Domain separation and Knowledge Management

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and Knowledge Management

    Domain separation in Knowledge Management allows ServiceNow customers to logically partition data, processes, and administrative tasks into distinct domains. This separation controls user access and visibility of knowledge bases, articles, and related content based on their domain affiliation. It supports multiple tenants or organizational units within a single instance, ensuring data privacy and tailored access.

    Show full answer Show less

    How Domain Separation Works in Knowledge Management

    • Data Separation: Knowledge bases, articles, categories, templates, feedback, and related entities are domain-separated, meaning data in one domain is not visible in another. For example, articles created with templates outside a domain may not be visible within that domain.
    • Requester Access: Users can search, view, comment, and rate articles in their own domain, any child domain, and the global domain if permissions allow. Global domain users have broad access to all domains’ articles when granted read permissions.
    • Fulfiller Access: Authors can create and edit articles within their domain, child domains, and the global domain if granted contribute access. Articles are saved in the author’s current domain. Editing global articles from other domains requires enabling a specific system property or switching to the global domain.
    • Hierarchical Domain Access: Users in parent domains can access content in child domains and global domains if permissions are set, enabling flexible content management across organizational units.

    Practical Use Cases

    • Admins can enforce domain-specific rules, such as requiring comments on record closure for one tenant but not others.
    • Users in different domains can interact with knowledge articles according to their domain and access rights, supporting multi-tenant environments.
    • Authors can manage articles across domains they have access to, maintaining domain integrity and proper versioning.

    Known Limitations

    • Certain AQI-related tables (checklists and checklist questions) are not domain separated, which may affect data visibility and order.
    • User comments are stored in the article’s domain rather than the commenter’s domain, which may impact comment visibility in multi-domain setups.

    Why This Matters

    For ServiceNow customers managing multiple tenants or business units, domain separation in Knowledge Management ensures strict data segregation, tailored access control, and streamlined administration. It enables efficient multi-tenant knowledge sharing while maintaining security and compliance.

    Domain separation is supported in Knowledge Management. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Standard

    • Includes all aspects of Basic level support.
    • Application properties are domain-aware as needed.
    • Business logic: The service provider (SP) creates or modifies processes per customer. The use cases reflect proper use of the application by multiple SP customers in a single instance.
    • The instance owner must configure the minimum viable product (MVP) business logic and data parameters per tenant as expected for the specific application.

    Sample use case: An Admin must be able to make comments required when a record closes for one tenant, but not for another.

    For more information on support levels, see Application support for domain separation.

    Overview

    Domain separation works differently at different access levels of an application. In Knowledge Management, data, requester, and fulfiller access to knowledge bases are domain separated.

    How domain separation works in Knowledge Management

    In Knowledge Management, the following rules apply:

    Data: At the data level of domain separation, data visibility is separated from one domain to another. Knowledge bases, user criteria, articles, categories, article feedback, article versions, article templates, and external sources are domain separated in the base system.
    Note:
    The data in one domain cannot be seen in any other domain. For example, if you create a Knowledge Management article in a domain A using an article template which is not in domain A, the article will not be visible in domain A. Similarly, if you create a Knowledge Management article in the global domain using a template that is not in global, the article might not be visible in all the domains.

    Requester: Requester activities are supported within tenant domains. Users can search; view; comment; and rate articles of their domain, any child domain, and global domains, if feedback is enabled and the knowledge base settings grant them read access to articles.

    • Users in the global domain can access articles in all the domains if read access is granted at knowledge base and/or article level.
    • Users in the parent domain can access articles in that domain, global, and all its child domains if read access is granted at knowledge base and/or article level.
    • Users in the child domain can access articles in that domain and the global domain if read access is granted at knowledge base and/or article level.

    Fulfiller: The application can be used by the Fulfiller within the tenant domains as a tenant domain-owned application. Users are allowed to author articles in knowledge bases of their domain, any child domain, and the global domain if the knowledge base has user criteria set up to grant contribute access.

    • Articles are automatically saved to the user’s current domain when the article is created.

    • If the glide.knowman.allow_edit_global_articles system property is enabled, users from a domain other than the global domain can check out and edit global articles. Otherwise, system administrators and users from a domain other than the global domain cannot check out global articles and are shown a warning message to that effect. Depending on their access, users can change their domain to the global domain to check out and edit the global articles.
    • Domains of versioned articles will be maintained as per the latest article version's domain. This includes updating the domain for kb_version, kb_knowledge, kb_feedback, and sys_attachment tables.
    • If domains contain another domain: If Domain A contains Domain B, users with access to Domain A can author articles in Domain B by toggling the domain scope. To learn more about toggling domain scope, see Visibility domains and Contains domains.

    See Managing access to knowledge bases and knowledge articles to learn how to control contribute and read access to knowledge bases and knowledge articles.

    Use cases

    This image demonstrates a basic domain hierarchy that is available in the base system.

    Domain Separation Use Case

    Requester use cases

    User domain Knowledge base domain Read user criteria domain Article domain Result
    Global Global Global Global Can view, comment, rate articles.
    Parent domain (TOP) Parent domain (TOP) Parent domain (TOP)
    Child domain (TOP/ACME Child domain (TOP/ACME Child domain (TOP/ACME
    MSP domain (TOP/MSP) MSP domain (TOP/MSP) MSP domain (TOP/MSP)
    Parent domain (TOP) Global Global Global
    Parent domain (TOP) Parent domain (TOP) Parent domain (TOP)
    Child domain (TOP/ACME Child domain (TOP/ACME Child domain (TOP/ACME
    MSP domain (TOP/MSP) MSP domain (TOP/MSP) MSP domain (TOP/MSP)
    Child domain (TOP/ACME) Global Global Global Can view, comment, rate articles.
    Parent domain (TOP) Parent domain (TOP) Parent domain (TOP)
    Child domain (TOP/ACME Child domain (TOP/ACME Child domain (TOP/ACME
    MSP domain (TOP/MSP) MSP domain (TOP/MSP) MSP domain (TOP/MSP)

    Fulfiller use cases

    User domain Knowledge base domain Contribute user criteria domain Article domain Result
    Global Global Global Global Can author, update, view, comment, rate articles.
    Parent domain (TOP) Parent domain (TOP) Parent domain (TOP)
    Child domain (TOP/ACME Child domain (TOP/ACME Child domain (TOP/ACME
    MSP domain (TOP/MSP) MSP domain (TOP/MSP) MSP domain (TOP/MSP)
    Parent domain (TOP) Global Global Global
    Parent domain (TOP) Parent domain (TOP) Parent domain (TOP)
    Child domain (TOP/ACME Child domain (TOP/ACME Child domain (TOP/ACME
    MSP domain (TOP/MSP) MSP domain (TOP/MSP) MSP domain (TOP/MSP)
    Child domain (TOP/ACME) Global Global Global Can author, update, view, comment, rate articles.
    Parent domain (TOP) Parent domain (TOP) Parent domain (TOP)
    Child domain (TOP/ACME Child domain (TOP/ACME Child domain (TOP/ACME
    MSP domain (TOP/MSP) MSP domain (TOP/MSP) MSP domain (TOP/MSP)

    Known Issues

    • The following AQI tables are not domain separated:
      • AQI Checklist [kb_quality_checklist]
      • Checklist Question [kb_checklist_question]
      • Article Checklist Answer [kb_article_checklist_answer]
        Note:
        The Article Checklist Answer table does not contain the Order field. The application shows the list in a random order.
    • Comment provided by a user on an article is stored in article's domain instead of user domain.