Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Understanding domain separation

Log in to subscribe to topics and get notified when content changes.

Understanding domain separation

Separate data, processes, and administrative tasks into logically defined domains.

Use domain separation to accomplish the following goals:

  • Enforce absolute data segregation between business entities.
  • Customize business process definitions and user interfaces for each domain.
  • Maintain some global processes and global reporting in a single instance.
  • Separate data between customers or sub-organizations.
  • Have minor or moderate process differences only among customers or sub-organizations.

Domain separation compared to separate instances

While the behavior offered with domain separation provides multi-tenancy support, multi-tenancy is still contained within a single instance. Some global properties, some global data, and some global processes are shared across all domains. For example, the option to have the system Remember me on the login page of the system is global and cannot be specified per domain.

If you need complete and total separation of all system properties and do not require global reporting or global processes, then separate instances is the best option.

Data separation

Members of a domain only see the data contained within their domain or the child domains that are lower in the domain hierarchy. By default, all users and all records are members of the global domain unless an administrator assigns them to a particular domain. The instance compares the domain of the user to the domain of the record, to determine what is visible. For example, consider the following domain hierarchy:

Figure 1. Example of domain hierarchy

In this domain hierarchy:

  • Bow Ruggeri can see any records in the Database Atlanta or the global domain.
  • Don Goodliffe can see any records in the Database San Diego or the global domain.
  • David Loo can see any records in the NY DB or the global domain.
  • Fred Luddy, ITIL User, Beth Anglin can see any records in the Database, Database Atlanta, Database San Diego, NY DB, or the global domain.

Users in the global domain can see all records, regardless of the record's domain settings. Users are not able to see across domains or records at a higher level in the hierarchy.

Note: Guest users must be part of the global domain.
In general, data defined at a higher level in the domain hierarchy is not visible at lower levels in the hierarchy. However, the following records behave like policies:
  • Form sections
  • Options in a choice list

When defined at a higher level in the hierarchy, these records are visible in child domains.

Domain path migration

Domain paths are used for all customers. Domain numbering is not used. ServiceNow Technical Support can assist in the upgrade.

Alternatives to domain separation

Alternatives to domain separation include:
  • Before business rules
  • Access control list rules (ACLs)
  • Filters
  • Security on related record
  • Custom views
  • Form layouts
  • Notifications
  • UI action conditions
  • Advanced reference qualifiers
Warning: Before activating domain separation, consult your representative to verify that it is suitable for your environment. Domain separation adds a level of administration overhead. Although it can be disabled, it cannot be removed from an instance.