Domain separation and Cloud Provisioning and Governance
Summary of Domain separation and Cloud Provisioning and Governance
Domain separation in Cloud Provisioning and Governance enables ServiceNow customers, especially service providers (SPs), to logically segregate data, processes, and administrative tasks into distinct domains. This separation ensures that users can only access data within their assigned domain or its child domains, enhancing data security and multi-tenant management. The feature supports proper data isolation for customers managed by SPs, allowing them to provide tailored cloud infrastructure management and service offerings.
Key Features
- Data and Process Segregation: Domains logically group users, cloud accounts, service accounts, and related entities, ensuring that all associated data remains within the domain.
- Access Control: User access is restricted by domain membership, with users only able to view data in their domain or subordinate domains.
- Service Provider Use Cases: SPs can manage multiple customers through domain-separated catalogs, templates, resource pools, quotas, permissions, IP address management, scheduling, and billing views.
- Domain Assignment: Companies and their user accounts are aligned to specific domains, and related entities inherit the domain of their parent account, maintaining consistent data separation.
- Global and Top Domains: By default, records and users belong to the global domain, but assignment to specific domains controls visibility. SPs typically control the top-level domain to oversee all customer domains.
- Plugin Activation Requirements: To enable domain separation, customers must activate the Domain Support - Domain Extensions Installer plugin and the Service Catalog - Domain Separation plugin.
- Table Modifications: Domain and Domain Path fields are added to relevant list views for domain visibility, though not all tables are domain separated; this does not affect overall functionality.
- Role Assignments: Users with Cloud User Portal and Cloud Admin Portal roles must be manually assigned to appropriate domains to enforce domain-based access.
Practical Considerations for ServiceNow Customers
- Domain separation must be configured by the instance owner to enable multi-tenant operation and data isolation for SPs and their customers.
- SPs should avoid delegating administration to cloud admin users in child domains to maintain control and security.
- Proper domain assignment for companies, users, and related entities is critical to ensure consistent data segregation and access control.
- Activation of required plugins is essential to enable domain separation features across Cloud Provisioning and Governance components, including service catalogs.
- Domain separation supports operational scenarios where SPs manage multiple customers’ cloud resources while providing secure, isolated service experiences.
Next Steps
To implement and maintain domain separation effectively, customers should consult detailed guidance on domain separation considerations for service providers. This will aid in setting up domains, assigning users, and managing domain-specific data and processes within Cloud Provisioning and Governance.
Domain separation is supported in Cloud Provisioning and Governance. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.
Support level: Basic
- Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
- The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
- The owner of the instance must set up the application to function across multiple tenants.
Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.
For more information on support levels, see Application support for domain separation.
Cloud Provisioning and Governance domain separation overview
Not all tables in Cloud Provisioning and Governance are domain separated. Delegated domain separation is not supported.
Domain separation for Cloud Provisioning and Governance supports:
- Service Providers (SPs) using the application to provide data separation.
- In this scenario, SPs can provide data separation to multiple customers, where domains are necessary to contain all relevant customer data and processes. For example, an SP provides support to customers who typically use Cloud Provisioning and Governance to manage their IT infrastructure on the cloud. SPs can provide catalogs, template profiles, resource pools and filters, resource profiles, quotas, permissions, IP address management (IPAM), lease and business hours scheduling, and a billing view as domain-separated offerings to their customers.
How domain separation works in Cloud Provisioning and Governance
Domain separation for Cloud Provisioning and Governance aligns one or more companies to a domain. To use domain separation with the application, assign all user accounts to a specific company associated with that domain.
All entities that are related to the company, such as cloud accounts and service accounts, are created in the same domain as the company. When a new company is created, create a domain with a unique name and assign it to the company. All related entities for an account, such as contacts and cases, must reside in the same domain. When you create a related entity for a domain-separated account, the entity is assigned to the company domain.
Members of a domain can only view the data that is contained within their domain or child domains that are lower in the domain hierarchy. By default, all users and all records are members of the global domain unless you assign them to a particular domain. Once you assign a user or a record to a domain, the instance compares the user's domain to the record's domain to determine whether the user can view the record.
Service Providers (SPs) use domain separation to segregate data for each customer. Users in a given domain can only view the data in their own domains or in child domains. SPs typically control the top-level domain, which allows them to view data that is associated with all domains. Don't delegate administration to cloud admin users of the child domains in Cloud Provisioning and Governance.
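The visibility rule just described (a user sees records in their own domain or its child domains, with the SP sitting at the TOP domain) and the inheritance rule for related entities (cloud accounts, contacts and cases take the domain of their company) can be checked against a small model. The block below is an added, constructed example written for this page; it is not ServiceNow code and does not use the Glide API. Domain names (TOP, MSP, AcmeCo, BetaInc, AcmeCo-Dev), user names and record names are invented. One rule it adds beyond this page, marked as an assumption in the code, is that records left in the global domain are visible from every domain, which is ServiceNow's documented behaviour for global data.

```javascript
// Illustrative model of domain-based visibility (constructed example; not the Glide API).
// A domain tree: every domain except the root has exactly one parent.
class DomainTree {
  constructor() {
    this.parents = new Map(); // domain name -> parent name (null for the root)
  }
  add(name, parent = null) {
    if (parent !== null && !this.parents.has(parent)) {
      throw new Error(`parent domain not defined: ${parent}`);
    }
    this.parents.set(name, parent);
    return this;
  }
  // Root-to-leaf path, e.g. ['global', 'TOP', 'MSP', 'AcmeCo'].
  path(name) {
    if (!this.parents.has(name)) throw new Error(`unknown domain: ${name}`);
    const out = [];
    for (let d = name; d !== null; d = this.parents.get(d)) out.unshift(d);
    return out;
  }
  // True when `candidate` is `ancestor` itself or sits below it in the hierarchy.
  isSameOrChild(ancestor, candidate) {
    return this.path(candidate).includes(ancestor);
  }
}

// Visibility rule from the text: a user sees a record only when the record's domain
// is the user's own domain or one of its child domains.
// Assumption (documented ServiceNow behaviour, not stated on this page): records that
// remain in the global domain are visible from every domain.
function canView(tree, userDomain, recordDomain) {
  if (recordDomain === 'global') return true;
  return tree.isSameOrChild(userDomain, recordDomain);
}

// Related entities (cloud accounts, service accounts, contacts, cases) take the
// domain of the company they belong to, so they never leave the customer's domain.
function createRelatedEntity(company, attrs) {
  return { ...attrs, company: company.name, sys_domain: company.sys_domain };
}

// Names of the records a given user can see, in their original order.
function visibleRecords(tree, user, records) {
  return records
    .filter((r) => canView(tree, user.sys_domain, r.sys_domain))
    .map((r) => r.name);
}

// Constructed sample: an SP controlling TOP, two customer companies, one sub-domain.
function buildSample() {
  const tree = new DomainTree()
    .add('global')
    .add('TOP', 'global')
    .add('MSP', 'TOP')
    .add('AcmeCo', 'MSP')
    .add('AcmeCo-Dev', 'AcmeCo')
    .add('BetaInc', 'MSP');

  const acme = { name: 'AcmeCo', sys_domain: 'AcmeCo' };
  const beta = { name: 'BetaInc', sys_domain: 'BetaInc' };

  // Users carry the Cloud Admin Portal / Cloud User Portal roles named on the page;
  // the domain they are assigned to, not the role, decides what they can see.
  const users = {
    sp_admin: { roles: ['sn_cmp.cmp_root_admin'], sys_domain: 'TOP' },
    acme_admin: { roles: ['sn_cmp.cmp_root_admin'], sys_domain: 'AcmeCo' },
    acme_dev: { roles: ['sn_cmp.cloud_service_user'], sys_domain: 'AcmeCo-Dev' },
    beta_user: { roles: ['sn_cmp.cloud_service_user'], sys_domain: 'BetaInc' },
  };

  const records = [
    createRelatedEntity(acme, { name: 'acme-aws-prod', type: 'cloud_account' }),
    createRelatedEntity(beta, { name: 'beta-azure-sub', type: 'cloud_account' }),
    { name: 'acme-dev-sandbox', type: 'cloud_account', sys_domain: 'AcmeCo-Dev' },
    { name: 'shared-catalog-item', type: 'catalog_item', sys_domain: 'global' },
  ];
  return { tree, users, records };
}

// Stand-alone run: print what each sample user can see.
if (typeof require !== 'undefined' && require.main === module) {
  const { tree, users, records } = buildSample();
  for (const [name, user] of Object.entries(users)) {
    console.log(name, '->', visibleRecords(tree, user, records).join(', '));
  }
}
```

Running it shows the SP admin in TOP seeing every customer's records, the AcmeCo admin seeing AcmeCo and AcmeCo-Dev records but nothing from BetaInc, and the AcmeCo-Dev user seeing only the sub-domain's records, which is the outcome the text describes when companies and their users are aligned to domains correctly.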
Set up domain separation for Cloud Provisioning and Governance
- Ensure that you activate the following plugins:
- Domain Support - Domain Extensions Installer plugin (com.glide.domain.msp_extensions.installer) to enable domain separation in Cloud Provisioning and Governance
- Service Catalog - Domain Separation plugin to enable domain separation for the service catalogs that Cloud Provisioning and Governance offers
Changes to Cloud Provisioning and Governance tables
Domain separation for Cloud Provisioning and Governance adds the Domain and Domain Path fields to the list views. These fields are not exposed by default. As a domain admin you can customize lists and forms to view these fields. Not all tables in Cloud Provisioning and Governance are domain separated. While some top-level tables are domain separated, several child tables are not domain separated. However, this does not impact how the Cloud Provisioning and Governance application works in a domain-separated context.
Account domains and related entities
When you create related entities for an account, the domain for the related entities is set to the account domain.
Domain visibility for cloud administrators and users
Manually assign users with the Cloud User Portal (sn_cmp.cloud_service_user) and Cloud Admin Portal (sn_cmp.cmp_root_admin) roles for each domain to the TOP/MSP/Default/Company or leaf domain. Domain administrators and users in Cloud Provisioning and Governance can only view data in the domain that they are created in, until they are assigned to the TOP domain. The TOP domain is the single common parent domain of the service provider domains.
Next Steps
For more information on creating, implementing, and maintaining domain separation for Cloud Provisioning and Governance services in the instance you are setting up for your customers, see Domain separation in Cloud Provisioning and Governance - considerations for service providers.