Context and domain separation

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Context and domain separation

    In ServiceNow, the context of a user session governs the processes, data visibility, and user interface elements as users navigate through various components such as list views, home pages, reports, and knowledge articles. This session context is shaped by user profiles, groups, company criteria, and domain configurations established through workflows, business rules, and other system settings.

    Show full answer Show less

    Domain separation enables organizations to segregate data and processes across different business units or customers by assigning users and records to specific domains, thereby controlling access and ensuring data security.

    Key Features

    • User Session Context: Determined primarily by the user's home domain (typically aligned with their company domain) and includes any child domains. This context influences all queries and data interactions within the session, restricting visibility to the user's domain set plus global data.
    • Domain Picker: Automatically set to the user's home domain at login, allowing users to select from domains within their session context to further refine accessible data.
    • Record Context: Activated when users access individual records, where the record's domain governs applicable UI elements and processes. Record context remains consistent even if the user's domain changes during the session.
    • Service Accounts and Integrations: Service accounts also operate within user session contexts, ensuring that integrations respect domain constraints similar to interactive users.
    • Automatic Query Filtering: Domain constraints are automatically appended to database queries, embedded within compiled code, ensuring that data retrieved aligns with the user's session and record contexts.

    Practical Implications for ServiceNow Customers

    • Setting the correct home domain on user records is critical to enforce appropriate data access and branding consistent with the user’s organizational unit.
    • Using the domain picker, users can navigate within their authorized domain hierarchy, enabling flexible yet secure data access.
    • Record context ensures that UI and processes remain domain-appropriate even when users switch domains or open multiple records simultaneously.
    • Understanding domain separation principles helps administrators design and maintain effective data segregation strategies, essential for multi-tenant environments or complex organizational structures.
    • Service accounts and integrations inherit domain constraints, maintaining security and data integrity across automated processes.

    The context of a user's session determines the processes, data, and user interface (UI) as the user browses through list views, home pages, reports, and knowledge articles. The context is determined by the processes that you create, the business rules that you set, your workflows, and other factors.

    User session context

    Many factors determine the context of a user session, such as user profiles, groups, company criteria, and so on. In the following diagram, you see that the incidents that a company has created are part of the context.

    User session context

    The user in this example has a home domain of Cloud Dimensions.

    1. The branding reflects the settings in the Cloud Dimensions domain and company record.
    2. The application navigator shows the items that are inherited from higher-level domains as well as the modules that are defined in the Cloud Dimensions domain.
    3. The home pages and list data reflect the data that is visible to the user. This data is based on the user’s session context. In this case, the user in the Cloud Dimensions domain can see the data in Cloud Dimensions, child domains, and the global domain.

    User session context starts in the home domain

    In the following diagram, you can see the elements of the context.

    User session context home domain

    The system administrator sets users' home domains on their user records. Typically, a user’s home domain is set to the same domain as their company’s domain. When the user logs in, the domain picker sets automatically to the user’s home domain. Users can return to their home domain at any time by clicking the arrow icon on the domain picker.

    The domain picker's list includes domains within the user’s session context. Users may further limit their session context by selecting child domains with the picker.

    The context of the user session includes the user's home domain and any child domains. This set of domains in the user’s session context is appended automatically to every query that is sent to the database. That way, the results are limited to just the data in these domains and global data. This process is embedded in the compiled code that is not accessible.

    Service accounts that are used for integrations also have user session context. There is user context and records context, each with its own data in its own domain. These contexts affect the integrations. Database queries (records) are limited in the same way as interactive users (users), meaning that they work as normal but are limited by whatever constraints the developer has configured.

    You can learn about additional ways to add domains to a user’s session context in Service provider reference architecture.

    Record context

    As a user drills into individual records, record context is activated. The record context determines the UI elements and processes to apply to the record.

    A record’s domain dictates the process, data, and the availability of UI elements within the record.
    Note:
    • Record context persists even if the user's domain changes.
    • Users can view records concurrently in multiple browser tabs, while maintaining their own record context.

    Record context