Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Visibility domains and Contains domains

Log in to subscribe to topics and get notified when content changes.

Visibility domains and Contains domains

Visibility domains control what a specific user can see, while Contains domains control what an entire domain of users can see.

Visibility domains

Visibility domains is a related list on the user record that determines whether users from one domain can access records from another domain. Granting users a visibility domain grants all the rights they would normally have to the record based on ACL rule permissions.

A visibility domain:

  • Is a user-to-domain relationship and is explicitly granted.
  • Is not a child domain.
  • Is not controlled by the selection in the domain picker. Once the user is granted access to a visibility domain, they always see data in that domain and its children.
Note: Using visibility domains excessively is not recommended. Although visibility is one method to allow users to access records, it is recommended that you use contains domains for more robust control.

Contains domains

Normally parent-child relationships define the domain hierarchy. A contains domain lets you relate domains on an as-needed basis, independent of parent-child relationships. However, contains domains only grant visibility to domain data. Processes remain unaffected by contains relationships.

A contains domain:

  • Is a many-to-many, domain-to-domain relationship.
  • May have child domains. When a domain is selected, you can see the data from that domain and its children.
  • Is controlled by the selection in the domain picker.

Contains domain example

A user has access to domain A (the user's home domain) and is granted visibility to domains B and C. The user selects domain A in the domain picker. In this case, the user has access to domains A, B, and C. If the user changes the domain picker to domain B, B and C are visible. C is still visible because the user still has visibility to it. A is not visible, because it is not selected in the domain picker and it is not a visibility domain.

Visibility domain example

Using domain visibility, if Don Goodliffe is in the Database domain, and Bow Ruggeri is in the Network domain, and no incidents are in the global domain, then Don Goodliffe cannot access Bow Ruggeri's incidents because of data separation.

Figure 1. Sample set of domain-separated incident records
Sample set of domain-separated incident records
Figure 2. Bow Ruggeri's incident list
Bow Ruggeri's incident list
Figure 3. Don Goodliffe's incident list
Don Goodliffe's incident list

You can add the database domain as a visibility domain to Bow Ruggeri's user record. Then Bow Ruggeri can access Don Goodliffe's incidents, since he now has visibility to the database domain. If you remove the visibility domain, then Bow Ruggeri can no longer access incidents in the database domain.

Figure 4. Bow Ruggeri's incident list with visibility domain
Bow Ruggeri's incident list with visibility domain

Inherit visibility domains based on group membership

If you set the domain table to the Group [sys_user_group] table, users can inherit visibility domains based on their group membership.

For example, as a member of the Database group, Don Goodliffe also automatically gains the Database domain as a visibility domain. Group membership grants visibility to any matching domain name.

Inherit visibility domains based on group membership
Feedback