Support level: Standard
- Includes Basic level
- Business logic: Processes can be created or modified per customer by the service provider. The use
cases reflect proper use of the application by multiple service provider customers in a
single instance.
- The owner of the instance needs to be able to configure MVP business logic and data
parameters per tenant as expected for the specific application.
Use case: As an admin, I need the ability to make comments mandatory on close of a
record for one tenant, but not for another.
Overview
Service Providers (SPs) use domain separation to segregate data for each customer. Users in
a given domain have visibility only to the data in their own domains or in child domains.
SPs typically control the top-level domain, which gives them visibility to data associated
with all domains. Given that Discovery domain separation support is considered
Standard, there is no delegated administration to the child domains.
The SPs must retain administrative control.
How domain separation works in Discovery
Multiple domains can be supported by a single MID Server. In releases prior to Kingston,
each MID Server could support only a single domain. In newer releases, segregating domains
by MID Server is useful when the domain is large, or when the domain's resources are held in
a customer's data center rather than the SP's. For Discovery on MID Servers supporting a
single domain, the discovered CIs are assigned to the domain of the MID User used to
authenticate against the ServiceNow instance. In multi-domain MID Servers, the discovered
CIs are assigned to the domain of the user who created the Discovery schedule.
Discovery implements data domain separation through the MID Server by impersonating the MID
Server user during sensor processing. Discovery uses the domain that the MID Server user is
in to determine which domain the discovered data should be put into. Discovery
configuration information, including classifiers, identifiers, probes, and sensors, is not
domain separated.
Service providers generally use IP-based Discovery. In cases where the SP controls the
network addressing, they divide the address space among their customers to ensure that each
domain has a distinct IP address space. The SP assigns one or more subnets to a customer or
domain and creates Discovery schedules for those subnets.
If the SP is remotely managing their customer's data center, there will often be some
overlap between the address spaces that different customers use. In these cases, the SP can use
network address translation (NAT) on the IP range and run a Discovery schedule.
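The following is an added example, not part of the original documentation and not ServiceNow code: a check an SP could run over planned Discovery schedule ranges to confirm that each domain has a distinct IP address space and to flag ranges that overlap across domains and would therefore need NAT. The domain names, subnets and function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: planned Discovery schedule ranges per customer domain.
# Domain names and subnets are hypothetical.
SCHEDULES = {
    "TOP/CustomerA": ["10.10.0.0/16", "192.168.50.0/24"],
    "TOP/CustomerB": ["10.20.0.0/16"],
    "TOP/CustomerC": ["10.10.128.0/17", "172.16.4.0/22"],
}


def _parse(schedules):
    """Flatten to (domain, network) pairs; strict=True rejects CIDRs with host bits set."""
    return [
        (domain, ipaddress.ip_network(cidr, strict=True))
        for domain, cidrs in schedules.items()
        for cidr in cidrs
    ]


def find_cross_domain_overlaps(schedules):
    """Return (domain_a, net_a, domain_b, net_b) for ranges shared by two different domains."""
    conflicts = []
    for (dom_a, net_a), (dom_b, net_b) in combinations(_parse(schedules), 2):
        if dom_a == dom_b or net_a.version != net_b.version:
            continue  # overlap inside one domain is not a separation problem
        if net_a.overlaps(net_b):
            conflicts.append((dom_a, str(net_a), dom_b, str(net_b)))
    return sorted(conflicts)


def domains_for_ip(ip, schedules):
    """Return every domain whose ranges contain ip; more than one means ambiguous ownership."""
    addr = ipaddress.ip_address(ip)
    return sorted({
        domain for domain, net in _parse(schedules)
        if net.version == addr.version and addr in net
    })


if __name__ == "__main__":
    for dom_a, net_a, dom_b, net_b in find_cross_domain_overlaps(SCHEDULES):
        print(f"OVERLAP: {dom_a} {net_a} <-> {dom_b} {net_b} (needs NAT or re-addressing)")
    print("10.10.200.7 is claimed by:", domains_for_ip("10.10.200.7", SCHEDULES))
```

An address that resolves to more than one domain is the case described above where the SP has to translate one customer's range before scheduling Discovery against it.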
Once the CIs are assigned to the correct domain, the visibility and read/write access
control are provided by the platform through the domain hierarchy. Schedules are visible to
users in their respective domains. Cross-domain schedule visibility is not possible, except
for the SP who controls the parent domain and has visibility to all domains.