What is Domain Separation in ServiceNow?

With IT estates relying on multiple providers and mechanisms, the management of your IT is becoming increasingly complex – often spanning multiple environments. Domain Separation can offer a potential solution in ServiceNow, but is it the right choice for your organisation?

For some, a single ServiceNow instance with standard access controls is undoubtedly the simplest way to host and provide IT services across an organisation.

But what if your IT service desk needs to support multiple organisations? And what if you want to provide those organisations with access to shared services without the need for individual ServiceNow instances?

Well, that’s where Domain Separation comes in. Also known as the ServiceNow Sub-Tenant Platform Architecture (or just ‘Dom Sep’, for short), Domain Separation allows you to separate your instance into a hierarchy of segregated domains to manage different customers or organisations within one ServiceNow instance.

But whilst Domain Separation can be the ideal solution for certain use cases, it’s not necessarily the right answer for every organisation.

Given that configuring Domain Separation can have a considerable impact on the administration of your instance, it’s important to question whether it’s the right decision before heading down that road.

Let’s dive into the ins and outs of Domain Separation, exploring what it is, why you might use it and whether it’s right for your organisation.

How does Domain Separation work?

Imagine Domain Separation as separate rooms in a house. Each room has its own contents, and the people in one room can't access the contents of another room unless they have permission to do so. But each room draws on the resources of the house and is managed by the owner, aka, you.

In ServiceNow, a domain is like a virtual room. It's a way to separate data, configurations, and processes within the same ServiceNow instance.

Each domain (room) has its own set of records, business rules, UI pages, scripts, and users. Users assigned to one domain can't use data or functionality in another domain without specific approval.

Domain Separation is a useful option for companies that have multiple organisations or customers using the same ServiceNow instance. Meaning that each organisation or customer has their own isolated environment, whilst still sharing the same subscription services and administration teams.

This can help reduce the risk of data breaches, enforce data privacy and simplify compliance with regulations.

In a domain-separated environment, the owner of the ServiceNow instance is often known as the ‘Service Provider’ and organisations or customers that use it are known as ‘Tenants’, with each having their own domain.

Common use cases

There are some key scenarios where Domain Separation can be particularly useful:

• Controlling external fulfiller access: When external fulfiller users logging into the platform should only have access to specific records required to complete a task, such as an incident, request or change as a licensed ServiceNow user.
• Creating a multi-tenanted instance: A common example of this would be a Managed Service Provider having multiple customers on their instance, or an organisation wanting to separate certain strategic business units (SBUs) but keep them within a single instance.
• Increased data segregation: When customer data needs to be more securely separated than the CSM model allows. Though it’s important to note that the data isn’t physically separate, it’s still contained in one instance, merely logically separated by domain or customer account.

The pros of Domain Separation

Domain Separation can be a good option for organisations that:

• Need to segregate business processes and users across multiple organisations
• Need to keep data separate between customers or business entities
• Need some global reports and processes to be retained

Domain Separation offers different benefits for both the Service Provider and Tenants of an instance.

As a Service Provider or owner, you’ll benefit from:

• Volume licensing discounts
• Centralised administration of your tenants
• Data segregation between domains
• Global reporting across all tenants in your instance

As a Tenant, you’ll benefit from:

• Pre-built processes and capabilities
• Reduced staffing requirements
• Faster onboarding
• Shared instance costs
• Access to services offered by the service provider

All sounds great, right? But, before you get too excited by the potential benefits, it’s worth sparing a thought for why you might not want to do it as well.

The cons of Domain Separation

Whilst Domain Separation suits certain use cases, it also comes with a significant administrative burden and long-term consequences that need to be considered.

You should consider that:

• Data isn’t truly separate: All data remains within the instance, there’s just an additional layer of security that makes it available to those with the correct access. If you need it to be physically separate, you’ll need a different instance per customer/organisation or business unit.
• Admin control stays with the Service Provider: If the instance is multi-tenanted, admin access isn’t provisioned to the individual customers of domains. This can drastically ramp up the administration required from you as the service provider, as you’ll be the one having to make any changes or deal with any requests.
• Adding new services will be harder: The services or modules currently installed will be the only ones available. If you want to add new ones, they’ll need to be implemented at the instance level and then configured to work with your specific Domain Separation requirements.
• It can only be enabled in a new instance: That means a large amount of up-front configuration. And once it’s been set up, it’s there to stay. It can be disabled, but never removed.

The problem with Domain Separation is that it substantially increases the amount of work required to maintain a ServiceNow instance. Every new development, module or enhancement will need customising to work with the unique configuration of your instance rather than working ‘out of the box’.

You’ll also need to ensure that system performance and user productivity aren’t crippled by thousands of queries being triggered each time a user tries to access a domain. This requires advanced use case-related configuration to allow queries to execute in a way that reduces administration, user impact and performance issues.

This would need advanced ServiceNow technical knowledge that your internal IT team may not have, which means you’ll need the support of a dedicated ServiceNow partner to keep you up and running.

It’s also important to reiterate that whilst Domain Separation can be disabled in your instance, it can’t be removed – which will have a lasting impact on future changes and additions to your ServiceNow instance.

Is Domain Separation right for you?

We would recommend thoroughly examining whether Domain Separation is the right solution for you. There are plenty of alternatives that may achieve what you need without the additional admin headache of going full ‘Dom Sep’.

Alternative solutions could include:

• Before business rules
• Access controls
• Filters
• Security on related record
• Custom views
• Form layouts
• Notifications
• UI action conditions
• Advanced reference qualifiers
• Ticket-to-ticket eBonding to external systems

To assess whether Domain Separation is necessary, ask yourself the following questions. If the answer to any of them is ‘No’, then, chances are, a single instance and one of the alternatives above will suit your needs better:

1. Logical data separation: Can the data be logically separated instead of physically separating it?
2. Scale: Is the customer small enough to not require multiple nodes and/or dedicated hardware?
3. Platform requirements: Can the customer or business unit work with the products and services provided on a shared platform?
4. Process differences: Do the customer processes require less than five per cent of change from shared processes?
5. Administration requirements: Does the instance owner administer the instance with the customer only managing limited configuration?

Still unsure?

Domain Separation is no small endeavour. It can have massive ramifications on how you manage your instance and any customers or domains within it.

As we’ve outlined above, Domain Separation can be a good solution – but only in certain scenarios. For most organisations, your data security or access needs can likely be met in a different way.

But we know it’s not always clear which is the best way forward. If you’re still feeling unsure about whether Domain Separation is right for your organisation, please reach out to us and we’ll work with you and advise on a solution that best meets your needs.

Key takeaways

• Domain Separation can be a helpful way to segregate multiple customers or business units on a single instance but retain global control and reporting.
• It helps enforce a higher degree of access control and data protection if cross-organisation data needs to stay ‘need-to-know’.
• However, it can have long-lasting consequences to the level of admin and configuration required to maintain your instance, so choose carefully.
• There are several alternatives that should be explored before deciding. Seek support from ServiceNow or a trusted partner to find the best solution for your needs.