Domain separation and Configuration Compliance

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and Configuration Compliance

    Domain separation in Configuration Compliance allows ServiceNow customers to logically segregate data, processes, and administrative tasks into distinct domains. This separation ensures that sensitive data and workflows are isolated per tenant, enhancing security and operational efficiency in multi-tenant environments. Domain separation supports controlling user access to data within each domain, enabling service providers to manage multiple customers within a single instance securely.

    Show full answer Show less

    Key Features

    • Domain-aware data ingestion: Test results from third-party scanners like Qualys are ingested into the domain corresponding to the integration user, maintaining strict data segregation.
    • Domain-specific rescanning and CMDB integration: Hosts can be rescanned and matched against CMDB configuration items within the same domain.
    • Risk scoring and remediation: Risk scores and remediation task rules are calculated and applied within the domain, ensuring domain-specific prioritization and task assignment.
    • Deferral workflows and notifications: Approval processes and email notifications remain contained within the originating domain.
    • Reports and dashboards: These display domain-specific compliance data such as test results, risk scores, and remediation status.
    • Multi-tenant support: Knowledge from third-party scanners can be ingested in a global domain and shared as needed, while maintaining domain boundaries elsewhere.

    Key Outcomes

    • Customers gain isolated, secure workspaces for compliance workflows, dashboards, and reports, preventing cross-domain data exposure.
    • Service providers can manage multiple tenants efficiently within a single instance while enforcing strict data access controls.
    • Compliance analysts can independently configure integrations, workflows, remediation rules, and risk scoring within their domains, tailoring processes to tenant-specific needs.
    • The end-to-end life cycle of test results—from ingestion through remediation and deferral—is fully domain-aware, supporting accurate compliance management per customer.
    • Setup of domain separation requires no additional steps; tables automatically include domain columns once domain separation is enabled on the instance.

    Domain separation is supported in Configuration Compliance. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 Terminology v14.9 onwards
    Test Result Group Remediation Task
    Group Rules Remediation Task Rules
    Policy Test group

    Support level: Standard

    • Includes all aspects of Basic level support.
    • Application properties are domain-aware as needed.
    • Business logic: The service provider (SP) creates or modifies processes per customer. The use cases reflect proper use of the application by multiple SP customers in a single instance.
    • The instance owner must configure the minimum viable product (MVP) business logic and data parameters per tenant as expected for the specific application.

    Sample use case: An admin must be able to make comments required when a record closes for one tenant, but not for another.

    For more information on support levels, see Application support for domain separation.

    How domain separation works in Configuration Compliance

    With domain separation you can standardize (Configuration Compliance) procedures, across the customer base you serve, with lowered operational costs and a higher quality of service.

    Separate customer work spaces for workflows, dashboards, reports, and so on, ensures that customer data is separated and never exposed to other clients.

    Table 2. Domain separation support in Configuration Compliance by version releases
    Release Support level Notes
    Orlando Standard
    Paris Standard
    Quebec Standard
    Rome Standard
    San Diego Standard
    Tokyo Standard
    Utah Standard
    Vancouver Standard

    Domain separation for the Configuration Compliance application covers the following product functionality:

    • Ingests the test results from third-party scanners (Qualys) in the correct domain.

      The data ingests in the same domain as that of the integration user, whose credentials are used for integration.

    • Re-scans specific hosts from Configuration Compliance in the domain from which it was requested.
    • Uses the CMDB CI lookup process to ensure that the CI information from the scanners matches the CIs in CMDB of the integration user’s domain.
    • Calculates risk scores at the test result level as per the risk score calculator defined in the same domain as that of the integration user.
    • Remediation Task rule(s) can be defined, assigned, and stay in, the same domain as the domain of the integration user.
    • Remediation tasks created using the doc remediation task rules stay in the same domain as where the remediation task rules are created.
    • Deferral workflow goes through the approval process in the same domain for which the deferral is requested.
    • Reports and dashboards display the test result states such as age of test results, open test results by CI, test results by impact in the domain to which it belongs.
    • Knowledge from third-party scanners (Qualys) can be ingested in the global domain and data can be shared across multiple clients.
    Note:
    In all the above cases the overarching principles of visibility in separated domains separation in the ServiceNow AI Platform apply.

    Use cases

    The Configuration Compliance application manages the life cycle of a test result end to end. The following use cases are domain-separation aware:

    • Ingest test results from Qualys
      • Ingest data from multiple instances
      • De-duplicate the test results
      • Match up with CMDB CI
    • Enrichment of test results with risk scores
      • Asset enrichment (CMDB)
      • Risk score
    • Group test results and assign the remediation task
      • Automatically group the test results
      • Automatically assign the remediation task
    • Remediate
      • Remediation task assigned as a remediation task
      • Comprehensive remediation life cycle
      • Deferral workflow
    • Measure the security posture of the organization and compliance management program
      • Results trend, by compliance, category, criticality and technology
      • Status and distribution on policies, tests, hosts, test results, and risk score

    Setup

    Setting up domain separation for Configuration Compliance does not require any additional steps. All Configuration Compliance tables acquire the Domain column after the instance is domain separated. You can direct test result integration import data to specific domains. For more information, see Create domain-separated imports for an integration. For more information on additional precautions and settings, see Additional settings for domain separation.

    Domain-separated data

    Data can be domain separated, which means:
    • Test results ingested from third-party scanners stays in the same domain as the domain of the integration user, and is not accessible from any other domain.
    • Test results or hosts in one domain cannot be viewed from other domains.
    • The risk scoring algorithm and the remediation task rules cannot be viewed by anyone outside the domain.
    • Deferral workflows created in one domain are not visible in another domain.
    • All email notifications are contained within the domain they belong to.

    How compliance analysts manage their own application data

    • Analysts create their own application installation, multi-source application management, and CI lookup rules.
    • Analysts can configure specific integrations exclusively for use within the domain.
    • Analysts can create their own deferral and change management workflows.
    • Analysts can create their own remediation task rules, risk-scoring logic to accurately prioritize results, auto-assign remediation tasks and assign to the correct assignment group.
    • Domain users create a manual remediation task and then close it.

    Business logic and processes that can be domain-separated by instance owner

    • Configuration Compliance users and groups
    • Configuration Compliance integrations (starting with the Madrid release)
    • Complete setup configuration (user and group management, application installation, multi-source application management, CI lookup rules, remediation task rules, risk calculators, etc.)
    • Complete remediation life cycle including deferral