Encryption Support provides the ability to encrypt data in an instance. The ability to access encrypted data in a domain depends on a user's role and domain assignments. Domain separation allows you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.
Domain separation in this application is supported at the Data only level, meaning it supports the data security model of separating visibility of data from one domain to another. To learn more, see Application support for domain
How domain separation works in Encryption Support
In Encryption Support, encryption configurations and keys are defined by an encryption context. You assign an encryption context to a role or roles, and then assign roles to specific users. Encryption contexts are user-specific, so when you restrict a user to specific domains, the user can access encrypted data only in the domains to which that user has access.
Domain-specific forms and fields are supported. However, there are some restrictions:
- If an encrypted field appears on multiple forms, regardless of domain, the field is encrypted on all forms in all domains.
- Level 1 domain separation is not supported because it would allow Managed Service Providers (MSPs) to create and manage domain-specific encryption contexts and encryption keys across all
- Level 2 domain separation does not apply to encryption.
- Level 3 domain separation is not supported because it would allow domain administrators to create and manage domain-specific encryption contexts and keys for their domain.