Domain separation and the Password Reset application

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Domain separation and the Password Reset application

    The Password Reset application in ServiceNow supports domain separation, allowing organizations to isolate password reset processes by domain. This separation ensures that data, processes, and administrative tasks are logically grouped and controlled by domain, enhancing security and tailored configuration for different tenants or organizational units within a single instance.

    Show full answer Show less

    Key Features

    • Domain-Aware Processes: Each password reset process is defined and operates within a specific domain, preventing cross-domain access or interference.
    • Configurable Elements Per Domain: Administrators configure key components such as connections to credential stores, user groups, identification methods, and verifications within the context of a domain.
    • Credential Store Connections: Connections inherit domain settings from connection types, maintaining domain-specific security and uniqueness constraints.
    • User Group and Enrollment: Users can only enroll in password reset processes available in their assigned domain, leveraging standard ServiceNow domain separation for user accounts.
    • Identification and Verification: Both identification methods and verification types inherit domain settings and enforce uniqueness within domains to ensure accurate identity validation.
    • Domain Separation in Data and Business Logic: All Password Reset tables include a domain column, and process-related business rules and UI actions respect domain overrides to maintain separation.
    • Built on Orchestration: The application uses Orchestration's "Data only" domain separation model, which separates data visibility between domains.
    • Password Change Extension: The Password Change application extends functionality to allow users to change their passwords through self-service forms restricted to their domain, without service desk assistance.

    Key Outcomes

    • Enables service providers or administrators to configure password reset and change processes tailored to specific tenants or organizational domains within a shared instance.
    • Improves security and compliance by isolating password reset data and workflows per domain, ensuring users and admins access only relevant domain-specific information.
    • Supports multiple distinct password reset processes in a single instance, each with unique configurations and user group assignments per domain.
    • Facilitates seamless self-service password management for end users within their domain, accessible via any supported device and interface.

    Domain separation is supported in the Password Reset application. A password reset process that you define in any domain is isolated from a process that you create in any other domain. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.

    Support level: Standard

    • Includes all aspects of Basic level support.
    • Application properties are domain-aware as needed.
    • Business logic: The service provider (SP) creates or modifies processes per customer. The use cases reflect proper use of the application by multiple SP customers in a single instance.
    • The instance owner must configure the minimum viable product (MVP) business logic and data parameters per tenant as expected for the specific application.

    Sample use case: An admin must be able to make comments required when a record closes for one tenant, but not for another.

    For more information on support levels, see Application support for domain separation.

    How domain separation works in Password Reset

    Domain separation for Password Reset is applied at the process level. The admin configures the following elements to define a password reset process: A connection to a credential store, user groups that can use the process, method of identification, and verifications to use during the process.

    • A connection to the credential store where user credentials (like username/password) are securely stored. Each connection inherits the domain setting from a template called a connection type. Each connection type is tied to a domain (the connection type record has a domain field). There are uniqueness constraints on connection names within a domain.
    • One or more user groups on the ServiceNow instance that can use the password reset process. User accounts are members of one or more domains — they use the standard ServiceNow domain separation. When a user enrolls to use one of the password reset processes that is configured for the organization, the user is allowed to choose only from the processes in the user’s domain.
    • The identification — the method that the end user employs to claim identity for the public password reset or password change process. Each identification inherits the domain setting from a template called an identification type. Each identification type is tied to a domain (the identification type record has a domain field). There are uniqueness constraints on identification names within a domain.
    • One or more verifications — methods to verify the identity of the person who is attempting to reset the password. Each verification inherits the domain setting from a template called a verification type. Each verification type is tied to a domain (the verification type record has a domain field). There are uniqueness constraints on verification names within a domain.
    • All Password Reset tables have a domain column.
    • Password Reset process tables include a sys-overrides column on business rules, UI actions, and so on.
    • The Password Reset application is built using Orchestration. Orchestration supports "Data only" domain separation — the data security model of separating visibility of data from one domain to another.

    Password Change process

    The Password Change application extends the Password Reset application by letting admins define how users change their passwords. A service desk-assisted process is not supported. An admin must publish the URL for the self-service password change form.

    The Password Change application enables an end user to change a password over the Internet using a browser on any supported interface, including mobile devices. The end user can select from any configured process in the end user’s domain (or child domain of an end user’s domain).

    A password change process uses the same elements as a password reset process (connections, user groups, identifications, and verifications), with the same domain-separation features.