Domain scope

Domain scope defines what users can and cannot have access to.

Every user has two domain scopes when establishing a session in a domain separated instance.

  • Session scope is set upon session establishment to the domain listed in the user's user record. Users can manually change their session domain scope from the domain picker.
  • Record scope uses the domain of the record and is active when viewing the form of any record.

By default, the record scope takes precedence over the session scope so that fulfillers in higher level domains adhere to each record's data and process constraints. However, these fulfillers can choose to expand or collapse the domain scope to show or hide data from other domains. For example, a user in the MSP domain also has visibility into child domains such as the ACME domain. When looking at an incident record from the ACME domain, the user can choose to expand the domain scope to show values from the MSP domain or collapse the domain scope to only show record values that match the record's ACME domain.

Note: Users always have access to data from domains that have been explicitly granted to them by domain visibility.

Users with the domain_expand_scope user role can select the domain scope from the Toggle Domain Scope UI action on the form. When record scope is in effect, click the UI action to expand to session scope and display all data available based to the user's domain and child domains. When session scope is in effect, click the UI action to collapse to record scope and display only data that matches the current record's domain.

Note: A record will not display the UI action to toggle the domain scope if the record is in the global domain or if the user's domain matches the record's domain.