An overview of domain separation in Cloud Management. With
domain separation you can separate data, processes, and administrative tasks into logical
groupings called domains. You can then control several aspects of this separation, including
which users can see and access data.
Support level: Basic
- There is business logic to ensure data goes into the proper domain for the
application’s service provider use cases.
- In the application, the user interface, cache keys, reporting, rollups, aggregations,
and so on, all consider domain at run time.
- The owner of the instance needs to be able to set up the application to function
normally across multiple tenants.
Use case: As a service provider when I use chat to respond to a tenant-customer’s
message, the client must be able to see my response.
Overview
Basic support targets tenant domain requester use cases in an
application. The application has been designed to support requester activities within tenant
domains. Logic is in place to route data to tenant domains, based on applicable use cases.
The owner of the instance must be able to set up the application to function normally across
multiple tenants. The application handles data routing to domains.
Not every table in Cloud Management is domain separated, and delegated domain
separation is not supported.
Domain separation for Cloud Management is designed for:
- Service Providers (SPs) using the application to provide data
separation. In this scenario, SPs can provide data separation to
multiple customers, where domains are necessary to contain all relevant customer data
and processes. For example, an SP may provide support to customers who typically use
Cloud Management to manage their IT infrastructure on the cloud. SPs can use a
single instance to manage cloud resources for multiple customers using a dedicated
MID Server per customer. SPs can provide catalogs, template profiles,
Resource Pools & filter, Resource profiles, Quotas, Permissions, IP Address
Management (IPAM), Lease and Business hours scheduling, and a view to Billing, as
domain separated offerings to their customers.
How domain separation works in Cloud Management
Domain separation for Cloud Management aligns one or more companies to a domain.
To use domain separation with the application, assign all user accounts to a specific
company associated with that domain.
All entities that are related to the company, such as cloud accounts and service accounts,
are created in the same domain as the company. When a new company is created, create a
domain with a unique name and assign it to the company. All related entities for an account,
such as contacts and cases, must reside in the same domain. When you create a related entity
for a domain-separated account, the entity is assigned to the company domain.
Members of a domain can only view the data that is contained within their domain or child
domains that are lower in the domain hierarchy. By default, all users and all records are
members of the global domain unless you assign them to a particular domain. Once you assign
a user or a record to a domain, the instance compares the user's domain to the record's
domain to determine whether the user can view the record.
Service Providers (SPs) use domain separation to segregate data for each customer. Users in
a given domain can only view the data in their own domains or in child domains. SPs
typically control the top-level domain, which allows them to view data that is associated
with all domains. Don't delegate administration to cloud admin users of the child domains in
Cloud Management.
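The own-or-child visibility rule and the same-domain requirement for related entities described above, as an added JavaScript sketch that is not ServiceNow code and calls no instance API. The slash-separated domain paths, the record shapes, and all names are constructed assumptions.

```javascript
// Added example on constructed data; no instance APIs are used.
// Domains are written as slash-separated paths (assumed notation for this sketch).
const GLOBAL = "global"; // default membership when nothing is assigned

// Own-or-child rule: the record's domain must equal the user's domain or sit
// below it. The "/" boundary stops "TOP/MSP/Acme" matching "TOP/MSP/AcmeCorp".
function canView(userDomain, recordDomain) {
  return recordDomain === userDomain || recordDomain.startsWith(userDomain + "/");
}

// Report users left in global and related entities whose domain differs from
// their company's domain.
function auditDomains(companies, entities, users) {
  const companyDomain = new Map(companies.map(c => [c.name, c.domain || GLOBAL]));
  const findings = [];
  for (const u of users) {
    if ((u.domain || GLOBAL) === GLOBAL) findings.push(`user ${u.name}: still in global`);
  }
  for (const e of entities) {
    const expected = companyDomain.get(e.company);
    const actual = e.domain || GLOBAL;
    if (expected === undefined) findings.push(`entity ${e.name}: unknown company ${e.company}`);
    else if (actual !== expected) findings.push(`entity ${e.name}: in ${actual}, company is in ${expected}`);
  }
  return findings;
}

// Constructed sample export (hypothetical names).
const companies = [
  { name: "Acme", domain: "TOP/MSP/Acme" },
  { name: "AcmeCorp", domain: "TOP/MSP/AcmeCorp" },
];
const entities = [
  { name: "acme-cloud-account", company: "Acme", domain: "TOP/MSP/Acme" },
  { name: "acmecorp-service-account", company: "AcmeCorp", domain: "TOP/MSP/Acme" },
  { name: "acme-service-account", company: "Acme" }, // no domain assigned
];
const users = [
  { name: "sp.operator", domain: "TOP" },
  { name: "acme.admin", domain: "TOP/MSP/Acme" },
  { name: "new.hire" }, // no domain assigned
];

const findings = auditDomains(companies, entities, users);
console.log(findings.join("\n"));
for (const u of users.filter(u => u.domain)) {
  const seen = entities.filter(e => e.domain && canView(u.domain, e.domain));
  console.log(u.name, "sees", seen.map(e => e.name));
}
```

Items still in the global domain are reported by the audit and are left out of the visibility listing, since the page does not describe how global records are evaluated.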
Set up domain separation for Cloud Management
- Ensure that you activate the following plugins:
  - Domain Support - Domain Extensions Installer plugin
    (com.glide.domain.msp_extensions.installer) to enable domain separation in Cloud Management
  - Service Catalog - Domain Separation plugin (glideapp.servicecatalog.domain_separation)
    to enable separation of catalog items in different domains in Cloud Management
Changes to Cloud Management tables
Domain separation for Cloud Management adds the
Domain and Domain Path fields to the list
views. These fields are not exposed by default. As a domain admin you can customize lists
and forms to view these fields. Not all tables in Cloud Management are domain
separated. While some top-level tables are domain separated, several child tables are not
domain separated. However, this does not impact how the Cloud Management
application works in a domain-separated context.
Account domains and related entities
When you create related entities for an
account, the domain for the related entities is set to the account domain.
Domain visibility for cloud administrators and users
Manually assign users with the Cloud User Portal (sn_cmp.cloud_service_user) roles and
Cloud Admin Portal (sn_cmp.cmp_root_admin) roles for each domain to the
TOP/MSP/Default/Company or leaf domain. Domain administrators and users in Cloud Management can only view
data in the domain that they are created in, until they are assigned to the TOP domain. The
Top domain represents a single common parent domain, which acts as a single parent node, for
the Service Provider domains.
Next Steps
For more information on creating, implementing, and maintaining domain separation for Cloud Management services in the instance you are setting up for your customers, see
Domain separation in Cloud Management - considerations for service providers.