Visibility domains and Contains domains
Summary of Visibility domains and Contains domains
This content explains the concepts of Visibility domains and Contains domains within ServiceNow's domain separation framework. These mechanisms control data access and visibility for users and groups across different domains, enabling fine-grained data security and segmentation.
Visibility domains
- Purpose: Control whether specific users or groups can access records from other domains.
- Association: Linked explicitly to User [sys_user] and Group [sys_user_group] records.
- Inheritance: Group members inherit the visibility domains granted to their groups; losing group membership removes that access.
- Scope: A user with a visibility domain sees all data in that domain and its child domains, regardless of the domain picker setting.
- Nature: It is a direct user-to-domain relationship, not derived from domain hierarchy or domain picker selection.
- Best practice: Use visibility domains sparingly; contains domains offer more robust control.
Contains domains
- Purpose: Define relationships between domains on an as-needed basis beyond the standard parent-child hierarchy.
- Relationship: Many-to-many domain-to-domain, allowing flexible domain groupings.
- Visibility: Selecting a domain shows data from that domain and its child domains.
- Control: Governed by the domain picker; users see data based on their selected domain.
- Effect on processes: Contains domains only affect data visibility, not process execution.
- Scope setting: When opening a domain record, initial scope is limited to that domain's children; use 'Toggle Domain Scope' to see the full contains domain list.
Practical examples
- Contains domain example: If a user's home domain is A, which contains domains B and C, they see data from A, B, and C by default. Changing the domain picker to B limits visibility to B only.
- Visibility domain example: Users in separate domains like Database and Network cannot access each other’s records (e.g., incidents) without explicit visibility domain grants, maintaining strict data separation.
- Inheritance: Users inherit visibility domains granted to their groups, simplifying access management.
Why this matters for ServiceNow customers
Understanding and correctly configuring visibility and contains domains allows ServiceNow customers to:
- Enforce strict data access controls across organizational boundaries.
- Provide users with appropriate visibility to domain-specific data.
- Maintain data separation while enabling flexible sharing where necessary.
- Use the domain picker effectively to control user data views based on their current working domain.
Following recommended practices ensures robust security and efficient management of domain-separated data.
Visibility domains control what a specific user or group of users can see. "Contains" domains control what an entire domain of users can see.
Visibility domains
The "Visibility domains" element determines whether users from one domain can access records from another domain. Associate this element with User [sys_user] and Group [sys_user_group] records in related lists on those records. Groups grant their members the visibility domains of the group. When a user leaves a group, they lose the group's visibility domains. Granting users a visibility domain grants all the rights to the records in that domain based on ACL (access control list) rules.
A visibility domain:
- Is a user-to-domain relationship and is explicitly granted.
- Is not a child domain.
- Is not controlled by the selection in the domain picker. Users with access to a visibility domain always see data in that domain and its child domains.
Contains domains
Normally parent-child relationships define the domain hierarchy. A contains domain lets you relate domains on an as-needed basis, independent of parent-child relationships. However, contains domains grant visibility only to domain data. Processes remain unaffected by contains relationships.
A contains domain:
- Is a many-to-many, domain-to-domain relationship.
- May have child domains. When a domain is selected, you can see the data from that domain and its children.
- Is controlled by the selection in the domain picker.
Contains domain example
When a user's home domain is A, and the A domain contains domains B and C, they all become peer domains. That means the user sees data from domains A, B, and C while in their home domain A. If users change domains with the domain picker to Domain B, they see only data in Domain B. When users interact with a record from Domain B or Domain C directly, they see only data for that domain.
Visibility domain example
Using domain visibility, if Don Goodliffe is in the Database domain, and Bow Ruggeri is in the Network domain, and no incidents are in the global domain, then Don cannot access Bow's incidents because of data separation.
Inheriting visibility domains based on group membership
If you set the domain table to the Group [sys_user_group] table, users can inherit visibility domains based on their group membership.
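The rules above can be modelled to audit who sees which domain. This is an added example, not ServiceNow code: a plain JavaScript model that calls no platform API and ignores ACLs and the global domain. The user `ann`, the group `Network Ops` and the child domain `Network/EMEA` are hypothetical, and the model assumes contains relationships are not transitive.

```javascript
// Constructed sample data. Don and Bow come from the page; the rest is hypothetical.
const model = {
  parentOf: { 'Network/EMEA': 'Network' },          // child -> parent
  contains: { A: ['B', 'C'] },                      // domain -> contained domains
  groups: { 'Network Ops': { visibility: ['Network'], members: ['don'] } },
  users: {
    don: { home: 'Database', visibility: [] },
    bow: { home: 'Network', visibility: [] },
    ann: { home: 'A', visibility: [] },
  },
};

// A domain plus every descendant in the parent-child hierarchy.
function withChildren(m, domain) {
  const out = new Set([domain]);
  let grew = true;
  while (grew) {
    grew = false;
    for (const [child, parent] of Object.entries(m.parentOf)) {
      if (out.has(parent) && !out.has(child)) { out.add(child); grew = true; }
    }
  }
  return out;
}

// Visibility domains granted directly or inherited through group membership.
function visibilityGrants(m, userId) {
  const grants = new Set(m.users[userId].visibility);
  for (const g of Object.values(m.groups)) {
    if (g.members.includes(userId)) g.visibility.forEach(d => grants.add(d));
  }
  return grants;
}

// Domains whose data the user sees with `picker` selected (defaults to home).
function visibleDomains(m, userId, picker = m.users[userId].home) {
  const seen = new Set();
  const add = d => withChildren(m, d).forEach(x => seen.add(x));
  add(picker);                                   // follows the domain picker
  (m.contains[picker] || []).forEach(add);       // follows the domain picker
  visibilityGrants(m, userId).forEach(add);      // ignores the domain picker
  return seen;
}

// Audit: users who see `domain` whatever the picker is set to.
function standingAccess(m, domain) {
  return Object.keys(m.users).filter(u =>
    [...visibilityGrants(m, u)].some(g => withChildren(m, g).has(domain)));
}
```

Running `standingAccess` over each sensitive domain lists the grants that no domain picker selection can narrow, which is the access to review first.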