Encryption Support provides the ability to encrypt data in an instance. The ability to
access encrypted data in a domain depends on a user's role and domain assignments. Domain
separation enables you to separate data, processes, and administrative tasks into logical
groupings called domains. You can then control several aspects of this separation, including
which users can see and access data.
Support level: No support
- The domain field may exist on data tables, but there is no business logic to manage
data.
- This level is not considered domain-separated.
For more information, see Application support for domain
separation.
How domain separation works in Encryption Support
In Encryption Support, encryption configurations and keys are defined by an encryption
context. You assign an encryption context to one or more roles, and then assign those roles to
specific users. Encryption contexts are user-specific, so when you restrict a user to specific
domains, the user can access encrypted data only in the domains to which that user has access.
Domain-specific forms and fields are supported. However, there are some restrictions:
- If an encrypted field appears on multiple forms, regardless of domain, the field is
encrypted on all forms in all domains.
- Basic domain separation is not supported because it would allow
service providers (SPs) to create and manage domain-specific encryption contexts and
encryption keys across all domains.
- Standard domain separation does not apply to encryption.
- Enhanced domain separation is not supported because it would allow
domain administrators to create and manage domain-specific encryption contexts and keys for
their domain.