Domain separation setup and basic administration

Setting up domain separation involves requesting activation of a plugin, setting options, and assigning users and records to domains.

Request domain separation

All domain support features are activated with a plugin called Domain Support - Domain Extensions. Administrators can request activation of this plugin.

Before you begin

Role required: admin

About this task

If the Domain Support - Domain Extensions plugin is already active, content in the Domain Support - Domain Extensions plugin will not be installed to avoid potential conflict with an existing implementation.

Domain separation replaces Company Separation. Starting with the Helsinki release, the Company Separation plugin can no longer be activated. However, if company separation is already active when you activate domain separation, both plugins are active at the same time. You can control the company separation activation status with the glide.db.separation.field property.

Note: Domain paths are used for all customers on Helsinki and later. Domain numbering is no longer used. ServiceNow support can assist in the upgrade.

Procedure

  1. In the HI Service Portal, click Service Catalog > Activate Plugin.
  2. Fill out the form.
    Target Instance | Instance on which to activate the plugin.
    Plugin Name | Name of the plugin to activate.
    Specify the date and time you would like this plugin to be enabled | Date and time must be at least 2 business days from the current time.
    Note: Plugins are activated in two batches each business day in the Pacific timezone, once in the morning and once in the evening. If the plugin must be activated at a specific time, enter the request in the Reason/Comments.
    Reason/Comments | Any information that would be helpful for the ServiceNow personnel activating the plugin, such as if you need the plugin activated at a specific time instead of during one of the default activation windows.
  3. Click Submit.

Result

Activating the Domain Extension plugin enables these features:
  • Domain separation is based on the Domain [sys_domain] table.
  • Delegated administration lets each domain have separate policy.
  • All records are part of the global domain.
  • The current user's domain determines the domain to use when viewing or operating on a record in a different domain.

Access the Domain Configuration console

Use the Domain Configuration module to enable, configure, and view the status of domain separation support.

About this task

You can set domain separation configuration options, such as selecting the domain table and enabling delegated administration. You can also view domain alerts.

Procedure

  1. Navigate to Domain Admin > Configuration.
    The Domains Configuration page appears.
  2. Configure the following Domain Separation options:
    Field | Description
    Domain Table | Shows the table containing domain names. By default, the system uses the Domain [domain] table. Click Change domain table to change the table.
    Change domain table | Select the table containing domain names for domain separation. You can select any existing table. By default, the system uses the Domain [domain] table.
    Warning: No domain can have the name global. Verify that the name global is not used in any of the domain names in the table before saving the domain configuration.
    Domain Validation | Shows the status of the last domain validation run. Click Validate domains hierarchy to run Domain Validation. See the Domain Alerts section or the syslog_domain table to view any warnings or errors in detail.
    Validate domains hierarchy | Run the domain validation. See Validate domain hierarchy.
    Show tables with sys_domain field | Show all the tables with the Domain field. Lists all the Dictionary Entries of tables with the Domain [sys_domain] field.
    Domain Progress Workers | Lists any currently running conversion or validation processes.
    Domain Alerts | Lists any information, warning, or error messages relating to domain separation. You can also find this information in the syslog_domain table.
    Enable Domain Separation | Select whether to enable or disable domain separation. By default, domain separation is enabled. You can manually disable domain separation with this setting. However, the sys_domain column will still be present on any table it was added to. This option maps to the glide.sys.domain.partitioning system property.
    Enable Delegated Administration | Select whether to enable or disable delegated administration. Activating the plugin automatically enables delegated administration. You can manually disable delegated administration with this setting. This option maps to the system property glide.sys.domain.delegated_administration. This property controls process separation.
    Enable verbose domain logging | Select whether to enable additional debugging information for domain separation. This option maps to the system property glide.sys.domain.verbose.
    Note: When both glide.sys.domain.delegated_administration and glide.sys.domain.partitioning are disabled, all domains are disabled. Users logging in have their session domain set to global.

Create a domain

You can create a domain by creating a record in the [domain] table.

Before you begin

Role required: admin

About this task

When creating a new domain, keep the following in mind:

  • Only one domain can be the default domain.
  • Only one domain can be the primary domain.

Procedure

  1. Navigate to Domain Admin > Domains.
  2. Click New.
  3. Fill in the necessary fields (see table).
  4. Click Submit.
    Table 1. Domain form fields
    Field | Description
    Name | Enter a unique name for the domain.
    Type | Select a domain type that describes the domain. By default the domain types are Vendor, Customer, and MSP. You can also add your own choices.
    Primary | Select the check box if this domain is to be the top-level domain in the hierarchy. The top-level domain only has child domains and no parent domains.
    Parent | Select the name of the domain higher in the hierarchy that contains this domain. This field must have a value for the domain to appear in the domain map.
    Active | Select the check box to make the domain available for use. You must select this option for this domain to appear in the domain map.
    Description | Enter a description for the domain.

    Each domain record can also have several related records:

    • Companies
    • Contains Domains
    • Contained By

What to do next

To change the domain hierarchy, go to the Contains Domains related list and select the domain records that are the child (contained) domains of the contains relationship.

Add a user and a record to a domain

By default, all users and records are part of the global domain and are therefore accessible to all users.

Before you begin

Role required: admin

About this task

To use data separation and delegated administration, you must first assign users and their relevant records to one or more domains.

Procedure

  1. Personalize the list or form to add the Domain field.
  2. Set the Domain field for the user or record.
    For example, assign Bow Ruggeri to the Network domain. Assign Don Goodliffe to the Database domain. Add the Network and Database domains to relevant records such as incidents, configuration items, requests.

Make a domain the default

The default domain is the domain to which the system automatically assigns task and user records that are not already assigned to a domain.

Before you begin

Role required: admin

Procedure

  1. Navigate to Domain Admin > Domains.
  2. Open the domain you want to be the default domain. For example, Default.
  3. Configure the form layout to add the Default field.
  4. Select the Default check box.
  5. Click Update.
    Note: If you do not set a default domain, then new tasks and user records are placed in the global domain.

Manually manage the domain for particular records

By default, the system automatically assigns a domain based on the user's company record. In some cases, however, domain administrators want to manually manage which domain a particular record belongs to.

Before you begin

Role required: admin

About this task

The Managed domain field allows domain administrators to manually select a domain for the user, group, department, location, or CI record, rather than using the domain assigned automatically from the company record. The Managed domain field is available on these record types.

  • User records
  • Group records
  • Department records
  • Location records
  • CI records

Procedure

  1. Navigate to the record you want to manually manage.
  2. Select the Managed domain check box.
  3. From the Domain field, select the domain for the record.
  4. Click Update.
    Clearing the Managed domain check box hides the Domain field, and the record uses the domain value from the record's company.

Activate or deactivate a domain

When you activate or deactivate a domain, the activation status cascades to companies within the domain.

Before you begin

Role required: admin

About this task

When you activate a company record, domain separation automatically activates the company's associated domain. For example, if you activate the ACME company, then you also activate the TOP/ACME domain.

Procedure

  1. Navigate to the domain record.
  2. Clear or select the Active check box.
  3. Click Update.
    Warning: Do not delete domains. Deactivate domains that you no longer need instead of deleting them.

Add a domain field to a table

Administrators can domain separate a custom table by adding a sys_domain field to it.

Before you begin

Role required: admin

Procedure

  1. Navigate to the table's list view. For example, type <table name>.list in the navigation filter.
  2. Right-click the list header and select Configure > List Layout.
  3. In the Create new field section, enter sys_domain as the Name and Domain ID as the Type.
  4. Click Add.
  5. Click Save.
    Note: Any other means of creating a field adds a u_ prefix to the column name. For domain separation to work the column name must be sys_domain without any u_ prefix.

Use a custom table for the domain table

You can use a custom table as the domain table if the custom table contains a reference field column called parent that refers back to the custom table.

Before you begin

Role required: admin

Procedure

  1. Create a custom table to store the domain information. For example:
    Table | Column name | Type | Reference
    u_organization | u_name | string |
    u_organization | u_description | string |
    u_organization | u_location | reference | cmn_location
  2. Create a reference field within the custom table that refers back to the custom table. For example:
    Table | Column name | Type | Reference
    u_organization | parent | reference | u_organization
  3. Select the custom table from the list of tables in the New Domain Table list.
  4. Click Reset Data to make these changes:
      • The domain table changes to the table you selected.
      • All existing records with a domain value are reset to the global domain.
      • All existing domain overrides are deleted.
      • All existing domain contains definitions are deleted.
      • All existing domain visibility settings, both user and group, are deleted.
  5. Click Ignore Data to make these changes:
      • The domain table changes to the table you selected.
      • All domain visibility settings, both user and group, are deleted.
      • All existing records with a domain value refer to invalid domains until you migrate the domain data.
      • All existing domain overrides refer to invalid domains until you migrate the domain data.
      • All existing domain contains definitions refer to invalid domains until you migrate the domain data.
      Note: Visibility settings are deleted whenever the domain table reference changes.

      When you select the ignore option, no existing domain-separated tables are moved to the global domain, and it is your responsibility to migrate the domain records. Until the migration is complete, the domain validator shows warnings about inconsistent domain data. If necessary, you can manually reset all domain-separated tables to the global domain.

Create contains relationships between domains

Creating a contains relationship between domains changes the domain hierarchy.

Before you begin

Role required: admin

About this task

Domains in a contains relationship inherit the visibility settings of the containing domain. The containing domain allows users to see data in the contained domain as well as any of its children. Processes are unaffected by a contains relationship.

Procedure

  1. Navigate to the domain table.
  2. Select the domain record that is the parent (container) domain of the new contains relationship.
  3. Toggle the domain scope to switch between the session scope and record scope, if necessary.
  4. From the Contains Domains related list, click Edit.
  5. Select the domain records that are the child (contained) domains of the contains relationship. Only child domains appear by default when the domain picker is set to Global. Toggle the domain scope to see all domains in the slushbucket.
  6. Click Save, and then click Update.

Change domain visibility

By default, when a user in the global domain views a table containing a sys_overrides column, the user sees records from only the global domain.

Before you begin

Role required: admin

Procedure

  1. Change the glide.sys.restrict_global_domain_processes property to true.
  2. To view records from all domains, click Expand Domain Scope under Related Links.
  3. To return to viewing records from the global domain only, click Collapse Domain Scope.

Add domains to a visibility domains list

Adding a visibility domain allows a user or group to see and potentially edit records from another domain regardless of the user or group's normal domain membership.

Before you begin

Role required: admin

About this task

Assigning visibility domains to all members of a group is preferred over granting them to individual users.
Note: Adding a visibility domain does not change a table or record's access control rule requirements.

Procedure

  1. Navigate to the domain table.
  2. Select the group you want to provide with visibility domains.
  3. Add the Visibility domains related list to the form.
  4. From the Visibility domains related list, click Edit.
  5. Select the domain records you want the group or domain to see.
  6. Click Save, and then click Update.

Grant visibility domains to an individual user

You can add visibility domains for specific users on the User form.

Before you begin

Role required: admin

Procedure

  1. Navigate to User Administration > User.
  2. Select the user you want to provide with visibility domains.
  3. Add the Visibility domains related list to the form.
  4. From the Visibility Domains related list, click Edit.
  5. Select the domains whose records you want the user to see.
  6. Click Save, and then click Update.
    The Visibility domain embedded list contains the following fields.
    Field | Description
    Domain | Domain that is visible to the group or user.
    Inherited | Domain is inherited from domain visibility or a parent domain.
    Granted By | Name of the group that granted domain visibility.
    Parent visibility | Name of the parent domain and used for grouping records. If the parent record is deleted, then all records with the same parent are deleted as well.

Select a primary domain

The primary domain indicates the top-level domain in the domain map.

Before you begin

Role required: admin

About this task

The primary domain cannot have a parent domain and must have at least one child domain. There can only be one primary domain at a time. If you select another domain as the primary domain, it overrides the previous primary domain.

Procedure

  1. Navigate to Domain Admin > Domains.
  2. Select the domain you want to be the primary domain. For example, TOP.
  3. Select the Primary check box.
  4. Click Update.

Create a domain-specific choice list

Administrators can configure choice lists to contain entries specific to a particular domain.

Before you begin

Role required: admin

Procedure

  1. Select the domain from domain picker where the choice should be added.
  2. Right-click the field and select Configure Choices.
  3. Update or add choices.
  4. Push changes through the normal change process such as update sets.
    Note: Administrators should ensure that choices are unique across domains to prevent administrative confusion in the global domain.

    If an administrator adds a new choice from the global domain, then users from domains lower in the hierarchy see the new choice at the end of their current choice lists. If the new choice is not active at the global level, then it is available to the domain users via Configure Choices but does not show as an active choice.

Validate domain hierarchy

By default, the instance validates the domain hierarchy every time you change the domain table, change the query method, or reset the records to the global domain.

Before you begin

Role required: admin

Domain hierarchy validation might take an excessive amount of time if there are a large number of records in a table.

About this task

The Domain Progress Workers list displays any currently running domain tasks. Use the following procedure to manually start the validation process.
Note: Domain paths are used for all customers on Helsinki and later. Domain numbering is no longer used. ServiceNow support can assist in the upgrade. When you create a domain or update the parent of a domain, the system runs a scheduled job to recalculate domain paths. To view the result of the scheduled job, use the following URL: https://<your-instance-name>/syslog_domain_list.do

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. Click Validate domains hierarchy.
  3. After the validation process completes, review the Domain Alerts section for any renumbering or path conversion errors.
    The domain validation process automatically fixes some validation errors and provides information about errors that cannot be automatically fixed.

What to do next

If domain hierarchy validation takes an excessive amount of time due to a large number of records in a table, you can exclude these tables from the validation process. To do so:
  1. Add this property to the System Properties [sys_properties] table: glide.sys.domain.validation_skip_threshold.
  2. Set the integer value to the maximum number of records that a table can have for it to be validated. Tables with a larger number of records than this value are not validated. The default value is 10000000.

You can also view the domain log by clicking a domain log record.

Figure 1. UI domain log

View domain relationships

The domain map offers domain administrators a read-only representation of the active domains on the instance and how they relate to each other.

Before you begin

Role required: admin

About this task

All domain maps must have one domain set as the primary domain. In addition, each domain in the domain map must meet these criteria:

  • The Parent field must be filled in (the primary domain is the only exception to this).
  • The Active check box must be selected.

The domain map does not draw domain relationships for domains that fail to meet the mapping criteria.

Procedure

  1. Navigate to Domain Admin > Domain Map.
  2. Click the plus (+) or minus (-) icons on the domain headers to show or hide sub domains.
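
The hierarchy rules stated on this page (no domain named global, one primary, one default, a primary with no parent and at least one child, and the Parent and Active criteria for the domain map) can be checked offline against an export of the domain table. The following is an added example, not ServiceNow code: the property names and sample records are assumptions, and the dangling-parent and parent-loop checks go beyond what the page states.

```javascript
// Added example: offline audit of exported domain records against the rules on this page.
// Property names (name, parent, active, primary, isDefault) are assumptions of this
// sketch, not ServiceNow column names.
function auditDomains(domains) {
  const findings = [];
  const byName = new Map(domains.map((d) => [d.name, d]));
  const add = (rule, name, detail) => findings.push({ rule, name, detail });

  // "No domain can have the name global." Case-insensitive match is this example's choice.
  for (const d of domains) {
    if (String(d.name).trim().toLowerCase() === 'global') {
      add('reserved-name', d.name, 'domain is named global');
    }
  }

  // Only one domain can be the primary domain, and only one can be the default.
  const primaries = domains.filter((d) => d.primary);
  const defaults = domains.filter((d) => d.isDefault);
  if (primaries.length !== 1) {
    add('primary-count', null, `expected 1 primary, found ${primaries.length}`);
  }
  if (defaults.length > 1) {
    add('default-count', null, `expected at most 1 default, found ${defaults.length}`);
  }

  // The primary domain cannot have a parent and must have at least one child.
  for (const p of primaries) {
    if (p.parent) add('primary-has-parent', p.name, `parent is ${p.parent}`);
    if (!domains.some((d) => d.parent === p.name)) {
      add('primary-no-child', p.name, 'no domain lists it as parent');
    }
  }

  // Domain map criteria for every other domain, plus two checks that go beyond
  // the page: a parent that does not exist, and a parent chain that loops.
  for (const d of domains) {
    if (d.primary) continue;
    if (!d.parent) add('not-mapped', d.name, 'Parent is empty');
    else if (!byName.has(d.parent)) add('dangling-parent', d.name, `unknown parent ${d.parent}`);
    if (!d.active) add('not-mapped', d.name, 'Active is not selected');
    const seen = new Set([d.name]);
    for (let cur = byName.get(d.parent); cur; cur = byName.get(cur.parent)) {
      if (seen.has(cur.name)) { add('parent-loop', d.name, `loop via ${cur.name}`); break; }
      seen.add(cur.name);
    }
  }
  return findings;
}

// Constructed sample export (not real instance data).
const sampleDomains = [
  { name: 'TOP', parent: '', active: true, primary: true },
  { name: 'ACME', parent: 'TOP', active: true },
  { name: 'Default', parent: 'TOP', active: true, isDefault: true },
  { name: 'Network', parent: '', active: true },
  { name: 'Database', parent: 'Netwrk', active: false },
  { name: 'Global', parent: 'TOP', active: true },
];

for (const f of auditDomains(sampleDomains)) {
  console.log(`${f.rule}: ${f.name ?? '(all)'} - ${f.detail}`);
}
```

A domain reported as not-mapped is one the domain map will not draw, so it is easy to miss when reviewing the hierarchy visually.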

View a list of tables using domain separation

You can view a list of all domain-separated tables from the Configuration module.

Before you begin

Role required: admin

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. Click Show tables with sys_domain field.

Exempt roles from the current record domain

By default, all roles use the domain of the current record when Use the domain of the record being viewed instead of the user's own property is true.

Before you begin

Role required: admin

About this task

You can provide a list of roles that ignore this property and always use the user's domain rather than the record's domain. You may want certain roles such as administrators to always work from their own domain rather than use the domain of the record they are viewing.

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. For List of roles (comma-separated) that will not trigger the automatic change of domain to the domain of the record that is being viewed, enter a comma-separated list of roles that ignore automatic domain change behaviors.
  3. Click Save.

Manually re-enable domain separation

Use the following steps to manually re-enable domain separation if it was previously disabled.

Before you begin

Role required: admin

Procedure

  1. Navigate to Domain Admin > Configuration.
  2. Select the domain table. For example, to navigate to the Group [sys_user_group] table, click User Administration > Groups.
  3. Select the domain query method. For example, Switch to Domain Paths.
  4. For Enable domain separation, select the Yes check box.
  5. Click Save.