Domain separation and Cloud Provisioning and Governance

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain Separation and Cloud Provisioning and Governance

    Domain separation in Cloud Provisioning and Governance allows you to logically group data, processes, and administrative tasks into domains. This feature enables control over user access and visibility of data, supporting multiple service providers (SPs) to manage customer data securely. It is essential for ensuring proper data management across various tenants in the cloud environment.

    Show full answer Show less

    Key Features

    • Data Separation: SPs can provide data separation for multiple customers, ensuring relevant customer data and processes are contained within their respective domains.
    • Domain Assignment: Users are assigned to domains linked to specific companies, and all related entities must reside within the same domain.
    • Visibility Control: Users can only view data in their own domain or child domains, maintaining strict data governance.
    • Plugin Requirements: Activation of specific plugins is necessary to enable domain separation and catalog item separation.
    • Customization: Domain and Domain Path fields can be added to list views by domain administrators for better visibility of domain-related data.

    Key Outcomes

    By implementing domain separation, ServiceNow customers can effectively manage their cloud provisioning and governance services, ensuring secure and organized data handling. Customers can expect enhanced data security, improved administrative control, and a clearer structure for managing multiple clients within the same platform.

    Next Steps

    For further guidance on creating, implementing, and maintaining domain separation in your Cloud Provisioning and Governance setup, refer to the detailed documentation on domain separation considerations for service providers.

    Domain separation is supported in Cloud Provisioning and Governance. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Basic

    • Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
    • The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
    • The owner of the instance must set up the application to function across multiple tenants.

    Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.

    For more information on support levels, see Application support for domain separation.

    Cloud Provisioning and Governance domain separation overview

    All tables in Cloud Provisioning and Governance are not domain separated. Delegated domain separation is not supported.

    Domain separation for Cloud Provisioning and Governance supports:

    Service Providers (SPs) using the application to provide data separation.
    In this scenario, SPs can provide data separation to multiple customers, where domains are necessary to contain all relevant customer data and processes. For example, an SP provides support to customers who typically use Cloud Provisioning and Governance to manage their IT infrastructure on the cloud. SPs can provide catalogs, template profiles, resource pools, and filter, resource profiles, quotas, permissions, IP address management (IPAM), lease and business hours scheduling, and a view to billing, as domain-separated offerings to their customers.

    How domain separation works in Cloud Provisioning and Governance

    Domain separation for Cloud Provisioning and Governance aligns one or more companies to a domain. To use domain separation with the application, assign all user accounts to a specific company associated with that domain.

    All entities that are related to the company, such as cloud accounts and service accounts, are created in the same domain as the company. When a new company is created, create a domain with a unique name and assign it to the company. All related entities for an account, such as contacts and cases, must reside in the same domain. When you create a related entity for a domain-separated account, the entity is assigned to the company domain.

    Members of a domain can only view the data that is contained within their domain or child domains that are lower in the domain hierarchy. By default, all users and all records are members of the global domain unless you assign them to a particular domain. Once you assign a user or a record to a domain, the instance compares the user's domain to the record's domain to determine whether the user can view the record.

    Service Providers (SPs) use domain separation to segregate data for each customer. Users in a given domain can only view the data in their own domains or in child domains. SPs typically control the top-level domain, which allows them to view data that is associated with all domains. Don't delegate administration to cloud admin users of the child domains in Cloud Provisioning and Governance.

    Set up domain separation for Cloud Provisioning and Governance

    Ensure that you activate the following plugins:
    Domain Support - Domain Extensions Installer plugin (com.glide.domain.msp_extensions.installer) to enable domain separation in Cloud Provisioning and Governance
    Service Catalog - Domain Separation plugin (glideapp.servicecatalog.domain_separation) to enable separation of catalog items in different domains in Cloud Provisioning and Governance

    Changes to Cloud Provisioning and Governance tables

    Domain separation for Cloud Provisioning and Governance adds the Domain and Domain Path fields to the list views. These fields are not exposed by default. As a domain admin you can customize lists and forms to view these fields. Not all tables in Cloud Provisioning and Governance are domain separated. While some top-level tables are domain separated, several child tables are not domain separated. However, this does not impact how the Cloud Provisioning and Governance application works in a domain-separated context.

    Account domains and related entities

    When you create related entities for an account, the domain for the related entities is set to the account domain.

    Domain visibility for cloud administrators and users

    Manually assign users with the Cloud User Portal (sn_cmp.cloud_service_user) roles and Cloud Admin Portal (sn_cmp.cmp_root_admin) roles for each domain to the TOP/MSP/Default/Company or leaf domain. Domain administrators and users in Cloud Provisioning and Governance can only view data in the domain that they are created in, until they are assigned to the TOP domain. The Top domain represents a single common parent domain, which acts as a single parent node, for the Service Provider domains.

    Next Steps

    For more information on creating, implementing, and maintaining domain separation for Cloud Provisioning and Governance services in the instance you are setting up for your customers, see Domain separation in Cloud Provisioning and Governance - considerations for service providers.