Domain separation and Data Certification

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and Data Certification

    Domain separation in Data Certification enables ServiceNow customers to logically segment data, processes, and administrative tasks into distinct domains. This separation controls user access and visibility based on domain permissions, ensuring that data and certification tasks are properly isolated across multiple tenants or clients within the same instance. It is designed to support service providers managing multiple tenants, allowing each to certify their own data securely.

    Show full answer Show less

    Key Features

    • Basic support for domain separation: Data Certification respects domain boundaries when Certification Instances (CIs) or records are domain-separated and users belong to the corresponding domain.
    • User access control: Only users with the appropriate domain permissions can view and certify data within their domain.
    • No additional configuration after enabling Domain Separation plugin: Once enabled, domain separation applies to Data Certification without further setup.
    • Domain assignment on key tables:
      • certtask: Changing the domain affects viewing permissions of certification tasks.
      • certfilter: Domain changes affect filtering and viewing of CIs or records.
      • certinstance: Domain changes do not impact functionality or task domains.
      • certelement: Domain changes are not recommended; these records inherit domain from CIs or records.

    Practical Guidance for Customers

    • Instance owners must assign Certification Tasks and Instances to the correct domains to ensure proper data separation and access control.
    • Certifying multiple clients or tenants is supported by assigning domains to CIs and certification tasks to restrict visibility between clients.
    • While the certification tables do not require domain settings, domain separation on the underlying CIs or records is essential for enforcing security and data isolation.
    • Changing domains on certain certification tables affects user access and filtering but does not impact overall functionality.

    Why This Matters

    For ServiceNow customers operating multi-tenant or multi-client environments, domain separation within Data Certification ensures that sensitive data and certification processes remain isolated and secure. This capability prevents unauthorized data access, supports compliance requirements, and streamlines certification management across distinct organizational units or clients.

    Domain separation is supported in Data Certification processing. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Basic

    • Business logic: Ensure data goes into the proper domain for the application’s service provider use cases.
    • In the application, the user interface, cache keys, reporting, rollups, aggregations, and so on, all consider domain at production run time.
    • The owner of the instance needs to be able to set up the application to function normally across multiple tenants.
    Use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the client must be able to see my response.

    How domain separation works in Data Certification

    • Data Certification has only basic domain separation. As long as the Certification Instances (CIs) or records that must be certified are correctly domain-separated and the users who must certify the CIs or records are in a domain that can view the data, Data Certification works as expected.
    • Recommendation: The instance owner must be responsible for assigning Certification Tasks and Certification Instances to the correct domain. Changing the domain for these records does not change functionality, but limits the view of the records.

    How to set up domain separation for Data Certification

    After enabling the Domain Separation plugin, there are no additional steps required to set up domain separation for Data Certification.

    • instance owners determine which CIs or records that need to be certified can be domain-separated.
    • Customers can configure a domain-separated environment by assigning tasks to a domain, but if the data is already domain-separated, then only users with the right domain permissions can view the data in a certification task.

    How tenant domains manage their own application data

    It's not necessary to set the domain on the certification tables but it can be done if the instance owner should want that. As long as the CI’s or records that must be certified are domain-separated, users with the correct domain permissions can view them.

    Domain-separated tables

    • cert_instance – Changing the domain on this table does not change any functionality, nor does it change the domains of the tasks created from the table.
    • cert_task – Changing the domain on this table changes the domain viewing permissions of the task.
    • cert_element – It is not recommended to change the domain on these records. As long as the CIs or records to be certified are already domain-separated, cert_element records will reflect that.
    • cert_filter – Changing the domain on this table changes the domain viewing and filtering of CIs or records.

    Use cases

    Instance owners who have multiple clients that certify the infrastructure they own can assign domains to those CIs and the Certification Tasks to restrict the view from one client to another.