Domain Separation | Managing the users on Global domain

vrnath
Tera Contributor

Hello All,

Appreciate your help on this.

Currently we are working on a domain-separated instance, where we are facing an issue with the users. Right now, we have a domain structure like this:

Global

|

Global/Company   (Company is where we built all the blueprint, and it has access to all the data in global and all customer domains)

|

Global/Company/CustA && Global/Company/CustB

We have different support groups, and the users (support people) are in Company. From there we have already given the users visibility to see all the data in CustA & CustB (e.g. incidents reported by CustA & CustB can be seen by the support group people based in Company). As we declared all the users in Company, we don't want to create the users (support people) in CustA and CustB. We want to create some different groups for CustA & CustB and add these users (support people) to those groups.

As we are using AD and making the user ID the email, recreating the users will also be an issue because of duplication.

The other thing we tried was to make these users (support people) global, but they are getting access to all the domains from the settings menu, as well as the data. (We thought of writing an access control on the Domain table to only allow admins with domain = global to create/write and delete items on the domain table. Will this work to hide the drop-down of the domain menu in settings?)

We thought of making the group global, but once the incident is created and we change the domain to Company, the users are still not populating.

How can we have the users (support people) created under one domain, and is there any way to use those users in other domains? As it's a domain-specific environment, the records created in one domain can't be visible in another domain.

Please suggest any other alternative which I missed.

Thanks in advance!!

Raghu

17 REPLIES

Michael Fry1
Kilo Patron

Here's a good explanation right from the wiki. You can avoid using domain picker if you use domain toggle.


2.4 Domain Scope

Every user has two domain scopes when establishing a session in a domain separated instance.


  • Session scope: is set upon session establishment to the domain listed in the user's user record. Users can manually change their session domain scope from the domain picker.
  • Record scope: uses the domain of the record and is active when viewing the form of any record.

By default, the record scope takes precedence over the session scope so that fulfillers in higher level domains adhere to each record's data and process constraints. However, these fulfillers can choose to expand or collapse the domain scope to show or hide data from other domains. For example, a user in the MSP domain also has visibility into child domains such as the ACME domain. When looking at an incident record from the ACME domain, the user can choose to expand the domain scope to show values from the MSP domain or collapse the domain scope to only show record values that match the record's ACME domain.


Note: Users always have access to data from domains that have been explicitly granted to them by domain visibility.


Users with the domain_expand_scope user role can select the domain scope from the Toggle Domain Scope UI action on the form. When record scope is in effect, click the UI action to expand to session scope and display all data available based on the user's domain and child domains. When session scope is in effect, click the UI action to collapse to record scope and display only data that matches the current record's domain.


Note: A record will not display the UI action to toggle the domain scope if the record is in the global domain or if the user's domain matches the record's domain.


The option to select the domain scope is available starting with the Fuji release.
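
Added example, not part of the original thread and not ServiceNow code: a simplified JavaScript model of the session scope and record scope rules quoted above, applied to the thread's domain layout. The user and record objects, the function names and the exact-match treatment of domain visibility are assumptions made for illustration.

```javascript
// Simplified model of the two domain scopes in the quoted wiki text.
// Domain paths, users and records below are constructed sample data.
const sameOrChild = (domain, parent) =>
  domain === parent || domain.startsWith(parent + "/");

// Session scope: the user's own domain and its child domains.
function inSessionScope(user, domain) {
  return sameOrChild(domain, user.domain);
}

// The Toggle Domain Scope UI action needs the domain_expand_scope role and
// is not shown for records in the global domain or in the user's own domain.
function canToggleScope(user, record) {
  return user.roles.includes("domain_expand_scope") &&
    record.domain !== "Global" &&
    record.domain !== user.domain;
}

// Is data from dataDomain shown on the form of `record`?
// expanded = the user clicked the toggle to expand to session scope.
function visibleOnForm(user, record, dataDomain, expanded) {
  // Explicit domain visibility always applies (exact match: an assumption).
  if (user.visibility.includes(dataDomain)) return true;
  if (expanded && canToggleScope(user, record)) {
    return inSessionScope(user, dataDomain);
  }
  // Default: record scope, only data matching the record's domain.
  return dataDomain === record.domain;
}

// Constructed case from the thread: a support user in Company working on
// a CustA incident, trying to pick an assignee whose record is in Company.
const mrA = {
  domain: "Global/Company",
  visibility: ["Global/Company/CustA", "Global/Company/CustB"],
  roles: ["domain_expand_scope"],
};
const custAIncident = { domain: "Global/Company/CustA" };

console.log("Company users visible, record scope:",
  visibleOnForm(mrA, custAIncident, "Global/Company", false));
console.log("Company users visible, expanded scope:",
  visibleOnForm(mrA, custAIncident, "Global/Company", true));
```
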


Hi Charlie,



Many thanks for your valuable response,



I already went through this in the wiki, but here our situation is a bit different. According to the wiki, when users are under the top domain they are able to see the child domain records by granting the visibility domain of the child under the parent, so that they can change the domain scope and can view the records. In our situation we have already done that, so all the support people who have to support CustA and CustB already have visibility access to these child domains, as they can see and update the records as well. And when they want to create a record, they choose the specific child domain under the settings and enter the record under CustA & CustB.



But as the support team is very small, the same people are getting the tickets for both CustA and CustB. So under CustA the group names will be different but the support people remain the same. The support people are based in Company (parent domain), and the groups we are creating are under the CustA domain (child domain), so we want to populate the users under CustA (child domain).



We tried making the users global, but it's having adverse effects: the users (support people) are getting visibility to the global and Company domains as well.


So we tried making the group global and added some people to it who belong to the parent domain support people. But once the record is created under the child domain, even after we changed the domain to Company (parent domain), we are still not able to see the users; as the record was generated under the child domain, it is not populating the users which we added from the parent domain.



We are now trying to find a way to create the support people group under the parent domain and then get them into the child domain groups.


E.g. Mr A (user in parent domain) is a support person for Company (parent domain) in the group windows (the windows group is also in the parent domain).


We want to get Mr A under the child domain CustA for the CustA windows group (the group is in the child domain), but Mr A's user record is in the parent domain.



Will wait for your reply



Thanks


Raghu


Your Company (parent) domain is MSP type. Your groups and users are also in that domain. When you open a ticket for CustA, the domain automatically changes and you are in the CustA domain but can't see users in the parent domain. You have to have the role domain expand scope, which gives you access to the UI action. When in the CustA domain, you can right-click to Toggle domain scope, which makes it so you can see your domain (parent) and the CustA domain at the same time, thus allowing you to set assigned to.


Hi Michael,



Thanks for the quick response,



Your Company (parent) domain is MSP type. Your groups and users are also in that domain. - Current situation



When you open ticket for CustA, the domain automatically changes and you are in CustA domain but can't see users in parent domain. - (It's not automatically changing to CustA.) Currently, when we the support people want to open a ticket for CustA, they manually change the domain under the settings button and then open the ticket for CustA.



You have to have the role domain expand scope, which gives you access to UI action. When in the CustA domain, you can right-click to Toggle domain scope which makes it so you can see your domain (parent) and CustA domain at same time, thus allowing you set assigned to. - I have seen the toggle scope under the domain, but didn't get it. If possible, can you explain in detail about this domain expand scope role and how to see the parent and CustA domain users in the CustA domain?



Will wait for your response.



Thanks


Raghu