Learn about domain separation

  • Release version: Xanadu
  • Updated August 1, 2024
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Learn about domain separation

    Domain separation in ServiceNow's UI Builder enables the logical partitioning of data, processes, and administrative tasks into distinct domains within a single instance. This multi-tenant architecture allows ServiceNow customers to control user access and visibility to domain-specific data and configurations, ensuring secure and isolated environments for different tenants or business units.

    Show full answer Show less

    UI Builder supports domain separation by allowing developers and dashboard builders to safely create or customize web-based workspace screens and dashboards within domain-separated environments, even when working in the same browser session. This capability parallels application scope, helping administrators maintain stability and governance across multiple domains.

    Standardization is critical for managing numerous domains effectively; most configurations should remain common across the instance to reduce complexity and support seamless upgrades.

    How Domain Separation Works in UI Builder

    • UI Builder comprises interrelated components for creating workspaces, dashboards, and portals, with domain separation applied selectively depending on the component or table.
    • Data separation ensures that records, such as change requests, display only to users with access to the respective domain.
    • Process/UI separation is supported via override mechanisms, allowing sub-domain customizations without affecting the global definition.
    • If a user’s current domain differs from a record’s domain, the record is read-only unless the user switches domains or creates an override, temporarily transacting within that domain.

    Domain Selection and Managing Overrides

    • System administrators or users with the uibuilderadmin role can access a Domain Selection menu in UI Builder to switch between domains before creating or editing variants or dashboards.
    • Access to the Domain Selection menu requires additional roles or configuration via system properties.
    • The menu supports expanding or collapsing domain scopes to display variants and overrides across domain hierarchies.
    • Overrides allow creating domain-specific copies of variants or dashboards, which become independent and unaffected by changes in the original variant.
    • Editing within the same domain scope as the variant or dashboard minimizes accidental overrides.
    • Overrides exclude screen conditions and audiences, which must be recreated in the override domain to tailor user visibility.
    • Overrides cannot be created in Global if sub-domain versions or overrides already exist.
    • Users can view domain hierarchies and existing overrides to understand configurations applied across domains.

    Viewports and Declarative Actions

    • Viewports, which are variants themselves, are domain separated and can be overridden per domain; however, some nested viewports may not copy during overrides.
    • Declarative Actions support domain-specific overrides, requiring users to select the appropriate domain before creation.

    Practical Considerations for ServiceNow Customers

    • Use domain separation to securely manage multi-tenant environments within one ServiceNow instance, controlling access and customization per tenant.
    • Maintain standardization across domains where possible to reduce configuration sprawl and ease platform upgrades.
    • Leverage domain selection and override features in UI Builder to customize user interfaces safely without impacting other domains.
    • Understand the scope of domain separation in UI Builder components and data to ensure correct access and editing permissions.
    • Plan governance carefully to handle domain-specific requirements and avoid conflicts or unintended overrides.

    Domain separation is supported for UI Builder . Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Standard

    • Includes all aspects of Basic level support.
    • Application properties are domain-aware as needed.
    • Business logic: The service provider (SP) creates or modifies processes per customer. The use cases reflect proper use of the application by multiple SP customers in a single instance.
    • The instance owner must configure the minimum viable product (MVP) business logic and data parameters per tenant as expected for the specific application.

    Sample use case: An admin must be able to make comments required when a record closes for one tenant, but not for another.

    For more information on support levels, see Application support for domain separation.

    Overview

    UI Builder is a web user interface builder. UI Builder enables developers to build new pages or customize existing pages for web-based workspace experiences using Next Experience Components and custom web components. In addition, UI Builder supports Domain Separation, which is the ServiceNow® instance-wide multi-tenant architecture.

    Enable developers or dashboard builders in domain-separated environments to safely create UI application screens or dashboards while in the same browser window. Domain Separation in UI Builder works similarly to application scope to help administrators safely create or edit in a multi-tenant environment.

    It’s important to understand a key principle to maintaining a stable, healthy, and scalable ServiceNow® instance, where Domain Separation is installed.The primary principle is standardization. Standardization means a common configuration that most the instance operates by. When an instance has hundreds or thousands of domains, managing them successfully requires rigorous governance. Domain-specific configurations should be used only if they are deemed necessary by the instance owners. Generally, most instances should follow the common instance configuration. Doing so provides a more uniform experience across the instance. It also lets instance owners minimize code sprawl that slows the adoption of new ServiceNow® features included as part of release upgrades.

    How domain separation works in UI Builder

    Domain separation in UI Builder works similarly to application scope to help administrators safely create or edit in a multi-tenant environment.

    UI Builder is compromised of a framework of interlocked components that you use to create web-based workspaces, dashboards, or portals. While the application supports domain separation, it does not mean every component or table is domain separated, which is important for instance owners to understand.

    If the current domain does not match the domain of the variant or dashboard, the record is read-only. If a user has access to the domain, they can choose to switch their domain to the domain of the record. Alternatively, users can edit the record. Editing the record temporarily forces the user session into that record’s domain. They can then make edits without fear of accidentally creating an override.

