Domain scope defines what users can and cannot have access to.
Every user has two domain scopes when establishing a session in a domain separated
- Session scope is set upon session establishment to the domain listed in the
user's user record. Users can manually change their session domain scope from the domain
- Record scope uses the domain of the record and is active when viewing the
form of any record.
By default, the record scope takes precedence over the session scope so that fulfillers in
higher level domains adhere to each record's data and process constraints. However, these
fulfillers can choose to expand or collapse the domain scope to show or hide data
from other domains. For example, a user in the MSP domain also has visibility into child domains
such as the ACME domain. When looking at an incident record from the ACME domain, the user can
choose to expand the domain scope to show values from the MSP domain or collapse the domain scope
to only show record values that match the record's ACME domain.
Note: Users always have access to data from domains that have been explicitly granted to them by
Users with the domain_expand_scope user role can select the domain scope from the
Toggle Domain Scope UI action on the form. When record scope is in
effect, click the UI action to expand to session scope and display all data available based to
the user's domain and child domains. When session scope is in effect, click the UI action to
collapse to record scope and display only data that matches the current record's domain.
Note: A record will not display the UI action to toggle the domain scope if the record is in the
global domain or if the user's domain matches the record's domain.