Domain assignment
-
- UpdatedAug 1, 2024
- 2 minutes to read
- Xanadu
- Now Platform Security
By default, domain separation adds a domain field to tables and their extensions.
You can also extend domain separation to any new tables you create by adding a sys_domain field to the table's dictionary definition. By default, the system only domain-separates platform and baseline application tables where appropriate.
Each record is assigned a single domain. That domain is stored in the sys_domainfield. Several tables, by default, have the sys_domain column and are already domain separated.
- Company to which the user belongs
- Business rule when creating record
- Module used when creating record
- Form template used when creating record
- Domain of the parent record
- Domain assigned to User record
- Domain of the user who creates it
The system prevents the following tables from being domain separated:
- Access Control
[sys_security_acl]
- Script Include
[sys_script_include]
- System Property
[sys_properties]
- Security Exclusion/Inclusion List Entities
[sys_security_restricted_list]
- Dictionary Entry
[sys_dictionary]
- Dictionary Entry Override
[sys_dictionary_override]
Assigning users to companies
Administrators can quickly assign users to a domain by assigning them to a company. After users are assigned to a domain, records automatically inherit the user's domain.
For example, assigning Bow Ruggeri to the ACME company automatically assigns him to the ACME domain. Assigning Don Goodliffe to the Initech company automatically assigns him to the Initech domain. Any records they create are automatically added to the appropriate domain.
Using business rules to assign domains
Administrators can use a business rule to automatically set a domain value when creating a record. The business rule must set a value in the sys_domain field. Administrators must ensure there is a sys_domain column available for the record's table. To learn more see Domain separation recommended practices for service providers.
Using modules to assign domains
Administrators can use the sysparm_domain URL parameter to
automatically assign new records to a particular domain from a module. Administrators must
create a module with an Argument value of: sysparm_domain=sys_ID
of domain
.
Using form templates to assign domains
Administrators can use a form template to automatically assign new records to a particular domain. Administrators must add the sys_domain field to the form and select a domain value. For example, setting the sys_domain field to TOP/ACME domain automatically assigns all records from this template to the TOP/ACME domain.
Domain inheritance on tables
By default, related records inherit the domain of the parent record. For example:
- A change task record inherits the domain of the parent change request record.
- A problem record inherits the domain of the parent incident record.
Automatic domain assignment based on user domains
If no other domain conditions apply, a record automatically inherits the domain of the user who creates it.
On this page
Related Content
- Configuration that can be delegated to internal or external customers
Domain separation is designed to give ServiceNow service providers (SPs) the ability to configure the services they offer to their customers. It is not designed to enable their customers to administer those services themselves, except in a few areas that this topic details.
- Visibility domains and Contains domains
Visibility domains control what a specific user or group of users can see. "Contains" domains control what an entire domain of users can see.
- Domain scope
Domain scope defines what users can and cannot access.
- Concepts for service providers
These concepts work with the existing ServiceNow platform capabilities to help you solve for common use cases.
- Installed with domain separation
Several platform components are added or modified with domain separation.