Hermes Messaging Service domain separation
Summary of Hermes Messaging Service domain separation
Hermes Messaging Service supports domain separation, allowing ServiceNow customers to logically segregate data, processes, and administrative tasks into distinct domains. This separation controls user access to data and ensures business logic routes data to the correct domain, which is essential for multi-tenant or service provider environments.
On domain-separated instances, namespaces configure domain access for Kafka topics within the Hermes Kafka cluster. Topics are assigned to ServiceNow domains via their namespace, and only users with appropriate domain visibility and access control lists (ACLs) can see or interact with those topics.
Key Features
- Domain-based segregation: Separates data at runtime, including user interface elements, cache keys, reporting, rollups, and aggregations.
- Namespace assignment: Users with the kafka_namespace_admin role assign namespaces to specific ServiceNow domains, ensuring all topics created in a namespace belong to that domain.
- Domain-separated tables: Kafka Topics and Kafka Namespaces tables are domain-separated and protected by ACLs to restrict data visibility and access.
- Global domain default: Topics created in the Default Namespace belong to the global domain.
- Plugin requirement: Domain support features require the Domain Support - Domain Extensions Installer plugin to be activated.
Practical Application
This domain separation is crucial when service providers manage messaging for multiple tenants. For example, a service provider responding to tenant-customer messages can ensure that only the relevant tenant and authorized users see the communication, maintaining data privacy and security across tenants.
Instance owners must configure domain separation appropriately for their multi-tenant use cases to benefit from segregated data access and administration.
Domain separation is supported for the Hermes Messaging Service. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can control several aspects of this separation, including which users can see and access data.
Support level: Basic
- Business logic: Ensure that data goes into the proper domain for the application’s service provider use cases.
- The application supports domain separation at run time. The domain separation includes separation from the user interface, cache keys, reporting, rollups, and aggregations.
- The owner of the instance must set up the application to function across multiple tenants.
Sample use case: When a service provider (SP) uses chat to respond to a tenant-customer’s message, the customer must be able to see the SP's response.
For more information on support levels, see Application support for domain separation.
Overview
On a domain-separated instance, you can use namespaces to configure which domains can access specific topics in the Hermes Kafka cluster. You assign topics to ServiceNow domains using the topic record's namespace.
How domain separation works with the Hermes Messaging Service
On a domain-separated instance, a user with the kafka_namespace_admin role can assign namespaces to specific ServiceNow domains. When the Kafka namespace admin assigns a namespace to a particular domain, all the topics created in that namespace will have the same domain. Users can only see and interact with the topics and namespaces they have access to, based on domain visibility and access control lists (ACLs). Topics created with the Default Namespace are created in the global domain.
Both the Kafka Topics [sys_kafka_topic] table and the Kafka Namespaces [sys_kafka_namespace] table are domain-separated tables. Domain separation rules filter which records are available in each domain. In addition to being domain-separated, these tables can also be protected with ACLs, just like any other table.
All domain support features require the Domain Support - Domain Extensions Installer (com.glide.domain.msp_extensions.installer) plugin.
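The rules above (a topic takes the domain of its namespace, and Default Namespace topics sit in the global domain) can be checked offline against an export of the two tables. The following is an added example, not ServiceNow code: the `namespace` reference field, the `sys_domain` field, and the value `global` for the global domain are assumptions about the export format, and the sample records are constructed.

```javascript
// Added example, not ServiceNow code. Input is a constructed export of
// sys_kafka_namespace and sys_kafka_topic; the field names `namespace` and
// `sys_domain` and the value "global" are assumptions about that export.
const GLOBAL_DOMAIN = "global";
const DEFAULT_NAMESPACE = "Default Namespace";

function auditTopicDomains(namespaces, topics) {
  const nsById = new Map(namespaces.map((ns) => [ns.sys_id, ns]));
  const findings = [];
  for (const topic of topics) {
    const ns = nsById.get(topic.namespace);
    if (!ns) {
      // Namespace missing from the export (deleted, or filtered out by the
      // exporting user's domain visibility): the domain cannot be verified.
      findings.push({ topic: topic.name, issue: "namespace_not_found" });
    } else if (ns.name === DEFAULT_NAMESPACE) {
      // Default Namespace topics are expected in the global domain.
      if (topic.sys_domain !== GLOBAL_DOMAIN) {
        findings.push({ topic: topic.name, issue: "default_namespace_topic_not_global",
          expected: GLOBAL_DOMAIN, actual: topic.sys_domain });
      }
    } else if (topic.sys_domain !== ns.sys_domain) {
      // A topic must carry the domain its namespace was assigned to.
      findings.push({ topic: topic.name, issue: "domain_mismatch",
        expected: ns.sys_domain, actual: topic.sys_domain });
    }
  }
  return findings;
}

// Constructed sample records (placeholder sys_ids and domain values).
const sampleNamespaces = [
  { sys_id: "ns0", name: "Default Namespace", sys_domain: "global" },
  { sys_id: "ns1", name: "tenant_a", sys_domain: "dom_a" },
  { sys_id: "ns2", name: "tenant_b", sys_domain: "dom_b" },
];
const sampleTopics = [
  { name: "orders", namespace: "ns1", sys_domain: "dom_a" },  // consistent
  { name: "billing", namespace: "ns2", sys_domain: "dom_a" }, // wrong tenant
  { name: "shared", namespace: "ns0", sys_domain: "global" }, // consistent
  { name: "audit", namespace: "ns0", sys_domain: "dom_b" },   // not global
  { name: "orphan", namespace: "ns9", sys_domain: "dom_a" },  // no namespace
];

console.log(auditTopicDomains(sampleNamespaces, sampleTopics));
```

Take the export as a user who can see every domain; because domain separation filters the records available in each domain, a narrower export shows up here as `namespace_not_found` findings.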