    The following diagram shows what is (in green) and is not (in blue) domain separated in UI Builder.

    Diagram of what is, and what is not, domain separated in UI Builder.

    Not shown in the diagram are viewports, declarative actions, and screen applicabilities, which are domain supported as process.

    Data and Process/UI separation are important when considering domain separation architecture. UI Builder fully supports data and process/UI separation, and any data (records) displayed in the web-based workspace, dashboard, or portal experiences.

    For example, a change request that belongs to the domain of Acme only shows for users who have access to the domain of Acme in an experience built using UI Builder. Conversely, if an application does not support data separation, its records won't be domain separated by the workspace or portal experience.

    Process/UI separation tables that form the underpinning framework in UI Builder are process separated, and a sys_override column exists on those tables. For example, if a page is created in Global, any changes to the logic created and saved in a sub domain results in an override.

    For items that are not domain separated, any change to the logic globally affects any page or dashboard that references its content. Understanding domain separation is critical when interacting with these elements.

    Domain Selection menu, messaging, and managing overrides

    When designing a workspace, dashboard, or portal experience using the UI Builder (including Dashboard Builder), a system administrator or ui_builder_admin has access to a Domain Selection menu in UI Builder. A system administrator or ui_builder_admin should switch to the proper domain prior to creating, editing, or overriding a variant or dashboard page.

    By default, the ui_builder_admin role does not have access to the Domain Selection menu. The Domain Selection menu must be coupled with a role that grants access, such as ITIL, or it can be added via system property. For more information, see Enable domain selection menus in Core UI.

    In addition, the Domain Selection menu also shows Expand/Collapse Domain Scope, that is displayed while the system administrator or ui_builder_admin is in Global. Select Expand to show any variant or dashboard that has been overridden, or exists as a standalone in a sub domain. Select Collapse to only show variants or dashboards created in Global.

    Lastly, domain hierarchy is available from the Domain Selection menu. For deep-domain hierarchies, the user may have to collapse the branches of the domain hierarchy to physically select the domain. In these environments, perform a search to find the domain.

    UI Builder has governance controls for editing and overriding variants or dashboards, similar to the way application scope is handled. Both application scope and domain scope are handled concurrently in UI Builder.

    For example, if a variant was created in Global, but the current domain of the system administrator is set to Acme, then that variant is read-only. As long as that screen is not in a private scope that prevents editing, the system administrator or ui_builder_admin have two options. They can temporarily transact into the global domain if they have access to Global. Or, they can create an override.

    You can edit the domain separation to make quick changes to the variant or dashboard and its content. When you edit the domain, you temporarily transact into the same domain scope as the variant or dashboard. Going into the same scope prevents accidental overrides when modifying certain settings such as Name, Order, Event Mappings, Page Definition configurations) tied to the variant. While in edit mode, not all settings are available in page management. For full capabilities, switch into the correct domain prior to editing the record.

    Create Override allows a system administrator or ui_builder_admin to create an override of an existing variant or dashboard. Create an override of a variant or dashboard to perform an extensive copy of the page definition content, minus screen conditions and audiences in the user’s currently selected domain. The sys_override column is then updated appropriately.

    Viewports, which are variants in and of themselves, are domain separated, and are typically nested inside page definition content. Some viewports may not copy over. For example, a viewport (displayed as a tab set) that was created as an override in a domain of a Global viewport would not be carried in the page definition content during the override creation process.

    As screen conditions and audiences may be specific to a domain, this content is not carried over during the override creation process. A screen prompts the system administrator or ui_builder_admin to create screen conditions and audiences.

    A user cannot create an override of a variant or dashboard in Global if the item exists in a sub domain, or if an override exists for that variant or dashboard in the same sub domain.

    After the override and the conditions and audiences are set, the content and configurations can be configured as needed. As standard to domain separation, the override is no longer affected by any changes done to the original variant or dashboard. The workspace, dashboard, or portal experience displays these overridden configurations if the user’s current domain session is within the affected domain or sub domains where this override was created. Audiences further determine what a user may or may not see.

    In addition, a user can access the domain hierarchy to view existing overrides from higher domains. For example, Global <- Top <- Acme <- Current domain. If no overrides exist, the default variant or dashboard are displayed. The exception is if the default variant or dashboard is in a child domain or a peer domain.

    Example overrides in domain separation.

    If you select Expand Domain Scope while in Global, all variants and overrides in sub domains are shown as previously mentioned.

    System administrators and ui_builder_admin can see what has been created in the ServiceNow® platform.

    Viewports and domain separation

    Viewports are variants that can be nested in page definition content. They can be created as a common configuration in Global, or can be overridden per sub domain.

    Declarative actions and domain separation

    Declarative Actions can be overridden per domain as well. A system administrator or ui_builder_admin should select the appropriate domain prior to creating a domain specific declarative action override.