Domain separation and Document Management

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and Document Management

    Domain separation in Document Management allows ServiceNow customers to logically segregate data, processes, and administrative tasks into distinct domains, enhancing security and data access control. This feature ensures that users only see and manage documents within their assigned domain unless they belong to the global domain, which has broader access privileges.

    Show full answer Show less

    How Domain Separation Works

    • Users can view and manage documents only within their own domain.
    • Users in the global domain can access documents across all domains if granted read access.
    • When documents, document lists, or entries are created, they inherit the creator's domain.
    • Changing a document’s owner updates the domain information for related versions, references, and permissions to align with the parent document.

    Key Use Cases

    • Document Access: Documents are editable and accessible only within their domain, preventing cross-domain access unless explicitly allowed.
    • Versions, References, and Permissions: Users can access these only if they have access to the parent document. Inherited access can grant permissions based on domain alignment.
    • Lists and List Entries: These are domain-specific and accessible primarily by users with document admin rights within that domain.

    Support and Configuration

    This feature supports standard domain separation requirements, with application properties and business logic tailored per tenant. Service providers can configure minimum viable product (MVP) business logic and data parameters to suit each customer's needs within a single instance.

    Known Limitations

    If a document owner changes to a user in a different domain who lacks access to referenced records, some references may not be visible to the new owner. This can impact visibility of linked data in cross-domain scenarios.

    Practical Implications for ServiceNow Customers

    • Enables multi-tenant environments where data privacy and access control are critical.
    • Supports customized access rules per tenant, such as requiring comments on record closure for some tenants but not others.
    • Requires careful configuration of user roles and domain assignments to ensure proper access and visibility.

    Domain separation is supported for Document Management. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Standard

    • Includes all aspects of Basic level support.
    • Application properties are domain-aware as needed.
    • Business logic: The service provider (SP) creates or modifies processes per customer. The use cases reflect proper use of the application by multiple SP customers in a single instance.
    • The instance owner must configure the minimum viable product (MVP) business logic and data parameters per tenant as expected for the specific application.

    Sample use case: An Admin must be able to make comments required when a record closes for one tenant, but not for another.

    For more information on support levels, see Application support for domain separation.

    Overview

    Document Management provides an access level approach to controlling the document access and providing security to the users.

    How domain separation works in Document Management

    When domains are separated in Document Management, users can see and manage documents and give access privileges only in their own (tenant) domain.

    A user in the parent domain has access to documents in the child domain.

    When a user creates a document, document list or document entries, then their domain is the same as the user's domain.

    When the owner of the document changes then the related versions, references, and permission record's domain is updated with the domain of the parent document.

    Use cases

    • Documents

      Documents can be edited or accessed only within their domain. Access to a document can become void if a user belongs to a different domain from the document's domain.

      • Users in the global domain can access documents in all domains when the read access is granted to the user.
      • Users in a non-global domain can access documents only in the same domain and global domain when document access is granted to the user.
    • Versions, References and Permissions table
      • Users can access the versions, references, and, permissions table records only if they have access to the parent document.
      • If a user has access to the target record in the references table, access to the parent document is granted only if inherited access is enabled for the document and the user is in the same domain as the parent document.
    • List and List Entries

      List and List Entries have domain pointing to the current user domain and can be accessed by the users with document admin rights.

    Known issues

    If a document contains references and if the owner of the document is changed and does not have access to the target record of one of the references, then the reference record might not be visible to the new owner.

    For example, if the document owner, User A (Domain: D1) is changed to User B (Domain: D2) and User B does not have access to the target record of the reference table, User B might not be able to see the reference record.