Domain visibility

Domain visibility determines whether users from one domain can access records from another domain.

For example, if Don Goodliffe is in the Database domain, and Bow Ruggeri is in the Network domain, and no incidents are in the global domain, then Don Goodliffe cannot access Bow Ruggeri's incidents since data separation prevents this.

Note: While visibility is one method to allow users to access records, it is recommended that you use Contains for more robust control.
Figure 1. A sample set of domain separated incident records
Figure 2. Bow Ruggeri's incident list
Figure 3. Don Goodliffe's incident list

You can add the Database domain as a Visibility Domain to the Bow Ruggeri's user record (Visibility Domains is a related list on the user record). Then, Bow Ruggeri can access Don Goodliffe's incidents since he now has visibility to the Database domain. If you remove the visibility domain, then Bow Ruggeri can no longer access incidents in the Database domain.

Figure 4. Bow Ruggeri's incident list with visibility domain
Note: Granting users a visibility domain grants them all the rights they would normally have to the record based on ACL rule permissions.

Users can also inherit visibility domains based on their group membership if you set the domain table to the Group [sys_user_group] table. For example, as a member of the Database group, Don Goodliffe also automatically gains the Database domain as a visibility domain. Group membership grants visibility to any matching domain name.

Figure 5. Visibility domains granted by group membership

Contains domains

Normally parent-child relationships define the domain hierarchy. A Contains domain allows you to relate domains on an as-needed basis, independent of parent-child relationships.

However, contains domains only grant visibility to domain data. Processes remain unaffected by contains relationships.

Note: Visibility controls what a particular user can see, while Contains controls what an entire domain of users can see.

Contains domains versus visibility domains

Contains domains and visibility domains differ in several respects.

A contains domain:
  • Is a many-to-many, domain-to-domain relationship.
  • Is hierarchical. When a domain is selected, you can see the data from that domain and its children.
  • Is controlled by the selection in the domain picker.
A visibility domain:
  • Is a user-to-domain relationship and is explicitly granted.
  • Is not hierarchical.
  • Is not controlled by the selection in the domain picker. Once the user is granted access to a visibility domain, they always see data in that domain and its children.

For example, there is a user who has access to domain A (the user's home domain) and is granted visibility to domains B and C. The user selects domain A in the domain picker. In this case, the user has access to domains A, B, and C. If the user changes the domain picker to domain B, B and C are visible. C is still visible because the user still has visibility to it. A is not visible, because it is not selected in the domain picker and it is not a visibility domain.

Using visibility domains excessively is not recommended.