Domain Separated User and Group Roles

raprohaska
Kilo Guru

We have a need to assign different roles to a user depending on the domain of the record. So User1 may have ITIL access in Domain1, but they have zero access in Domain2.

Upon reading Re: Domain separation and Child roles, I had some hope that we could use the domain separated nature of the User/Group Roles table, but:

  • There is a BR that always sets the user role domain to the user's domain.
  • Roles inherited via group or "contains role" relationships get added to the user with a User Role domain of global.
  • I even deactivated the business rule so I could manually set the domain of the User Roles record. It seems that when ACLs are processed, it bypasses domain separation and pulls the role in no matter what.

Does anyone know of a way to leverage domain separation to drive different roles for a single user (or users within a group)?

Thanks for any help you can give,

AA

8 REPLIES

Michael Fry1
Kilo Patron

Hey Aaron . . . in the drawing below, the Customer 1 domain cannot be selected from the MSP domain, or the TOP or Process domain. The only person(s) that can see Customer 1 are admins in global OR users in Customer 1. The same holds true for the Customer 2 domain. Does this help any?


Screen Shot 2016-11-17 at 12.44.50 PM.png


That's not really how our business works. We have what we call leveraged teams, so all FIS users could need access to any client domain at a given time. But each user may play different roles for each of the clients. So they need access to all the data from a domain separation perspective. But they may not need access (ACL) to specific functionality depending on what role they provide to the specific client. So, it would be nice to have user roles specific to the session domain or domain of the record, to drive proper functional access across multiple clients.



Example:
We could have a user that is a CMDB manager for a subset of our clients, yet be ITIL for all clients, if that makes any sense. Again, the point is that this person would need access to all domain data from an ITIL perspective, but they would only take on the role of CMDB manager in a subset of those domains. Thus far we have forced a manual process to restrict those features, but we would prefer to strengthen the tool so that we limit human error.


Hi. I have the same issue with users and roles. One user who has no role in domain1 should have the ITIL role in domain2 (which is contained by domain 1).


Was wondering if you had figured out the issue and had a solution for this.



Thank you,


Atiyeh


Hello
I just need some help. If we give someone admin access in any particular domain, that admin access is not stopping him from viewing user data at global level or creating users at global level.

Is there any role which allows a domain admin to only view data in their domain in domain separation?

Regards
Rashid Latif