Domain separation and Safe Workplace suite

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain Separation and Safe Workplace Suite

    The Safe Workplace suite applications support domain separation at a Basic level, excluding the Safe Workplace Dashboard. Domain separation allows for the organization of data, processes, and administrative tasks into logical domains, enhancing control over user access and data visibility. This functionality is crucial for managing multiple tenants effectively and ensuring proper data routing and aggregation.

    Show full answer Show less

    Key Features

    • Domain Separation Levels: Applications are categorized by support levels, including Basic and Enhanced, which provide varying degrees of data and business logic separation.
    • Core Domain and Property Tables: The suite includes the snimtcoredomain and snimtcoreproperty tables, which facilitate domain partitioning and property overrides by domain.
    • Scheduled Jobs: Jobs run separately for each domain, utilizing the core domain table for data processing, and are automatically configured to operate across multiple domains.
    • Parent-Child Domain Limitations: Applications do not support parent domains with child domains, preventing data processing duplication.
    • Domain-Separated Properties: Properties must be explicitly overridden for domains to be visible and editable in the applications.

    Key Outcomes

    By implementing domain separation within the Safe Workplace suite, ServiceNow customers can effectively manage data across multiple domains, control user access, and customize application behavior per tenant. This ensures compliance with data privacy standards, improves operational efficiency, and enhances user experience across various applications such as Contact Tracing and Health and Safety Testing.

    The Safe Workplace suite applications support domain separation at the Basic level with the exception of Safe Workplace Dashboard.

    With domain separation, you can separate data, processes, and administrative tasks into logical groupings called domains. You can then control aspects in each domain, including what users can see or whether they can access the data.

    Domain separation support

    ServiceNow applications that support domain separation might support the separation of data and data routing only, have advanced business logic separation, or support customer-level administration of the application. ServiceNow applications are defined with incremental support levels from the perspective of actual use cases and the people who use them.
    • Basic
      • Data is domain-separated.
      • Logic exists to ensure proper data routing, caching, rollups, and aggregations.
      • Global configuration is operational for multiple tenants
    • Standard
      • Application properties are domain-aware as needed.
      • Business logic can be domain-separated by the instance owner per tenant.
    • Enhanced: Data-driven process enables failsafe configuration by tenants through the UI to drive business logic.

    For more detail on the support levels, see Application support for domain separation.

    How domain separation works in Safe Workplace applications

    The following applications use the Safe Workplace domain table:
    • Contact Tracing
    • Health and Safety Testing
    • Emergency Outreach (Daily Contact Logs, Privacy Consent, and Privacy Consent (common))
    • Emergency Exposure Management

    Admins must install the Domain separation pluginbefore working with these application tables. Most of those tables contain a sys_domain field so they are able to be domain-separated if they have data that needs to be partitioned by domain.

    • Core domain table: Included in the Safe Workplace plugin is an sn_imt_core_domain table. Domains in this table are iterated when scheduled jobs run.
    • Property table: The sn_imt_core_property table extends the sys_properties table and adds a sys_domain field. Adding that field allows sys_properties values to be overridden for a domain.
    Note:
    Values are handled differently for password2​ fields than for other property types. Therefore, the value displays as blank in the domain-separated properties list view.

    The following tables do not have the sys_domain field:

    • app-imt-checkin
      • sn_imt_checkin_outreach_sysauto_script (extends sysauto_script)
      • sn_imt_checkin_response_criteria
      • sn_imt_checkin_response_option_for_health
      • sn_imt_checkin_response_option_survey
      • sn_imt_checkin_response_script
    • app-imt-diagnosis: task_compliance_result
    • app-imt-tracing
      • sn_imt_tracing_wifi_access_register_job
      • sn_imt_tracing_wifi_access_register_stage
    • app-imt-core: sn_imt_core_sysauto_script (extends sysauto_script)

    Scheduled jobs in applications with this level of domain separation run separately for each domain in the table. Scheduled jobs use the core table as the domain source table, and the Domain Iterator check box is automatically enabled by default when domain separation is installed. When the Domain Iterator option is enabled, the job can run in multiple domains.

    The Domain Source Table value is also set to Safe Workplace Domains by default. If you don't see the tables, verify that the Domain Iterator and Safe Workplace Domains settings are selected, and refresh the instance.
    Figure 1. Domain iterator option selected in the Employee Readiness Core Scheduled Script Execution form
    Domain iterator option selected in the Employee Readiness Core Scheduled Script Execution form.

    Parent-child domains

    Domains that also contain a sub-domain or “child” domain are not supported in these applications. Running a job in a parent domain that has a child would mean running the job twice and thus processing the data more than once. You could add a parent domain or add just the child domain but not both.

    Working with domain-separated properties in the Safe Workplace Suite

    When the Domain separation plugin is installed and you navigate to the Properties page in any of the four Safe Workplace domain-separated applications, their properties do not display by default. You must override properties for a domain before they appear in the list.
    Figure 2. Domain-separated properties list with no properties displaying
    Domain-separated properties list with no properties displaying.
    To display the properties, click New on the Properties page. In the form that creates a new domain-separated property, search in the reference field for the property you would like to override. Enter a specific prefix to narrow your search:
    • sn_imt_core for Employee Readiness Core
    • sn_imt_diagnosis for Emergency Exposure Management
    • sn_imt_health_testing for Health and Safety Testing
    • sn_imt_tracing for Contact Tracing
    Figure 3. Entering a prefix in the Property field to narrow the search
    Entering a prefix in the Property field to narrow the search.
    The properties display with a full description of the overrides.
    Figure 4. System Properties list showing the property overrides
    System Properties list showing the property overrides.
    After you create your domain-separated property override, the form displays the domain-separated properties.
    Figure 5. List showing the domain-separated properties
    List showing the domain-separated properties.

    You can navigate back to the record form by selecting a property name in the list.

    Property functions

    Learn more about how these properties function in the following topics: