A password reset process that you define in any domain is isolated from a process that
you create in any other domain.
Overview of the Password Reset
Each password reset process follows these steps:
- The end user asks to reset the password.
- The user provides identifying information (typically username or email address).
- The user verifies their identity, proving that they are who they say they are (typically
by answering questions or submitting a code number that was delivered securely).
- The instance connects to the credential store to confirm the user credentials.
- The instance generates the new password and displays it to the user.
Elements of a password reset process
Domain separation for Password Reset is applied at the process level. The admin configures
the following elements to define a password reset process: a connection to a credential
store, user groups that can use the process, a method of identification, and verifications
to use during the process.
- A connection to the credential store where user credentials (like username/password) are
securely stored. Each connection inherits the domain setting from a template called a
connection type. Each connection type is tied to a domain (the connection type record has
a domain field). There are uniqueness constraints on connection names within a
- One or more user groups on the ServiceNow instance that can use the password reset
process. User accounts are members of one or more domains — they use the standard ServiceNow domain separation. When a
user enrolls to use one of the password reset processes that is configured for the
organization, the user is allowed to choose only from the processes in the user’s
- The identification — the method that the end user employs to claim identity for the
public password reset or password change process. Each identification inherits the domain
setting from a template called an identification type. Each identification type is tied to
a domain (the identification type record has a domain field). There are uniqueness
constraints on identification names within a domain.
- One or more verifications — methods to verify the identity of the person who is
attempting to reset the password. Each verification inherits the domain setting from a
template called a verification type. Each verification type is tied to a domain (the
verification type record has a domain field). There are uniqueness constraints on
verification names within a domain.
- All Password Reset tables have a domain column.
- Process tables include a sys-overrides column on business rules, UI actions, and so
- The Password Reset application is
built using Orchestration. Orchestration does not fully support
Self-service and Service desk-assisted processes
In addition to configuring the connections, user groups, identifications, and verifications
that are used in each process, the admin specifies one of the following operational methods
for the organization:
- Self-service process: End users reset passwords over the Internet using a browser on any
supported interface, including mobile devices. The end user can select from any configured
process in the end user’s domain (or child domain of an end user’s domain).
- Service desk-assisted process: End users do not reset passwords. An end user requests
the assistance of a service desk agent, over the phone or in person. The agent processes
the request. Each service desk agent has the Password Reset Admin service desk role.
The “reset request” form that the agent works in presents a User
field and a Process field. On the form, the agent can view all
processes in the end user’s domain, even if the agent is not a member of one or more of
Password Change process
The Password Change application extends the Password Reset application by letting admins
define how users change their passwords. A service desk-assisted process is not supported.
An admin must publish the URL for the self-service password change form.
The Password Change application enables an end user to change a password over the Internet
using a browser on any supported interface, including mobile devices. The end user can
select from any configured process in the end user’s domain (or child domain of an end
A password change process uses the same elements as a password reset process (connections,
user groups, identifications, and verifications), with the same domain-separation
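
The domain scoping that the self-service reset and password change sections describe (a user can select processes in the user's own domain or a child domain, and processes in separate domains stay isolated) can be modeled as follows. This is an added example in plain JavaScript, not ServiceNow code or API calls. The domain names, process names, and function names are hypothetical, and each user is assumed to belong to a single domain.

```javascript
// Added illustration: a plain-JavaScript model, not ServiceNow API code.
// Constructed sample data; every domain and process name is hypothetical.
const PARENT = new Map([          // domain -> parent domain (null = top)
  ['msp', null],
  ['acme', 'msp'],
  ['acme-emea', 'acme'],
  ['initech', 'msp'],
]);

const PROCESSES = [
  { name: 'AD reset', domain: 'acme' },
  { name: 'LDAP reset', domain: 'acme-emea' },
  { name: 'AD reset', domain: 'initech' },
];

// True when `domain` is `scope` itself or a descendant of it.
function inScope(domain, scope, parent = PARENT) {
  const seen = new Set();
  for (let d = domain; d != null; d = parent.get(d)) {
    if (!parent.has(d)) return false;   // unknown domain: fail closed
    if (seen.has(d)) return false;      // cyclic hierarchy: fail closed
    seen.add(d);
    if (d === scope) return true;
  }
  return false;
}

// Processes offered to an end user: own domain plus child domains.
function selectableProcesses(userDomain, processes = PROCESSES) {
  return processes
    .filter((p) => inScope(p.domain, userDomain))
    .map((p) => `${p.domain}/${p.name}`);
}

// Re-check on submit so a request naming a process from a separate
// domain is refused even if the selection list was bypassed.
function canUseProcess(userDomain, proc) {
  return inScope(proc.domain, userDomain);
}

console.log(selectableProcesses('acme'));
console.log(selectableProcesses('acme-emea'));
console.log(canUseProcess('initech', PROCESSES[0]));
```

In this model a user in a child domain is not offered the parent domain's process, and two processes with the same name in sibling domains never appear in each other's lists.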