Domain separation administration

Administrators can view information about domain separation, identify potential issues, and change configuration settings.

Manually manage the domain for particular records

By default, the system automatically assigns a domain based on the user's company record. In some cases, however, domain administrators want to manually manage which domain a particular record belongs to.

Before you begin

Role required: admin

About this task

The Managed domain field allows domain administrators to manually select a domain for the user, group, department, location, or CI record, rather than using the domain assigned automatically from the company record. The Managed domain field is available on these record types.

  • User records
  • Group records
  • Department records
  • Location records
  • CI records

Procedure

  1. Navigate to the record you want to manually manage.
  2. Select the Managed domain check box.
  3. From the Domain field, select the domain for the record.
  4. Click Update.
    Changing the managed domain

    Clearing the Managed domain check box hides Domain field and the record uses the domain value from the record's company.

Activate or deactivate a domain

When you activate or deactivate a domain, the activation status cascades to companies within the domain.

Before you begin

Role required: admin

About this task

When you activate a company record, domain separation automatically activates the company's associated domain. For example, if you activate the ACME company, then you also activate the TOP/ACME domain.

Procedure

  1. Navigate to the domain record.
  2. Clear or select the Active check box.
  3. Click Update.
    Warning: Do not delete domains. Deactivate domains that you no longer need instead of deleting them.

Add a domain field to a table

Administrators can domain separate custom tables by adding a sys_domain field to it.

Before you begin

Role required: admin

Procedure

  1. Navigate to the table's list view. For example, type <table name>.list in the navigation filter.
  2. Right-click the list header and select Configure > List Layout.
  3. In the Create new field section, enter sys_domain as the Name and Domain ID as the Type.
  4. Click Add.
  5. Click Save.
    Note: Any other means of creating a field adds a u_ prefix to the column name. For domain separation to work the column name must be sys_domain without any u_ prefix.

Use a custom table for the domain table

You can use a custom table as the domain table if the custom table contains a reference field column called parent that refers back to the custom table.

Before you begin

Role required: admin

Procedure

  1. Create a custom table to store the domain information. For example:
    Table Column name Type Reference
    u_organization u_name string
    u_organization u_description string
    u_organization u_location reference cmn_location
  2. Create a reference field within the custom table that refers back to the custom table. For example:
    Table Column name Type Reference
    u_organization parent reference u_organization
    Create Parent field
  3. Select the custom the table from the list of tables in the New Domain Table list.
    Select custom table
  4. Click Reset Data to make these changes:
      • The domain table changes to the table you selected.
      • All existing records with a domain value are reset to the global domain.
      • All existing domain overrides are deleted.
      • All existing domain contains definitions are deleted.
      • All existing domain visibility settings, both user and group, are deleted.
  5. Click Ignore Data to make these changes:
      • The domain table changes to the table you selected.
      • All domain visibility settings, both user and group, are deleted.
      • All existing records with a domain value refer to invalid domains until you migrate the domain data.
      • All existing domain overrides refer to invalid domains until you migrate the domain data.
      • All existing domain contains definitions refer to invalid domains until you migrate the domain data.
      Note: Visibility settings are deleted whenever the domain table reference changes.

      When you select the ignore option, no existing domain-separated tables are moved to the global domain, and it is your responsibility to migrate the domain records. Until the migration is complete, the domain validator shows warnings about inconsistent domain data. If necessary, you can manually reset all domain-separated tables to the global domain.

Create contains relationships between domains

Creating a contains relationship between domains changes the domain hierarchy.

Before you begin

Role required: admin

About this task

Domains in a contains relationship inherit the visibility settings of the containing domain. The containing domain allows users to see data in the contained domain as well as any of its children. Processes are unaffected by a contains relationship.

Procedure

  1. Navigate to the domain table.
  2. Select the domain record that is the parent (container) domain of the new contains relationship.
  3. Toggle the domain scope to switch between the session scope and record scope, if necessary.
  4. From the Contains Domains related list, click Edit.
  5. Select the domain records that is the child (contained) domains of the contains relationship. Only child domains appear by default when the domain picker is set to Global. Toggle the domain scope to see all domains in slushbucket.
  6. Click Save, and then click Update.
    Contains Domains

Select a primary domain

The primary domain indicates the top-level domain in the domain map.

