MSP – Domain Separation in ServiceNow
- MSP – Managed Service Providers
- It is a paid plugin; a user needs the maint role to activate the plugin in your instance.
- A domain is a logically defined entity used to separate
- Data
- Processes
- Administrative tasks
- Domain separation controls which users can see and access which data.
- By design ServiceNow has a single-tenant architecture, but with the MSP plugin it can be used as a multi-tenant architecture.
- Multi-tenant: an application structure in which a single instance of the application serves multiple customers, sharing the application properties and a single database.
- ServiceNow with the MSP plugin:
- ServiceNow with the MSP plugin acts as a multi-tenant architecture, where a single instance serves multiple customers using a single database.
- Each customer's data is isolated and remains invisible to other customers.
- When we should not go with the MSP plugin:
- When total separation of all system properties is required
- When global reporting is not required
- When a single set of global processes is not required
- Action items after enabling the MSP plugin
- In UI15
We need to enable the following UI macros:
- domain_select – Domain Picker
- domain_reference_picker – Domain Reference Picker
- In UI16
In UI16, users with the itil role can access the domain picker by default. You can grant access by adding other roles, or restrict it by removing roles, in the system property “glide.ui.domain_picker.role”.
- Domain Picker (By default)
- Domain Reference Picker (glide.ui.domain_reference_picker.enabled)
Domain Structure Creation
After activating the MSP plugin, we can see the Domain Admin application menu in the navigation.
Domain Admin > Domains: list of domains; you can create a new domain from the list view.
Domain Admin > Domain Map: shows the domain structure with parent and child relationships.
Domain Admin > Domain Configuration: shows the configuration related to the MSP plugin, such as
- Tables with sys_domain field
- Domain Settings
- Domain Validation
- Domain Table
- You can change the Domain table itself.
To create a new domain structure, go to Domain Admin > Domains and click the New UI action.
Domain form:
Name – Name of the domain (should be unique)
Type – Metadata about the domain, e.g. whether the domain was created for a customer or a vendor
Parent – A reference field to the Domain table where we can specify a parent domain
Primary – To specify the root domain, set the Primary check box to true. A primary domain does not have a parent domain.
Description – Just metadata for the domain
Active – Only active domains are in use.
Default – We can select one domain as the default domain for an instance. If you cannot see this field on the domain form, you can add it through the form layout. Whenever the system cannot decide the domain while creating a record, it uses this default domain.
Note: Toggle Domain – if you cannot select any domain as a parent, check the Toggle Domain option, which is available as a UI action on the form or as an option in the form context menu.
Let’s create a new domain structure as below.
Create a new record for every domain:
- Root Parent – While creating the record (name=Root Parent), make it the primary domain by setting the Primary check box to true (a primary domain must not have a parent domain; we treat it as the top domain).
- Parent – While creating the record (name=Parent), select “Root Parent” as the parent domain.
- Planning, Developing, Testing – While creating the records (name=Planning, Developing and Testing), select “Parent” as the parent domain.
- Review-Default – While creating the record (name=Review-Default), select “Parent” as the parent domain and set the Default check box to true.
- Pre-Plan, Post-Plan – While creating the records (name=Pre-Plan and Post-Plan), select “Planning” as the parent domain.
- Resource – While creating the record (name=Resource), select “Post-Plan” as the parent domain.
Then navigate to Domain Admin > Domain Map.
We can achieve domain separation without the domain plugin by using the following components:
- Before Business rules
- Access Control List Rules
- Custom Views
- Filters
- Form Layouts
- Notifications
- UI Actions with condition
- Advanced reference qualifiers
- Security on related records
The system does not support domain separation for the following tables:
- Access Control [sys_security_acl]
- Script Includes [sys_script_include]
- System Property [sys_properties]
- Security Black/White list entities [sys_security_restricted_list]
- Dictionary Entry [sys_dictionary]
- Dictionary Entry Override [sys_dictionary_override]
Sys_domain field:
If you go to the Dictionary Entry table, you can see the sys_domain reference field in all system tables such as sys_user, sys_script etc. even before the MSP plugin is enabled.
If you open any one of these records, the field has the value global, but when you try to follow the reference it shows the message “Record not Found”.
The MSP plugin adds a domain field to the Task and Configuration Item tables and their child tables.
You can extend domain separation to any new table by adding a sys_domain field to that table.
Regarding scoped apps that need to run in both MSP-enabled and non-MSP-enabled instances:
As above, if we create a field “sys_domain” in custom tables, it behaves like the system tables such as “sys_user” in a non-MSP-enabled instance, and if you install the app with this custom table in an MSP-enabled instance, it gets data separation.
So scoped app developers need to add a sys_domain field to their custom tables: if the app is installed in an MSP-enabled instance it works with data separation, and if it is installed without MSP enabled the field takes the value global and no functionality changes, the same as for the sys_user table in a non-MSP-enabled instance.
The following domains have special meanings.
- global domain:
- All the records that existed before enabling the MSP plugin are part of the global domain.
- The guest user is part of global.
- Default domain:
- We can set any domain as the default domain, but only one domain can be the default.
- If you set a default domain in an instance, the instance uses the default domain instead of the global domain whenever a record is created.
- Primary domain:
- Only a domain that does not have a parent can be set as the primary domain.
How to create records in a domain:
- First verify which domain you have selected in the domain picker.
- The domain picker is in Settings (upper right corner) > General section, at the bottom.
- Select the Root Parent domain in the domain picker.
- Open a new company record and verify the Domain field value on the company form.
- You can see the same domain that you selected in the domain picker.
- To test once more, change the domain in the domain picker and reload the empty new company form.
- Create a company in the domain Root Parent named Root Parent Company (here you can see the domain path from the primary domain; for example, for the Parent domain the Domain field shows Root Parent/Parent).
- Likewise, create new companies for every domain we created previously by first selecting the domain in the domain picker and then creating a company record. (Make sure you have checked the Customer, Manufacturer and Vendor check boxes, as we have some scripts where only companies with these check boxes true can be selected on the incident, problem or change form.)
- Now the structure is as follows (check the list view from the global domain).
Domain Code:
In the list view of the Domain table, every domain has a domain code; in the above example the domain Root Parent has domain code !!#.
Domain Path:
The domain path depends on the domain hierarchy, considered from the primary domain. Here we have Root Domain as the primary domain.
Root Domain – code = !!#, path = !!#/
Parent domain – code = !!!, path = !!#/!!!/
Assigning Users to a Domain:
- Based on the company record domain:
- MSP automatically assigns a domain based on the user's company record.
- MSP uses the company record to set the domain for any user assigned to the company; users inherit the domain of the company they belong to.
- When we change the company domain, the instance automatically changes the domain of the following records to match the company’s new domain:
- User
- Location
- Department
- Groups
- Based on the default domain:
- When the system cannot decide the domain for a record, it assigns the default domain to that user.
- Only one domain should be set as the default domain for an instance.
- In the absence of a default domain, the system uses the global domain as the default; however, default domain records are accessible only to default domain users, whereas global domain records are accessible to users from any domain.
- Managed domain:
- There is a check box on the sys_user table where we can explicitly specify the user's domain; if you check it, one more field appears on the sys_user form to select the domain.
- The instance does not automatically change the domain of any record where you have selected the Managed domain check box.
- With this we can manually manage which domain a given record belongs to.
- An admin can manually select a domain other than the one assigned automatically from the company record.
- The managed domain field is available on the following records:
- User
- Group
- Department
- CI
- Location
Assigning Records to a Domain:
- Assigning user records to companies: An admin can assign a user record to a domain by assigning the user to a company.
- Using a business rule to assign domains: An admin can use a business rule to automatically set the domain value when creating a record.
- Using a module to assign domains: An admin can use the sysparm_domain URL parameter to automatically assign new records to a particular domain from a module.
- Using a form template to assign domains: An admin can use a form template to automatically assign new records to a particular domain.
- Domain inheritance on tables: Records inherit the domain of the parent record; for example, a problem record inherits the domain of the parent incident record.
- Automatic domain assignment based on user domain: If no other domain conditions apply, a record automatically inherits the domain of the user who creates it.
Domain Scope:
Domain scope defines what data users can and cannot access, and how (process).
- Session Scope Domain
- Record Scope Domain
- Session Scope Domain:
- User domain
- User domain picker domain
A user's session domain is simply the user record's domain when the user domain and the domain picker domain are the same; otherwise, the session domain is the domain the user has selected from the domain picker.
Users from a parent domain can change their session domain from the domain picker.
- Record Scope Domain:
- It is simply the domain of the targeted record.
By default the record scope takes precedence over the session scope.
Granting Domains:
- Contains domain
- Visibility domain
- Contains domain:
- A contains domain lets you relate domains on an as-needed basis, independent of parent/child relationships.
- However, contains domains only grant visibility to domain data; processes remain unaffected by contains relationships.
- While creating a contains relationship, the user needs to use the Toggle Domain option from the UI action on the form or from the form context menu.
- Visibility domain:
- Add a visibility domain to allow a user or group to see and edit records from another domain regardless of the user's or group's normal domain membership.
- A visibility domain is a related list on the user record that determines whether users from one domain can access records from another domain.
- Users can inherit visibility domains based on their group membership.
- By default, when a user in the global domain views a table containing a sys_overrides column, the user sees records from only the global domain.
Practical examples:
Please work through the following examples.
First practical
- Create a new custom table named Test, i.e. name=u_test
- Create the fields First name, Last name and Address with type String, and one more field Domain with name=sys_domain and type=Domain ID.
- Create new users in every company record so the users get the domain according to their company.
- Assign the itil role to every user.
- Create new records in the u_test table by impersonating every user.
- While creating the records you can see the domain separation in the u_test table: if you impersonate a user who is in the Planning domain, he can see all the records of the sub-domains of Planning but not those from Developing, Testing and Review-Default.
- Impersonate admin, change the domain from the domain picker and check the list of records in the u_test list view; admin can see the difference in the list view when selecting the domain “Resource” and then “Planning”.
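The domain hierarchy built above and the visibility rules from the practical, modelled as an added Node.js example (not ServiceNow code and not part of the original notes): it computes the domain path from domain codes and filters constructed u_test records the way the list view would for a user whose session domain is Planning or Resource. Domain names are the ones created above; the codes other than !!# and !!!, the record data, and the treatment of visibility domains as covering their sub-domains are assumptions.

```javascript
// Added example (not from the original notes): a Node.js model of the domain
// hierarchy built above, to compute domain paths and check which u_test records
// a user in a given domain sees. Codes for Root Parent (!!#) and Parent (!!!)
// are from the notes; the others are constructed placeholders. parent === null
// marks the primary domain.
const DOMAINS = {
  "Root Parent":    { parent: null,          code: "!!#" },
  "Parent":         { parent: "Root Parent", code: "!!!" },
  "Planning":       { parent: "Parent",      code: "!!$" },
  "Developing":     { parent: "Parent",      code: "!!%" },
  "Testing":        { parent: "Parent",      code: "!!&" },
  "Review-Default": { parent: "Parent",      code: "!!'" },
  "Pre-Plan":       { parent: "Planning",    code: "!!(" },
  "Post-Plan":      { parent: "Planning",    code: "!!)" },
  "Resource":       { parent: "Post-Plan",   code: "!!*" },
};

// Domain path: codes from the primary domain down to this domain, each
// followed by "/" (Parent -> "!!#/!!!/", as in the notes).
function domainPath(name) {
  const codes = [];
  for (let d = name; d !== null; d = DOMAINS[d].parent) codes.unshift(DOMAINS[d].code);
  return codes.join("/") + "/";
}

// True when `ancestor` is `name` itself or sits above it in the hierarchy.
function isSameOrAncestor(ancestor, name) {
  for (let d = name; d !== null; d = DOMAINS[d].parent) if (d === ancestor) return true;
  return false;
}

// Visibility rule from the notes: global records are visible everywhere; a
// user sees records of the session domain and all of its sub-domains; a
// visibility (or contains) domain grants read access to that domain's records
// outside the user's own branch (assumed here to include its sub-domains).
function canSee(sessionDomain, recordDomain, visibilityDomains = []) {
  if (recordDomain === "global") return true;
  if (isSameOrAncestor(sessionDomain, recordDomain)) return true;
  return visibilityDomains.some((v) => isSameOrAncestor(v, recordDomain));
}

// Constructed u_test records: one per domain plus one global record.
const SAMPLE_RECORDS = ["global", ...Object.keys(DOMAINS)].map(
  (d) => ({ first_name: d + " user", sys_domain: d }));

// Domains of the records a user in `sessionDomain` would see in the list view.
function visibleRecords(sessionDomain, visibilityDomains = []) {
  return SAMPLE_RECORDS.filter((r) => canSee(sessionDomain, r.sys_domain, visibilityDomains))
    .map((r) => r.sys_domain);
}
```

Calling visibleRecords("Planning") returns the global record plus Planning, Pre-Plan, Post-Plan and Resource, while visibleRecords("Resource") returns only global and Resource, matching the difference admin sees when switching the domain picker.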