Exploring domain separation
Summary of Exploring domain separation
Domain separation in ServiceNow enables customers to logically segregate data, processes, and administrative tasks into distinct domains within a single instance. This approach is ideal for organizations needing strict data segregation between business entities, customized business processes and user interfaces per domain, and some global processes and reporting.
It supports scenarios involving separation of data between service providers, customers, partners, or sub-organizations, especially when there are minor to moderate process variations among customers.
Key Features
- Data Separation: Users only see data within their domain or child domains, ensuring strict data visibility controls based on domain membership.
- UI Separation: Tenant-specific customization of UI elements such as views, lists, and labels to tailor the user experience.
- Business Logic Separation: Ability to create domain-specific system policies like email notifications, business rules, client scripts, UI policies, and UI actions.
- Hierarchical Modeling: Supports nested multi-tenancy where parent domains can access child domain resources, with business logic cascading appropriately and override capabilities at any domain level.
- Cross-Tenant Intelligence (Domain Scope): Automatically manages data, metadata, business logic, and processing contexts for tenants with access to multiple domains.
Domain separation modifies tables by adding a domain field to enable domain assignment. Visibility domains govern what individual users or groups can see, while “Contains” domains control visibility for entire domains.
Comparison to Separate Instances
Domain separation provides multi-tenancy within a single instance, sharing some global properties and processes. For example, global system features like the “Remember me” option on login apply to all domains and cannot be domain-specific.
If complete isolation of system properties and processes is required without the need for global reporting or processes, deploying separate instances is recommended instead of domain separation.
Considerations and Administration
Activating domain separation adds administrative overhead and cannot be removed once enabled, though it can be disabled. Customers should consult their ServiceNow representative to ensure domain separation fits their environment before implementation.
Domain separation supports delegated configuration for service providers to offer specific services to customers but generally does not allow customers to self-administer beyond limited areas.
Additional Information
- Domain paths are used for customer identification instead of domain numbering, with migration assistance available from Customer Service and Support.
- Domain separation introduces new or modified platform components to support multi-tenancy and domain-specific configurations.
- ServiceNow provides recommended practices and related plugins to support domain separation implementation for service providers.
With domain separation you can separate data, processes, and administrative tasks into logically defined domains.
Domain separation is best for those customers who:
- Need to enforce absolute data segregation between business entities (data separation).
- Customize business process definitions and user interfaces for each domain (delegated administration).
- Maintain some global processes and global reporting in a single instance.
- Separate data between service providers, customers, partners, or sub-organizations.
- Have minor or moderate process differences among customers.
Domain separation compared to separate instances
While domain separation provides multi-tenancy support, multi-tenancy is still contained within a single instance. Some global properties, data, and processes are shared across all domains. For example, the Remember me option on the login page is global and cannot be specified per domain.
If you need complete and total separation of all system properties and do not require global reporting or global processes, then separate instances are the best option.
Data separation
Members of a domain see only the data contained within their domain or the child domains that are lower in the domain hierarchy. By default, all users and all records are members of the global domain unless an administrator assigns them to a particular domain. Once you assign a user or a record to a domain, the instance compares the user's domain to the record's domain to determine whether the user can view the record.
ServiceNow applications are defined with the following incremental support levels. These levels are based on the perspective of actual use cases and personas.
- Data Separation: Tenants see only data that they have permissions to see. Tenants can be granted access to other tenants' data, but cannot query another tenant's data if they don't have access.
- UI Separation: Supports a tenant-specific experience for UI elements such as views, lists, labels, and so on.
- Business Logic Separation: You can create tenant-specific system policies such as email notifications, business rules, client scripts, UI policies, and UI actions.
- Hierarchical Modeling: Nested multi-tenancy, so parent tenants can access child tenant resources. Business logic for parent tenants runs automatically for child tenants, and can be overridden at any level.
- Cross-Tenant Intelligence (Domain Scope): Automatically handles the data, metadata, business logic, and processing context for tenants that have access to additional tenant data.
In general, data defined at a higher level in the domain hierarchy is not visible at lower levels in the hierarchy.
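The comparison of a user's domain to a record's domain, modelled as an added example (not ServiceNow platform code): a user reaches a record through their own domain, a child domain, or a granted visibility domain, and records higher in the hierarchy stay hidden. The slash-separated domain paths, user names and record IDs are constructed for illustration, and global-domain handling is not modelled.

```javascript
// Added illustration: a simplified model, not ServiceNow platform code.
// Domains are written as slash-separated paths; this notation is an assumption.

// True when `domain` is `root` itself or sits below it in the hierarchy.
// Matching on the "/" boundary keeps "TOP/ACME" from matching "TOP/ACMECORP".
function isSameOrChild(root, domain) {
  return domain === root || domain.startsWith(root + "/");
}

// Returns how a user reaches a record: "home" (own domain or a child),
// the granted visibility domain that exposes it, or null when hidden.
function accessPath(user, record) {
  if (isSameOrChild(user.domain, record.domain)) return "home";
  const grant = (user.visibility || []).find((v) => isSameOrChild(v, record.domain));
  return grant || null;
}

// Audit helper: every record a user can see only because of a visibility grant.
function grantedExposure(users, records) {
  const findings = [];
  for (const user of users) {
    for (const record of records) {
      const path = accessPath(user, record);
      if (path && path !== "home") {
        findings.push({ user: user.name, record: record.id, via: path });
      }
    }
  }
  return findings;
}

// Constructed sample data (hypothetical users, records and domain names).
const users = [
  { name: "msp.admin", domain: "TOP" },
  { name: "acme.agent", domain: "TOP/ACME" },
  { name: "emea.agent", domain: "TOP/ACME/EMEA" },
  { name: "partner.agent", domain: "TOP/PARTNER", visibility: ["TOP/ACME/EMEA"] },
];
const records = [
  { id: "INC-TOP", domain: "TOP" },
  { id: "INC-ACME", domain: "TOP/ACME" },
  { id: "INC-EMEA", domain: "TOP/ACME/EMEA" },
  { id: "INC-ACMECORP", domain: "TOP/ACMECORP" },
];

for (const u of users) {
  const visible = records.filter((r) => accessPath(u, r)).map((r) => r.id);
  console.log(u.name, "->", visible.join(", ") || "(none)");
}
console.log(grantedExposure(users, records));
```

The audit output lists only access that exists because of a visibility grant, which is the set worth reviewing when checking that tenants cannot see each other's data.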
Domain path migration
Domain paths are used for all customers. Domain numbering is not used. Customer Service and Support can assist in the upgrade.
Alternatives to domain separation
Separate instances are a common alternative to domain separation. They provide a great degree of flexibility in meeting the requirements for customers and stakeholders with little to no impact on others.