Before you begin

Role required: admin

About this task

The primary domain cannot have a parent domain and must have at least one child domain. There can only be one primary domain at a time. If you select another domain as the primary domain, it overrides the previous primary domain.

Procedure

  1. Navigate to Domain Admin > Domains.
  2. Select the domain you want to be the primary domain. For example, TOP.
  3. Select the Primary check box.
  4. Click Update.
    Selecting a primary domain

Create a domain-specific choice list

Administrators can configure choice lists to contain entries specific to a particular domain.

Before you begin

Role required: admin

Procedure

  1. Select the domain from domain picker where the choice should be added.
  2. Right-click the field and select Configure Choices.
  3. Update or add choices.
  4. Push changes through the normal change process such as update sets.
    Note: Administrators should ensure that choices are unique across domains to prevent administrative confusion in the global domain.

    If an administrator adds a new choice from the global domain, then users from domains lower in the hierarchy see the new choice at the end of their current choice lists. If the new choice is not active at the global level, then it is available to the domain users via Configure Choices but does not show as an active choice.

Validate domain hierarchy

By default, the instance validates the domain hierarchy every time you change the domain table, change the query method, or reset the records to the global domain.

Before you begin

Role required: admin

Domain hierarchy validation might take an excessive amount of time if there are a large amount of records in a table. To speed up domain separation,

About this task

The Domain Progress Workers list displays any currently running domain tasks. Use the following procedure to manually start the validation process.
Note: Domain paths are used for all customers on Helsinki and later. Domain numbering is no longer used. ServiceNow support can assist in the upgrade. When you create a domain or update the parent of a domain, the system runs a scheduled job to recalculate domain paths. The result of the scheduled job, use the following URL: https://<your-instance-name>/syslog_domain_list.do

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. From Domain Validation, click More > Validate domains hierarchy.
  3. After the validation process completes, review the Domain Alerts section for any renumbering or path conversion errors.
    The domain validation process automatically fixes some validation errors and provides information about errors that cannot be automatically fixed.
    UI domain validation errors

What to do next

If domain hierarchy validation takes an excessive amount of time due to a large number of records in a table, you can exclude these tables from the validation process. To do so,
  1. Add this property to the System Properties [sys_properties] table: glide.sys.domain.validation_skip_threshold.
  2. Set the integer value to the maximum number of records that a table can have for it to be validated. Tables with a larger number of records than this value are not validated. The default value is 5000000.

You can also view the domain log by click a domain log record.

Figure 1. UI domain log
Domain log

View domain relationships

The domain map offers domain administrators a read-only representation of the active domains on the instance and how they relate to each other.

Before you begin

Role required: admin

About this task

All domain maps must have one domain set as the primary domain. In addition, each domain in the domain map must meet these criteria:

  • The Parent field must be filled in (the primary domain is the only exception to this).
  • The Active check box must be selected.

The domain map does not draw domain relationships for domains that fail to meet the mapping criteria.

Procedure

  1. Navigate to Domain Admin > Domain Map.
  2. Click the plus (+) or minus (-) icons on the domain headers to show or hide sub domains.

View a list of tables using domain separation

You can view a list of all domain-separated tables from the Configuration module.

Before you begin

Role required: admin

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. From Domain Validation, click More > Show tables with Domain field.

Exempt roles from the current record domain

By default, all roles use the domain of the current record when Use the domain of the record being viewed instead of the user's own property is true.

Before you begin

Role required: admin

About this task

You can provide a list of roles that ignore this property and always use the user's domain rather than the record's domain. You may want certain roles such as administrators to always work from their own domain rather than use the domain of the record they are viewing.

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. For List of roles (comma-separated) that will not trigger the automatic change of domain to the domain of the record that is being viewed, enter a comma-separated list of roles that ignore automatic domain change behaviors.
  3. Click Save.

Reset all records to the global domain

You can manually reset all domain-separated records to the global domain at any time.

Before you begin

Role required: admin

About this task

Warning: The only way to recover resetting records to the global domain is to restore from a data back-up.

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. From Domain Validation, click More > Reset all records to Global.

Manually re-enable domain separation

Use the following steps to manually re-enable domain separation if it was previously disabled.

Before you begin

Role required: admin

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. Select the domain table. For example, to navigate to the Group [sys_user_group] table, click User Administration > Groups.
  3. Select the domain query method. For example, Switch to Domain Paths.
  4. For Enable domain separation, select the Yes check box.
  5. Click Save.