    Domain scope

    Domain scope defines what users can and cannot access.

    Every user has two domain scopes when establishing a session in a domain-separated instance.

    • Session scope is set upon session establishment to the domain listed in the user's user record. Users can manually change their session domain scope from the domain picker.
    • Record scope uses the domain of the record and is active when viewing the form of any record.

    By default, the record scope takes precedence over the session scope so that users in higher-level domains adhere to each record's data and process constraints. However, these users can choose to expand or collapse the domain scope to show or hide data from other domains. For example, a user in the Service Provider (SP) domain also has visibility into child domains such as the ACME domain. When looking at an incident record from the ACME domain, the user can choose to expand the domain scope to show values from the SP domain or collapse the domain scope to show only record values that match the record's ACME domain.

    Note: Users always have access to data from domains that have been explicitly granted to them by domain visibility.

    Users with the domain_expand_scope user role can select the domain scope from the Toggle Domain Scope UI action on the form. When record scope is in effect, click the UI action to expand to session scope and display all data available based on the user's domain and child domains. When session scope is in effect, click the UI action to collapse to record scope and display only data that matches the current record's domain.

    Note: A record does not display the UI action to toggle the domain scope if the record is in the global domain or if the user's domain matches the record's domain.

    Record value selection from other domains

    Users who can see multiple domains have the option to select record values from a domain that is different than the record's domain.

    For example, service desk agents working for a service provider might want to assign certain incidents to themselves to resolve issues on behalf of their customers. When they do this, the incident Assigned to field might contain a user from the SP domain, even though the incident record itself is associated with a child domain such as ACME.

    Selecting a record value from another domain does not change the record's domain. The record retains its original domain. When a user views a record with values from multiple domains, the user's domain visibility determines what they see.

    Table 1. Record value selection

    Condition: The user has access to the domain of the current record referenced in a field.
    UI elements available: The user can:
    • See the reference field display value. For example, sees the user name in the Assigned to field.
    • See the related record from the reference icon. For example, sees the user record for the user in the Assigned to field.
    • Select values from any visible domain. For example, can select users from either the SP or ACME domain.

    Condition: The user does not have access to the domain of the current record referenced in a field.
    UI elements available: The user:
    • Cannot see reference field display values. (This is the case if domain separation was activated in Madrid or later releases and the user doesn't have access to the domain of that record.)
    • Can only select values from the record's domain. For example, can only select users from the ACME domain.
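
    The rules in Table 1 and the Toggle Domain Scope note above, as an added example: a plain JavaScript model, not ServiceNow's own code or API. The domain hierarchy, user names, and function names are assumptions made for the illustration; explicit visibility grants are treated as exact domain matches, and only the Madrid-or-later behavior is modeled.

```javascript
// Plain-JavaScript model of Table 1 (added example, not ServiceNow API code).
// Constructed hierarchy, child -> parent; CUSTOMER_B is a hypothetical domain.
const PARENT = { SP: null, ACME: 'SP', CUSTOMER_B: 'SP' };

// True when `domain` is `ancestor` itself or sits below it in the hierarchy.
function isSameOrChild(domain, ancestor) {
  for (let d = domain; d != null; d = PARENT[d]) {
    if (d === ancestor) return true;
  }
  return false;
}

// A user sees their own domain, its child domains, and any domain explicitly
// granted through domain visibility (assumption: grants are exact matches).
function canSeeDomain(user, domain) {
  return isSameOrChild(domain, user.domain) || user.visibility.includes(domain);
}

// Toggle Domain Scope UI action: needs the domain_expand_scope role and is
// hidden for global records and when the user's domain matches the record's.
function toggleShown(user, record) {
  return user.roles.includes('domain_expand_scope') &&
    record.domain !== 'global' && record.domain !== user.domain;
}

// Table 1 for one reference field on `record` whose value lives in `valueDomain`.
// Models instances where domain separation was activated in Madrid or later.
function referenceFieldAccess(user, record, valueDomain) {
  const access = canSeeDomain(user, valueDomain);
  return {
    displayValue: access,
    // Table 1 lists the related record only for the first condition; denying
    // it under the second condition is this model's assumption.
    relatedRecord: access,
    selectableDomains: access
      ? Object.keys(PARENT).filter((d) => canSeeDomain(user, d)).sort()
      : [record.domain],
  };
}

// Constructed sample data: an ACME incident whose Assigned to user is in SP.
const incident = { number: 'INC-SAMPLE', domain: 'ACME' };
const spAgent = { name: 'sp.agent', domain: 'SP', visibility: [], roles: ['domain_expand_scope'] };
const acmeUser = { name: 'acme.user', domain: 'ACME', visibility: [], roles: [] };
const acmeAuditor = { name: 'acme.auditor', domain: 'ACME', visibility: ['SP'], roles: [] };

for (const u of [spAgent, acmeUser, acmeAuditor]) {
  console.log(u.name, toggleShown(u, incident), JSON.stringify(referenceFieldAccess(u, incident, 'SP')));
}
```

    The ACME user without a visibility grant is the case to check during an access review: the Assigned to value stays hidden and the choice list is confined to the record's own domain.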

    Domains and associated companies

    With domain separation, you can cascade changes you make to a company record to the domain and other records associated with the company.

    By default, the system automatically assigns users to the same domain as their company. For example, all users of the ACME company automatically become members of the TOP/ACME domain.

    Note: Users with the admin role can change their own user records and therefore change domains. Service Providers may want to either disable delegated administration or set up an approval process to verify that the user needs the admin role.

    When you change a company's domain, the instance automatically changes the domain of the following associated records to match the company's new domain.

    • Locations
    • Departments
    • Groups
    • Users
    Note: The instance does not automatically change the domain of any record where you have selected the Managed domain checkbox.

    Domain deactivation and associated companies

    When you deactivate a domain, the instance also automatically completes the following actions.

    • Deactivates all companies in the domain.
    • Prevents all users assigned to the inactive company from logging in.
    Note: When a user from an inactive company attempts to log in, the user sees an error message.

    For example, if you deactivate the ACME domain from the sample data, the instance also deactivates the ACME company, and the three sample users are locked out.

    Figure 1. Login error message example
    Related concepts
    • Domain assignment
    • Visibility domains and Contains domains
    • Domain query methods
    Related reference
    • Application support for domain separation
    • Installed with domain separation
