Hermes Messaging Service domain separation

  • Release version: Zurich
  • Updated July 31, 2025

    Domain separation is supported for the Hermes Messaging Service. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Basic

    • Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
    • The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
    • The owner of the instance must set up the application to function across multiple tenants.

    Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.

    For more information on support levels, see Application support for domain separation.

    Overview

    On a domain-separated instance, you can use namespaces to configure which domains can access specific topics in the Hermes Kafka cluster. You assign topics to ServiceNow domains using the topic record's namespace.

    How domain separation works with the Hermes Messaging Service

    On a domain-separated instance, a user with the kafka_namespace_admin role can assign namespaces to specific ServiceNow domains. When the Kafka namespace admin assigns a namespace to a particular domain, all the topics created in that namespace will have the same domain. Users can only see and interact with the topics and namespaces they have access to, based on domain visibility and access control lists (ACLs). Topics created with the Default Namespace are created in the global domain.

    Both the Kafka Topics [sys_kafka_topic] table and the Kafka Namespaces [sys_kafka_namespace] table are domain-separated tables. Domain separation rules filter which records are available in each domain. In addition to being domain-separated, these tables can also be protected with ACLs, just like any other table.
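
As an added example (not ServiceNow code), the following standalone JavaScript audits records exported from the two tables and reports topics whose domain does not follow the rules described above. The field names `namespace` and `sys_domain`, the stored value `global`, and all sample records are assumptions constructed for illustration.

```javascript
// Added example: audit exported Hermes records against the domain rules above.
// Assumptions: `sys_domain` on both tables, a `namespace` reference field on
// the topic record, and "global" as the global domain's stored value.
const GLOBAL_DOMAIN = "global";
const DEFAULT_NAMESPACE = "Default Namespace";

function auditTopicDomains(namespaces, topics) {
  const byId = new Map(namespaces.map((ns) => [ns.sys_id, ns]));
  const findings = [];
  for (const topic of topics) {
    const ns = byId.get(topic.namespace);
    if (!ns) {
      // The topic points at a namespace missing from the export.
      findings.push({ topic: topic.name, issue: "unknown_namespace" });
      continue;
    }
    // Topics created with the Default Namespace belong to the global domain;
    // every other topic carries the domain assigned to its namespace.
    const isDefault = ns.name === DEFAULT_NAMESPACE;
    const expected = isDefault ? GLOBAL_DOMAIN : ns.sys_domain;
    if (topic.sys_domain !== expected) {
      findings.push({
        topic: topic.name,
        issue: isDefault ? "default_namespace_not_global" : "domain_mismatch",
        expected,
        actual: topic.sys_domain,
      });
    }
  }
  return findings;
}

// Constructed sample records (not taken from a real instance).
const SAMPLE_NAMESPACES = [
  { sys_id: "ns0", name: "Default Namespace", sys_domain: "global" },
  { sys_id: "ns1", name: "tenant_a", sys_domain: "dom_a" },
  { sys_id: "ns2", name: "tenant_b", sys_domain: "dom_b" },
];
const SAMPLE_TOPICS = [
  { name: "shared.events", namespace: "ns0", sys_domain: "global" },
  { name: "a.orders", namespace: "ns1", sys_domain: "dom_a" },
  { name: "b.orders", namespace: "ns2", sys_domain: "dom_a" },
  { name: "misc.audit", namespace: "ns0", sys_domain: "dom_b" },
  { name: "legacy.feed", namespace: "ns9", sys_domain: "dom_b" },
];

console.log(JSON.stringify(auditTopicDomains(SAMPLE_NAMESPACES, SAMPLE_TOPICS), null, 2));
```

An empty result means every exported topic sits in the domain its namespace implies; any finding is a record to review before relying on domain visibility for tenant isolation.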

    All domain support features require the Domain Support - Domain Extensions Installer (com.glide.domain.msp_extensions.installer) plugin.