Domain separation and Data Certification

  • Release version: Yokohama
  • Updated January 30, 2025

    Domain separation is supported in Data Certification processing. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Basic

    • Business logic: Ensure data goes into the proper domain for the application’s service provider use cases.
    • In the application, the user interface, cache keys, reporting, rollups, aggregations, and so on all consider the domain at production run time.
    • The owner of the instance needs to be able to set up the application to function normally across multiple tenants.
    Use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the client must be able to see the service provider’s response.

    How domain separation works in Data Certification

    • Data Certification has only basic domain separation. As long as the Certification Instances (CIs) or records that must be certified are correctly domain-separated and the users who must certify the CIs or records are in a domain that can view the data, Data Certification works as expected.
    • Recommendation: The instance owner must be responsible for assigning Certification Tasks and Certification Instances to the correct domain. Changing the domain for these records does not change functionality, but limits the view of the records.

    How to set up domain separation for Data Certification

    After enabling the Domain Separation plugin, there are no additional steps required to set up domain separation for Data Certification.

    • Instance owners determine which of the CIs or records that need to be certified can be domain-separated.
    • Customers can configure a domain-separated environment by assigning tasks to a domain, but if the data is already domain-separated, then only users with the right domain permissions can view the data in a certification task.

    How tenant domains manage their own application data

    It is not necessary to set the domain on the certification tables, but the instance owner can do so if desired. As long as the CIs or records that must be certified are domain-separated, users with the correct domain permissions can view them.

    Domain-separated tables

    • cert_instance – Changing the domain on this table does not change any functionality, nor does it change the domains of the tasks created from the table.
    • cert_task – Changing the domain on this table changes the domain viewing permissions of the task.
    • cert_element – It is not recommended to change the domain on these records. As long as the CIs or records to be certified are already domain-separated, cert_element records will reflect that.
    • cert_filter – Changing the domain on this table changes the domain viewing and filtering of CIs or records.

    Use cases

    Instance owners who have multiple clients that certify the infrastructure they own can assign domains to those CIs and the Certification Tasks to restrict one client from viewing another client's records.