Understanding domain separation

The separation of data, administrative tasks, processes or reporting into logically defined domains is known as domain separation. A domain can be entities, customers, or sub-organizations. By default, members of one domain only see the data contained within their domain or the child domains that are lower in the domain hierarchy.

Domain separation is best for those customers who:

  • Want to customize business process definitions and user interfaces for each domain
  • Prefer to maintain some global processes and global reporting in a single instance
  • May have minor or moderate process differences among customers or sub-organizations
  • Need to enforce data segregation between domains
    Note: If you require complete and total separation of all system properties and do not require global reporting or global processes, then consider establishing separate instances.
Warning: Before activating domain separation, consult your ServiceNow representative to verify that it is suitable for your environment. Domain separation adds a level of administration overhead. Although it can be disabled, it cannot be removed from an instance.

Domain separation hierarchy

Members of a domain only see the data contained within their domain or the child domains that are lower in the domain hierarchy. By default, all users and all records are members of the global domain unless an administrator assigns them to a particular domain. Once you assign a user or a record to a domain, the instance compares the user's domain to the record's domain to determine whether the user can view the record.

Users in the global domain can see all records, regardless of the record's domain settings. If a user is a member of another domain, then there is no single visibility setting that allows users to see across domains or allows users to see records at a higher level in the hierarchy.

Note: Guest users must be part of the global domain.

In general, data defined at a higher level in the domain hierarchy is not visible at lower levels in the hierarchy. With the exception of form sections and options in a choice list, which behave like policies; when defined at a higher level in the hierarchy, these records are visible in child domains.

Figure 1. Domain hierarchy example
graphic depicts example of Database domain as the parent with children domains of Database Atlanta, Database San Diego, and Database New York. users are assigned to the parent domain with access to the children domains. Children domain users only have access to their domain.

In this domain hierarchy:

  • Bow Ruggeri can see any records in the Database Atlanta or the global domain.
  • Don Goodliffe can see any records in the Database San Diego or the global domain.
  • David Loo can see any records in the NY DB or the global domain.
  • Fred Luddy, ITIL User, Beth Anglin can see any records in the Database, Database Atlanta, Database San Diego, NY DB, or the global domain.