Domain separation and Health Log Analytics
Summarize
Summary of Domain separation and Health Log Analytics
Domain separation in Health Log Analytics allows ServiceNow customers to logically segregate data, processes, and administrative tasks into distinct domains. This ensures users only access data within their assigned domain, supporting multi-tenant environments such as Managed Service Providers (MSPs) or organizations with multiple tenants. Domain separation is integrated throughout the Health Log Analytics application, affecting data visibility, alerts, reporting, and system behavior.
Show less
Key Features
- Run-time domain separation: Data and user interface elements are separated by domain at run time, ensuring isolation across tenants.
- Scoped visibility and actions: Users see and interact only with data and alerts within their domain or child domains. Remediation actions are limited to the domain scope.
- Domain-specific data inputs: Data inputs must be configured with domain context, and alerts are generated only on logs within those inputs.
- Transparent management: Health Log Analytics manages domain-specific settings and custom operations independently, while system-level properties apply globally.
- Plugin requirement: The Health Log Analytics Domain Separation plugin (version 21.0.1 or later) must be installed and activated before configuring domain-separated data inputs.
Practical Considerations for Customers
- Setup responsibility: Instance owners must configure domains and map data inputs accordingly to enforce separation.
- Performance limits: The server supports up to 60 kilobytes of events per second (EPS) across all domains without guaranteed SLA or fairness, which may impact latency if one domain streams excessive data.
- Use cases: Ideal for MSPs serving multiple customers from a single instance, organizations isolating sensitive tenant data, or tenant operators managing domain-scoped logs and alerts.
- Domain assignment: By default, users and records belong to the parent domain unless explicitly assigned otherwise.
What to Expect
By implementing domain separation, ServiceNow customers can securely isolate log data and related analytics per tenant or organizational unit. This enhances data privacy and operational control in multi-tenant scenarios while maintaining centralized management on a shared Health Log Analytics server. However, customers should be aware of potential performance implications and plan domain configurations and data input mappings carefully.
Domain separation is supported for Health Log Analytics. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.
Support level: Basic
- Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
- The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
- The owner of the instance must set up the application to function across multiple tenants.
Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.
For more information on support levels, see Application support for domain separation.
Domain separation and Health Log Analytics overview
Domain separation is present in all aspects of the Health Log Analytics application. Users belonging to a specific domain see only the data existing in their own domain.
How domain separation works in Health Log Analytics
When data is domain separated using a single Health Log Analytics server, each Managed Service Provider (MSP) can see the log data only in its own domain or the child domains below it. Users can view alerts that Health Log Analytics generates only in their own domain. Actions to remediate the alerts apply only for the scope of that domain. By default, all users and records are set to the parent domain unless the admin assigns them to a specific domain.
The Health Log Analytics Domain Separation plugin must be installed before you configure your data inputs in the Health Log Analytics application. There is no setup procedure for the plugin. Install the plugin with the Health Log Analytics application Version 21.0.1 - September 2021, and then activate it. Make sure that you map your data into logical silos and configure rules and entities.
You define the domain-separated environment when you configure your data inputs. Users can use data inputs that are only available in their own domain. Health Log Analytics creates alerts only for logs that arrive in those data inputs. All relevant records and all data processing in the Health Log Analytics program flow reside in the same domain as the data input. A data input's domain name is shown in the Domain column displayed in the tables in your instance.
Using domain separation in your instance is transparent to Health Log Analytics. The application manages all aspects of the data, such as system settings and custom operations, separately. When a property is changed, the new value affects new sources only in the specific domain. System properties affecting the server are common to all domains because all domains use the Health Log Analytics server.
Use cases
- An MSP wants to provide the Health Log Analytics application to multiple customers in a similar environment with a single instance.
- An organization with many tenants wants to isolate its sensitive data, such as security logs.
- An administrator of a tenant organization wants to define a data input only for their own domain.
- An operator in a tenant organization wants to view logs only in their own domain.
- An operator in a tenant organization wants to provide feedback for alerts only in their own domain.
- An MSP Admin wants to view log data from all of their organization's tenant domains.