Security Domain Groups (formerly known as Domain Restrictions) are entities that determine in which security domains an administrator may perform permissions. For example, if the North-America Security Domain Group contains the North-Am, North-Am-Sales, and North-Am-HR security domains, administrators with roles with the North-America Security Domain Group applied can access entities that reside in North-Am, North-Am-Sales, and North-Am-HR security domains (plus the PUBLIC Security Domain which is automatically added to every security domain group).
If there are no security domain groups applied to permissions in an Administrator Role, the Administrator may perform all permissions in the role in all security domains.
Security domain groups can contain one or more security domains. The security domains do not need to be connected in the hierarchical structure, but there are patterns to how customers implement security domain groups:
- Family branch: An administrator is responsible for the entities within the Europe region, which includes access to the entities in the Europe Security Domain and its subdomains, Europe-Sales and Europe-HR.
- Sibling: An administrator is responsible for managing siblings within the same branch. For example, an administrator has access to the entities in Europe-Sales and Europe-HR, but not in the parent security domain (Europe).
- Parent-child: An administrator is responsible for a parent security domain and one or more child domains, but not the entire branch. For example, an administrator has access to entities in the Europe Security Domain and the Europe-HR Security Domain.
- Mix-and-match: Any security domains can be included in a security domain group, whether they are from different parts of the same security domain tree or even from different trees.