There are multiple approaches to separating data and process within ServiceNow. This article discusses how to choose the best option for your business requirements.
Many organizations want to separate data between different lines of business, departments, regions, or companies. Sometimes different areas of the business may even want to separate their processes, workflows, and user interfaces. ServiceNow offers the following data and process separation options from simplest to most complex.
- System Security
- Domain Separation
- Separate Instances of ServiceNow
- Legacy: Company Separation
Filters offer a very simple, flexible, and useful way to visually separate data by limiting the records a query returns. For example, the Incident > Open module uses a filter to display only the incidents where the Active field is set to true. Filters are available for every ServiceNow list.
Filters do not prevent users from seeing other data in the instance. Users who click the breadcrumbs at the top of the screen or issue a query with a different filter can see the full data set. This is often the desired behavior since it allows users to quickly navigate to relevant data and grants them permission to see any data they like through filter customization.
System security allows you to determine what data users can access. Use contextual security rules to dictate access controls, such as allowing only users with the problem_manager role to see problem records. You can also use contextual security to dictate whether users can read, write, create, update, and delete records or fields.
Contextual security allows you to apply dynamic rules. For example, the user who creates a change request cannot be the user who approves the request. System security enforces role-based security settings.
Domain separation does two things:
- Separates data
- Separates administration (workflow, policy, and UI definition)
Domain separation is best for those organizations that want to:
- Enforce data separation between business entities.
- Customize business process definitions and user interfaces for each domain.
- Use a single instance of ServiceNow to maintain global processes and global reporting.
Domain separation is extremely well suited for managed service providers (MSPs) and global enterprises with unique business requirements in various areas of the world. Domain separation is incredibly powerful and flexible but requires ongoing discipline to ensure that new domains do not conflict with existing domains.
Separate Instances of ServiceNow
Providing separate instances for each business unit or entity creates completely unique environments with separate databases. Separate instances of ServiceNow provide each business entity the most configuration and customization flexibility.
This arrangement works well when:
- There is no commonality in business process definition between business units.
- There is no desire to share data or report globally across business units.
You can request additional instances from HI.
Legacy: Company Separation
When you activate the Company Separation plugin, users with a company value in their user record can only see data for their company and its child companies.
Company separation applies to any table that has a Company or u_company field. For example, the task table has a Company field, so a user in Company A can see only those tasks (such as incidents, change requests, and problems) that are assigned to Company A or Company A's hierarchical children.
To make company separation apply to a table that does not have a Company field by default, create a custom Company field on that table. Users who do not have a company value on their record in the User [sys_user] table are not restricted by company separation.
Company separation is best for organizations that want data separation but do not need the process or UI separation of a domain-separated implementation.
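The visibility rule described in this section, modeled as an added JavaScript example (not ServiceNow's own code or API). The company names, user names, record number, and function names are constructed for illustration, and the model assumes that a record with an empty company value is hidden from restricted users.

```javascript
// Model of the company separation rule (constructed data, not ServiceNow code).
// Constructed hierarchy: company -> parent company (null = top level).
const parents = { A: null, A1: "A", A2: "A1", B: null };

// Return `company` plus all of its hierarchical children.
function subtree(company, parentOf) {
  const result = new Set([company]);
  let grew = true;
  while (grew) { // repeat until a pass adds no new child (also stops on cycles)
    grew = false;
    for (const [child, parent] of Object.entries(parentOf)) {
      if (parent !== null && result.has(parent) && !result.has(child)) {
        result.add(child);
        grew = true;
      }
    }
  }
  return result;
}

// Name of the field that makes a table subject to separation, or null.
function companyField(columns) {
  return ["company", "u_company"].find((f) => columns.includes(f)) || null;
}

// Decide whether `user` can see `record` in a table with the given columns.
function canSee(user, record, columns, parentOf) {
  const field = companyField(columns);
  if (field === null) return true; // no Company field: table is not separated
  if (!user.company) return true;  // no company on the user record: not restricted
  // Assumption: a record with an empty company matches no subtree and is hidden.
  return subtree(user.company, parentOf).has(record[field]);
}

// Audit helper: users that company separation does not restrict at all.
function unrestrictedUsers(users) {
  return users.filter((u) => !u.company).map((u) => u.name);
}

// Constructed sample users and one task record.
const users = [{ name: "alice", company: "A" }, { name: "bob", company: "B" }, { name: "carol", company: "" }];
const task = { number: "INC0001", company: "A2" };
for (const u of users) console.log(u.name, canSee(u, task, ["number", "company"], parents));
console.log("unrestricted:", unrestrictedUsers(users));
```

The audit helper surfaces the two gaps the text calls out: user records with no company value, and tables with neither a Company nor a u_company field, are outside the separation entirely.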