Hermes Messaging Service domain separation

  • Release version: Australia
  • Updated March 12, 2026

    Domain separation is supported for the Hermes Messaging Service. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Basic

    • Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
    • The application supports domain separation at run time. Separation covers the user interface, cache keys, reporting, rollups, and aggregations.
    • The owner of the instance must set up the application to function across multiple tenants.

    Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.

    For more information on support levels, see Application support for domain separation.

    Overview

    On a domain-separated instance, you can use namespaces to configure which domains can access specific topics in the Hermes Kafka cluster. You assign topics to ServiceNow domains using the topic record's namespace.

    How domain separation works with the Hermes Messaging Service

    On a domain-separated instance, a user with the kafka_namespace_admin role can assign namespaces to specific ServiceNow domains. When the Kafka namespace admin assigns a namespace to a particular domain, all the topics created in that namespace will have the same domain. Users can only see and interact with the topics and namespaces they have access to, based on domain visibility and access control lists (ACLs). Topics created with the Default Namespace are created in the global domain.

    Both the Kafka Topics [sys_kafka_topic] table and the Kafka Namespaces [sys_kafka_namespace] table are domain-separated tables. Domain separation rules filter which records are available in each domain. In addition to being domain-separated, these tables can also be protected with ACLs, just like any other table.
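One way to check an instance against the two rules described above (topics inherit their namespace's domain; Default Namespace topics sit in the global domain) is to audit exported records. This is an added example, not ServiceNow code: it assumes records exported from sys_kafka_namespace and sys_kafka_topic as plain objects, and the field names (`name`, `namespace`, `sys_domain`), the `global` and `Default Namespace` literals, and the sample data are illustrative assumptions.

```javascript
// Added example: field names and the "global" / "Default Namespace" literals
// are assumptions about how the exported records are shaped.
const GLOBAL_DOMAIN = "global";
const DEFAULT_NAMESPACE = "Default Namespace";

// Returns one finding per topic that breaks a rule stated on this page.
function auditTopicDomains(namespaces, topics) {
  const nsDomain = new Map(namespaces.map((ns) => [ns.name, ns.sys_domain]));
  const findings = [];
  for (const t of topics) {
    const base = { topic: t.name, namespace: t.namespace, actual: t.sys_domain };
    if (t.namespace === DEFAULT_NAMESPACE) {
      // Rule: Default Namespace topics are created in the global domain.
      if (t.sys_domain !== GLOBAL_DOMAIN) {
        findings.push({ ...base, issue: "default_namespace_topic_not_global", expected: GLOBAL_DOMAIN });
      }
    } else if (!nsDomain.has(t.namespace)) {
      // No namespace record in the export: the topic's domain cannot be verified.
      findings.push({ ...base, issue: "unknown_namespace", expected: null });
    } else if (nsDomain.get(t.namespace) !== t.sys_domain) {
      // Rule: every topic in a namespace has the namespace's domain.
      findings.push({ ...base, issue: "topic_domain_differs_from_namespace", expected: nsDomain.get(t.namespace) });
    }
  }
  return findings;
}

// Constructed sample records (not real instance data).
const sampleNamespaces = [
  { name: "acme_ns", sys_domain: "TOP/Acme" },
  { name: "globex_ns", sys_domain: "TOP/Globex" },
];
const sampleTopics = [
  { name: "acme.orders", namespace: "acme_ns", sys_domain: "TOP/Acme" },
  { name: "globex.alerts", namespace: "globex_ns", sys_domain: "TOP/Acme" },
  { name: "shared.events", namespace: DEFAULT_NAMESPACE, sys_domain: GLOBAL_DOMAIN },
  { name: "legacy.feed", namespace: DEFAULT_NAMESPACE, sys_domain: "TOP/Globex" },
  { name: "orphan.topic", namespace: "retired_ns", sys_domain: "TOP/Acme" },
];

for (const f of auditTopicDomains(sampleNamespaces, sampleTopics)) {
  console.log(`${f.issue}: ${f.topic} (namespace=${f.namespace}, expected=${f.expected}, actual=${f.actual})`);
}
```

Run the export as a user whose domain visibility covers every tenant; otherwise namespaces hidden by domain rules or ACLs show up as `unknown_namespace`.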

    All domain support features require the Domain Support - Domain Extensions Installer (com.glide.domain.msp_extensions.installer) plugin.