Frequently Asked Questions

How does Simple Data Separation compare with Domain Separation?

Simple Data Separation is the ideal solution for robust data segregation & on-demand access provisioning. Domain Separation is for situations requiring both data & process segregation, such as complex MSP environments. Check out the links below for additional information:

• Competitive Matrix

• Simple Data Separation v Domain Separation

Is there a strong business case for using Simple Data Separation?

Yes! Check out the link below for analysis on the expected return on investment for Simple Data Separation:

• Simple Data Separation ROI

What types of tables will Simple Data Separation work with?

Simple Data Separation is compatible with all types of tables in ServiceNow. This includes global tables, scoped tables, and custom tables you create.

How will Simple Data Separation affect the performance of my ServiceNow instance?

Simple Data Separation is very performant relative to other methods of data segregation. In many cases, using Simple Data Separation can improve your data access speeds, due to the fact that a well-crafted query will reduce the amount of data returned from the database. For many tables, this will improve performance.

Compared to ACLs, Simple Data Separation only runs once per query, whereas ACLs run for every row returned. This generally makes Simple Data Separation much more efficient than ACLs

While Domain Separation will be efficient for most queries, it nevertheless adds an additional layer of processing onto your ServiceNow instance. For this reason, Domain Separation is a less efficient overall solution for simple data segregation when compared to Simple Data Separation.

Simple Data Separation includes tools for testing & troubleshooting performance. See more at Performance Testing.

How can I determine if a Separation Rule is affecting access for a specific user & record?

Simple Data Separation is additive, meaning that it works alongside any ACLs, Domain Separation, or other security mechanisms you have in place. To determine if Simple Data Separation is brokering access for a specific user/record, follow our method outlined in Functional Testing.

How will Simple Data Separation affect my existing ACLs, Domain Separation and User Criteria?

Simple Data Separation is additive to any existing security and will not disable or override ACLs, Domain Separation or User Criteria that is currently in use. Many customers choose to disable other forms of data separation in favor of Simple Data Separation, but that is a separate manual process.

Does Simple Data Separation work with Database Views?

Yes! You can build Separation Rules on Database View tables just the same as you would on a normal ServiceNow table.

Can I create multiple Separation Rules for the same table?

No, Simple Data Separation will not allow multiple rules for the same table. When combining multiple Separation Rules, the results can be unpredictable. For this reason, we enforce a single rule per table.

If conflicts are detected due to Cascade rule behavior between rules on parent/child tables, a warning will be displayed guiding you to adjust Cascade exceptions appropriately to eliminate the conflict.

I've made changes to a Defined Relationship, but when I test it the results are always the same. What's wrong?

If session caching is enabled in General Settings, changes to Defined Relationships won't be represented in a user session until that user logs out and logs in again. When developing & testing Defined Relationships, it is recommended to disable session caching to avoid this inconvenience.

I have a Separation Rule on Department/Location/Company, but when I change those values on my test user, the results are always the same. What's wrong?

Due to session caching, changes to user department, location, or company values won't be represented in a user session until that user logs out and logs in again. When developing rules, ensure you logout and login again in order to reset the user session.

How do you recommend deploying Separation Rules between dev/test/production instances?

Separation Rules are captured in update sets. We recommend developing Separation Rules within an update set and using that update set to move configuration between instances, the same as typical ServiceNow development.

We do have customers who will update Separation Rules directly within their production instance. This can provide additional agility in environments where frequent changes to data segregation policies is needed, but we do not recommend this for most customers.

Can I roll back a Separation Rule to a previous version?

Yes! Separation Rules are versioned the same as most other configuration records in ServiceNow. If you need to roll back a Separation Rule to a prior version, simply use the Versions related list on the Separation Rule form to find your desired version and revert.

How do I ensure my task list view is protected?

If an extended table is protected by a Separation Rule, but the parent table is not, then a user may still to navigate to a list view of the parent table and see some data from the extended table records. In this case, only the data visible from the parent list view will be shown. If the user tries to click into the extended table record, the Separation Rule will take effect in and forbid the form view.

For example, if a Separation Rule exists on incident, but a user navigates directly to a list view of task, they may be able to see whatever fields are exposed at the task level. If they attempt to click into the incident from the list, that will trigger a query against the incident table and forbid them to see the form view.

To protect against any unintended data visibility, we recommend protecting the parent table with a Separation Rule. Simple Data Separation will warn of any possible misconfiguration. More detail is available at Parent/Child Table Security.