Domain separation explained
Summary of Domain separation explained
Domain separation in ServiceNow enables segregation of application data, user interface (UI), and business logic within a single customer instance. This multitenant platform architecture supports hierarchical modeling, allowing service providers to deliver secure, efficient, and customizable services to multiple tenants while maintaining centralized governance and administration.
It is important to note that some global elements, such as system properties and table schemas, cannot be separated per tenant. Proper implementation of domain separation helps improve instance efficiency, security, and performance.
Key Features
- Data separation: Tenants only see data they have permission to access. Users and integrations are restricted to their domain data unless explicitly granted additional access. Data updates do not generate Update Set records, maintaining clean change management.
- UI separation: Provides tenant-specific customization of UI elements like views, lists, labels, menus, forms, and dashboards. This allows service providers to tailor branding and user experience per customer while preserving core process logic.
- Business logic separation: Allows tenant-specific system policies, including email notifications, business rules, client scripts, UI policies, and UI actions. Parent tenants' business logic automatically applies to child tenants but can be overridden at any level.
- Hierarchical modeling: Supports nested tenant structures where parent tenants can access child tenant resources, enabling flexible management of tenant relationships.
- Cross-tenant intelligence: Automates handling of data, metadata, business logic, and processing context for tenants with access to multiple domains.
Practical Considerations for ServiceNow Customers
- User records are assigned a home domain, restricting access to data outside their domain and its hierarchy unless advanced domain visibility is configured.
- Implementing domain separation involves overhead but results in improved security, performance, and efficient multitenant management.
- Service providers can leverage domain separation to maintain strong universal process standards, data-driven design, and strict governance.
- There are recommended practices and advanced features such as domain pickers, domain path queries, and domain-specific debugging tools to optimize domain separation management.
Expected Benefits
- Secure and logical segregation of tenant data and processes within a single instance.
- Customized user experiences and business logic per tenant without compromising shared infrastructure.
- Hierarchical tenant management with the ability to override policies at different levels.
- Efficient administration and reporting across multiple tenants while respecting domain boundaries.
- Improved performance and governance for multitenant ServiceNow environments.
With domain separation, you can segregate application data, UI, and business logic, such as rules or workflows, in a single customer instance. Separating these elements into logically defined domains supports specific hierarchies for all customers using your applications.
Domain basics
Domain separation, also known as ServiceNow multitenant platform architecture, adds considerable overhead to the management of an instance. If you use domain separation correctly though, it can improve efficiency, add greater security, and increase the performance of your customers' instances.
You can't separate some global standards and properties, such as system properties and table schema, per tenant.
Before you start separating domains, read the following guidelines.
What you can do with domain separation
- Data separation: Enables tenants of the domain to see only data that they have permissions to see. Tenants can be granted access to other tenant data but can't query tenant data that they don't have access to.
  - When you update data records, they do not generate Update Set records.
  - Users, including the customer accounts that are used for integrations, see only the data in the domains they have permission to access.
  - Customers, agents, and fulfillers see data that pertains to the customers and organizations that they support.
- UI separation: Supports a tenant-specific experience for UI elements such as views, lists, labels, and so on.
  - You can override the browser-based user interface, including application menus, lists, forms, and dashboards. You can also customize them for a specific domain or set of domains while preserving your basic process logic.
  - Service providers can alter the displayed branding and UI elements to meet individual customer needs.
- Business logic separation: Creates tenant-specific system policies such as email notifications, business rules, client scripts, UI policy, and UI actions.
- Hierarchical modeling: Nests your multiple tenants so that parent tenants can access child tenant resources. Business logic for parent tenants runs automatically for child tenants, which you can override at any level.
- Cross-tenant intelligence: Automatically handles data, metadata, business logic, and processing context for tenants with access to additional tenant data.
Domain separation at a glance
The following graphic shows the division of data, process, and UI separation. These concepts are discussed in depth in the Recommended Practices section.
Domain architecture
User records are assigned a domain value that represents the user’s home domain. Users have no access to data in parent domains, peer domains, or domains in other branches of the hierarchy.
See Contains queries and domain access for advanced options to grant additional domain visibility.
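The visibility rule above, together with the parent-to-child inheritance of business logic described under "What you can do with domain separation", as an added example: a conceptual JavaScript model, not ServiceNow code or its API. The domain names, `extraVisibility` and the rule objects are constructed for illustration, and an explicit grant is assumed to follow the same downward rule as the home domain.

```javascript
// Conceptual model only: not ServiceNow code or its API. Domain names are constructed.
const PARENT = new Map([      // child -> parent; TOP is the root of this sample tree
  ['TOP', null],
  ['MSP', 'TOP'],
  ['ACME', 'MSP'],
  ['ACME-EU', 'ACME'],
  ['INITECH', 'MSP'],
]);

// Path from a domain up to the root, nearest first: ACME-EU, ACME, MSP, TOP.
function ancestry(domain) {
  if (!PARENT.has(domain)) throw new Error(`unknown domain: ${domain}`);
  const path = [];
  for (let d = domain; d !== null; d = PARENT.get(d)) path.push(d);
  return path;
}

// A record is visible when its domain is the user's home domain or a descendant
// of it. Parents, peers and other branches are not visible. Domains listed in
// extraVisibility (hypothetical name for an explicit grant) are assumed to
// follow the same rule.
function canSee(user, recordDomain) {
  const chain = ancestry(recordDomain);
  const roots = [user.home, ...(user.extraVisibility || [])];
  return roots.some((root) => chain.includes(root));
}

// Business logic defined for a parent applies to its children unless a closer
// domain overrides it: walk up from the record's domain and take the first hit.
function resolveRule(rules, name, recordDomain) {
  for (const d of ancestry(recordDomain)) {
    const hit = rules.find((r) => r.name === name && r.domain === d);
    if (hit) return hit;
  }
  return null;
}

const rules = [               // constructed sample rules
  { name: 'notify-on-p1', domain: 'MSP', action: 'email MSP service desk' },
  { name: 'notify-on-p1', domain: 'ACME', action: 'page ACME on-call' },
];
const acmeAgent = { home: 'ACME' };
const initechUser = { home: 'INITECH', extraVisibility: ['ACME-EU'] };

console.log(canSee(acmeAgent, 'ACME-EU'), canSee(acmeAgent, 'MSP'),
  canSee(initechUser, 'ACME'));
console.log(resolveRule(rules, 'notify-on-p1', 'ACME-EU').action);
```

A model like this is useful as a test oracle when reviewing a domain design: enumerate user and record pairs and confirm that no pair is visible across branches unless a grant is on file.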
The following diagram shows how the architecture process flows down to the child domains.