Tips for Domain Separating 'NON Out of Box Domain separated' Tables


Description

Background: 

With the activation of the Domain Separation plugin, the system by defaults activates Domain Separation on many platform tables.

Here is online documentation about this: 

Domain Separation

This is documented in the last 2 sections in the above link under 'Application support for domain separation' and 'Installed with Domain Separation sections'.

In addition, any custom table created on the instance or even many of the out-of-box tables can be customized and domain separated simply by adding the 'sys_domain' field to the table. 

However, there are some tables/applications that should never be Domain separated, while some other tables/applications were just adding the sys_domain field is not adequate to achieve domain separation and therefore domain separating such tables is not recommended by ServiceNow. 

This document attempts to detail this information. 


Deny listed tables for Domain Separation

The sys_security_restricted_list table stores potential deny list and allow listed entries for platform tables.

Domain Separation tables that are deny listed have the Type field set to 'deny list' and List context field set to 'non_domain_separable' as per screenshot below. 

Out of the box, when the Domain Separation plugin is activated, the system adds the above 5 tables as non_domain_separable: Security exclusive/inclusive list Entities, ACL, Dictionary, System Properties, and Script Includes. 


Domain Separation on Specific Out of Box Tables

CMDB:


CMDB Models


IP Services:


CI Relations:


Field Encryption (com.glide.encryption Plugin):

  

Operational Intelligence:


Fiscal Calendars: