Visibility domains and Contains domains
Summary of Visibility domains and Contains domains
This content explains the differences between Visibility domains and Contains domains within ServiceNow’s domain separation framework. These mechanisms control user access to data across different domains, ensuring proper data segregation and visibility according to organizational needs.
Visibility domains
- Visibility domains define whether specific users or groups can access records from other domains.
- They are explicitly granted user-to-domain relationships and are associated with User and Group records.
- Groups grant their members the visibility domains assigned to the group, and members lose access when removed from the group.
- Visibility domains grant all access rights to records in that domain as governed by ACL rules.
- They are not child domains and do not depend on the domain picker selection.
- Users with access to a visibility domain also see data in that domain’s child domains.
- Excessive use of visibility domains is discouraged; contains domains are recommended for more robust control.
Contains domains
- Contains domains create many-to-many relationships between domains, independent of parent-child hierarchy.
- They grant visibility only to domain data, without affecting processes.
- Users can see data from a selected domain and its child domains when that domain is selected in the domain picker.
- The domain picker controls the scope of data visibility for contains domains.
- When working within a domain record, only child domains are shown unless "Toggle Domain Scope" is used to reveal related domains.
Practical examples
- Contains domain example: If a user’s home domain (A) contains domains B and C, the user can view data in A, B, and C while in domain A. Changing the domain picker to B restricts visibility to domain B data only.
- Visibility domain example: If two users belong to different visibility domains (e.g., Database and Network), they cannot see each other’s incidents, maintaining data separation.
Additional notes
- Users inherit visibility domains from groups if visibility domains are assigned to groups.
- Visibility domains provide direct user-to-domain access control, while contains domains manage broader domain relationships and visibility.
- Choosing between visibility and contains domains affects how data visibility and control are structured across your ServiceNow instance.
Visibility domains control what a specific user or group of users can see. "Contains" domains control what an entire domain of users can see.
Visibility domains
The "Visibility domains" element determines whether users from one domain can access records from another domain. Associate this element with User [sys_user] and Group [sys_user_group] records in related lists on those records. Groups grant their members the visibility domains of the group. When a user leaves a group, they lose the group's visibility domains. Granting users a visibility domain grants all the rights to the records in that domain based on ACL (access control list) rules.
A visibility domain:
- Is a user-to-domain relationship and is explicitly granted.
- Is not a child domain.
- Is not controlled by the selection in the domain picker. Users with access to a visibility domain always see data in that domain and its child domains.
Contains domains
Normally parent-child relationships define the domain hierarchy. A contains domain lets you relate domains on an as-needed basis, independent of parent-child relationships. However, contains domains grant visibility only to domain data. Processes remain unaffected by contains relationships.
A contains domain:
- Is a many-to-many, domain-to-domain relationship.
- May have child domains. When a domain is selected, you can see the data from that domain and its children.
- Is controlled by the selection in the domain picker.
Contains domain example
When a user's home domain is A, and the A domain contains domains B and C, they all become peer domains. That means the user sees data from domains A, B, and C while in their home domain A. If users change domains with the domain picker to Domain B, they see only data in Domain B. When users interact with a record from Domain B or Domain C directly, they see only data for that domain.
Visibility domain example
Using domain visibility, if Don Goodliffe is in the Database domain, and Bow Ruggeri is in the Network domain, and no incidents are in the global domain, then Don cannot access Bow's incidents because of data separation.
Inheriting visibility domains based on group membership
If you set the domain table to the Group [sys_user_group] table, users can inherit visibility domains based on their group membership.
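The rules above (contains domains, visibility domains, and group inheritance) can be checked with a small model. This is an added example, not ServiceNow code or a ServiceNow API: the function names, data shapes, the "Network Ops" group and the DBA child domain are hypothetical, and it assumes a contained domain brings its own child domains with it.

```javascript
// Constructed sample data; every name here is hypothetical, not a platform API.
const parentOf = { DBA: "Database" };                    // child domain -> parent domain
const contains = { A: ["B", "C"] };                      // domain -> domains it contains
const groupVisibility = { "Network Ops": ["Network"] };  // group -> visibility domains

// A domain plus all of its descendants in the parent-child hierarchy.
function withChildren(domain) {
  const out = new Set([domain]);
  let grew = true;
  while (grew) {
    grew = false;
    for (const [child, parent] of Object.entries(parentOf)) {
      if (out.has(parent) && !out.has(child)) { out.add(child); grew = true; }
    }
  }
  return out;
}

// Domains whose data a user can see for a given domain picker selection.
function visibleDomains(user, picker) {
  const selected = picker || user.home;
  const seen = new Set();
  // Picker-controlled part: the selected domain, its children, and what it contains.
  // Assumption: a contained domain brings its own children with it.
  for (const d of [selected, ...(contains[selected] || [])]) {
    withChildren(d).forEach((x) => seen.add(x));
  }
  // Always-on part: visibility domains granted directly or inherited from groups.
  const granted = [
    ...user.visibility,
    ...user.groups.flatMap((g) => groupVisibility[g] || []),
  ];
  for (const d of granted) withChildren(d).forEach((x) => seen.add(x));
  return [...seen].sort();
}

const userA = { home: "A", visibility: [], groups: [] };
const don = { home: "Database", visibility: [], groups: [] };
const donInGroup = { ...don, groups: ["Network Ops"] };

console.log(visibleDomains(userA));             // home domain A with contains B and C
console.log(visibleDomains(userA, "B"));        // picker moved to B
console.log(visibleDomains(donInGroup, "DBA")); // picker does not remove Network
```

When auditing an instance, the always-on part is the one to review first, because a visibility domain granted through a group stays in effect whatever the user selects in the domain picker.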