt_core_sysauto_script (extends sysauto_script)

    Scheduled jobs in applications with this level of domain separation run separately for each domain in the table. Scheduled jobs use the core table as the domain source table, and the Domain Iterator check box is automatically enabled by default when domain separation is installed. When the Domain Iterator option is enabled, the job can run in multiple domains.

    The Domain Source Table value is also set to Safe Workplace Domains by default. If you don't see the tables, verify that the Domain Iterator and Safe Workplace Domains settings are selected, and refresh the instance.
    Figure 1. Domain iterator option selected in the Employee Readiness Core Scheduled Script Execution form
    Domain iterator option selected in the Employee Readiness Core Scheduled Script Execution form.

    Parent-child domains

    Domains that also contain a sub-domain or “child” domain are not supported in these applications. Running a job in a parent domain that has a child would mean running the job twice and thus processing the data more than once. You could add a parent domain or add just the child domain but not both.

    Working with domain-separated properties in the Safe Workplace Suite

    When the Domain separation plugin is installed and you navigate to the Properties page in any of the four Safe Workplace domain-separated applications, their properties do not display by default. You must override properties for a domain before they appear in the list.
    Figure 2. Domain-separated properties list with no properties displaying
    Domain-separated properties list with no properties displaying.
    To display the properties, click New on the Properties page. In the form that creates a new domain-separated property, search in the reference field for the property you would like to override. Enter a specific prefix to narrow your search:
    • sn_imt_core for Employee Readiness Core
    • sn_imt_diagnosis for Emergency Exposure Management
    • sn_imt_health_testing for Health and Safety Testing
    • sn_imt_tracing for Contact Tracing
    Figure 3. Entering a prefix in the Property field to narrow the search
    Entering a prefix in the Property field to narrow the search.
    The properties display with a full description of the overrides.
    Figure 4. System Properties list showing the property overrides
    System Properties list showing the property overrides.
    After you create your domain-separated property override, the form displays the domain-separated properties.
    Figure 5. List showing the domain-separated properties
    List showing the domain-separated properties.

    You can navigate back to the record form by selecting a property name in the list.

    Property functions

    Learn more about how these properties function in the following topics: