Visibility domains and Contains domains

  • Release version: Yokohama
  • Updated January 30, 2025

    Visibility domains control what a specific user or group of users can see. "Contains" domains control what an entire domain of users can see.

    Visibility domains

    The "Visibility domains" element determines whether users from one domain can access records from another domain. Associate this element with User [sys_user] and Group [sys_user_group] records in related lists on those records. Groups grant their members the visibility domains of the group. When a user leaves a group, they lose the group's visibility domains. Granting users a visibility domain grants all the rights to the records in that domain based on ACL (access control list) rules.

    A visibility domain:

    • Is a user-to-domain relationship and is explicitly granted.
    • Is not a child domain.
    • Is not controlled by the selection in the domain picker. Users with access to a visibility domain always see data in that domain and its child domains.

    Note: Using visibility domains excessively is not recommended. Although visibility is one method to allow users to access records, it's best to use contains domains for more robust control.

    Contains domains

    Normally parent-child relationships define the domain hierarchy. A contains domain lets you relate domains on an as-needed basis, independent of parent-child relationships. However, contains domains grant visibility only to domain data. Processes remain unaffected by contains relationships.

    A contains domain:

    • Is a many-to-many, domain-to-domain relationship.
    • May have child domains. When a domain is selected, you can see the data from that domain and its children.
    • Is controlled by the selection in the domain picker.

    Note: When you open the domain record, the scope is set to that record's domain, so you can see only child domains. Choose Toggle Domain Scope from the menu to populate the related list.

    Contains domain example

    When a user's home domain is A, and the A domain contains domains B and C, they all become peer domains. That means the user sees data from domains A, B, and C while in their home domain A. If users change domains with the domain picker to Domain B, they see only data in Domain B. When users interact with a record from Domain B or Domain C directly, they see only data for that domain.

    Visibility domain example

    Using domain visibility, if Don Goodliffe is in the Database domain, and Bow Ruggeri is in the Network domain, and no incidents are in the global domain, then Don cannot access Bow's incidents because of data separation.

    Inheriting visibility domains based on group membership

    If you set the domain table to the Group [sys_user_group] table, users can inherit visibility domains based on their group membership.
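
The rules above, expressed as a small model for access reviews (an added example, not ServiceNow code and not part of the original documentation): it computes which domains' data a user sees for a given domain picker selection and records whether each one came from the picker, a contains relationship, or a visibility domain. The `TOP` and `A1` domains, the "DBA Escalation" group, and the treatment of contains relationships as non-transitive are assumptions made for illustration.

```javascript
// Simplified model of the rules on this page; not ServiceNow code.
// Constructed sample data: A/B/C, Database and Network come from the page's
// examples; TOP, A1 and the "DBA Escalation" group are hypothetical.
const parentOf = { A: 'TOP', A1: 'A', B: 'TOP', C: 'TOP', Database: 'TOP', Network: 'TOP' };
const contains = { A: ['B', 'C'] };                 // domain-to-domain, many-to-many
const groupVisibility = { 'DBA Escalation': ['Network'] };
const users = {
  don: { home: 'Database', visibility: [], groups: [] },
  bow: { home: 'Network', visibility: [], groups: [] },
};

// A domain plus all of its descendants in the parent-child hierarchy.
function withChildren(domain) {
  const out = new Set([domain]);
  let grew = true;
  while (grew) {
    grew = false;
    for (const [child, parent] of Object.entries(parentOf)) {
      if (out.has(parent) && !out.has(child)) { out.add(child); grew = true; }
    }
  }
  return out;
}

// Map of visible domain -> reason. `picker` defaults to the user's home domain.
function visibleDomains(user, picker = user.home) {
  const reasons = new Map();
  const grant = (root, why) => {
    for (const d of withChildren(root)) if (!reasons.has(d)) reasons.set(d, why);
  };
  grant(picker, 'picker');
  // Contains relationships follow the picker selection (one hop, assumed non-transitive).
  for (const c of contains[picker] || []) grant(c, 'contains');
  // Visibility domains apply regardless of the picker selection.
  for (const v of user.visibility) grant(v, 'visibility (user)');
  for (const g of user.groups)
    for (const v of groupVisibility[g] || []) grant(v, `visibility (group ${g})`);
  return reasons;
}

// Review helper: domains visible only because of a visibility grant,
// which is access that changing the domain picker does not remove.
function pickerIndependent(user) {
  return [...visibleDomains(user)]
    .filter(([, why]) => why.startsWith('visibility'))
    .map(([d]) => d).sort();
}
```

Running `pickerIndependent` over every user gives a list of cross-domain access that comes from visibility domains, which is the access the note above recommends keeping to a minimum.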