Skip to main content
Skip table of contents

View domain

Large organizations tend to have complex internal structures with subsidiaries in various countries and regions. To add to the complexity, they are divided into numerous departments supported by different IT teams. Whether it’s for legal, compliance or security reasons, IT teams benefit from having a defined scope of visibility into the data of devices and related events.

View domain provides a way to define such a scope in the profile of a Nexthink user.

The View domain feature:

  • Enforces compliance rules so that access to data is on a need-to-know basis.

  • Enhances security by limiting IT teams from taking action on devices they are not responsible for.

Configuration

Defining Organization

Before defining View domain in a profile, you must define the relationship between devices and the organizational structure. Devices must be associated with an entity using rules defined in the Organization feature of the Product configuration. Refer to the Product configuration documentation for more information.

The system does not tag events with an entity unless the Organization is configured.

Configuration of the Organization
  • Name: The name of the organization in a given region or country.

  • Description: The description is based on the Collector string tag.

Configuring View domain

To configure View domain:

  • Select Administration from the main menu.

  • Click on Profiles in the Account Management section of the navigation panel.

  • Scroll down to the View domain section and choose one of the following options:

    • Full access: The profile has access to all devices.

    • Limited access: The profile can access a limited scope of devices based on entities.

View domain options on the Profile page

If you choose limited access for the profile, list entities the profile can access. A profile with limited access only has access to devices and their related events that are tagged with specific entities.

View domain diagram


Using View domain

Objects and events

The system enforces View domain on the following objects and events:

Devices

When querying the devices object, the system uses the entity of the device to enforce View domain. Retrieve the entity of a device using the Organization.Entity field. Note that it is also visible in the legacy Entity field.

Users

When querying the users object, the system uses the entity of devices on which the user was reported, for example, a session event or an execution event linked to the user. Profiles must have access to the entity of at least one device associated with the user to report them.

All events

dex.scores are only visible to profiles with full access to View domain.

Retrieve the entity using the context.organization.entity field, which shows the entity of the device at the time of the event. Keep the following in mind:

  • When the entity of a device changes, the entity of events that were triggered before the change remains the same. Profiles with a limited View domain access that were assigned only to the old entity will not see events associated with the new entity of the device.

  • When you query events, the system uses the entity of the event to enforce View domain.

  • When you query devices and events in the same query, the user has access to the device's entity and the event's entity, for example:

CODE
device_performance.system_crashes during past 7d 
| list number_of_system_crashes, context.organization.entity 

Some events might not have an entity because they cannot be linked to a device. These can include certain alerts or collaboration events. In this case, they are only visible to profiles with full access to View domain.

All inventory objects linked to a device

When querying inventory objects such as device.antiviruses, device.cpus, device.disks , and similar objects, the system uses the entity of the device to enforce View domain.

Users with profiles that have limited access to View domain can list all binaries and packages. However, they cannot perform drill-downs on these objects to retrieve information about devices and events that are not part of their View domain.

Product modules

View domain applies to the following modules:

  • Investigations

  • Live Dashboards

  • Device View

  • Amplify

  • Campaigns
    Users with limited access to View domain:

    • Cannot manage campaigns.

    • Cannot view dashboards.

  • Remote Actions
    Users with limited access to View domain:

    • Can only trigger executions of remote actions manually.

    • Cannot manage remote actions.

    • Don’t have access to the Remote actions overview page and individual remote action dashboards.

  • Collaboration Tools:

    • Users with limited access to View domain can only see sessions on a device with installed Collector (Windows or macOS).

When you apply View domain to a profile, the system removes access to some modules at the permission level. The following modules are available to profiles with full View domain access:

  • Alerts

  • Application Experience

  • Diagnostics

  • Digital Experience

A profile with limited View domain access can still retrieve data linked to the above modules using, for example, alert.alerts or campaign.responses in Investigations or Live Dashboards where the View domain is correctly enforced.

List of rights that are associated with profiles that have full access to View domain:

Feature

Feature permission

Content permission (sharing)

Alerts

View all alerts

View

Alerts

Manage all alerts

Edit

Applications

View all applications

-

Applications

Manage all applications

-

Custom Fields

Manage all custom fields

-

Campaigns

Manage all campaigns

Edit

Campaigns

View all campaigns

View

Workflows

Manage all workflows

Edit

Workflows

Execute all workflows

Execute

Digital Experience

Manage Digital Experience Score

-

Digital Experience

View Digital Experience dashboard

-

Data Export

Administrator rights

-

Diagnostics

View Diagnostics dashboards

-

NQL

Manage all NQL API queries

-

Remote Actions

Manage all remote actions

Edit

Remote Actions

View all remote action dashboards

View

Webhooks

Administrator rights

-

Inbound Connectors

(except for Collaboration Tools - Microsoft Teams and Zoom)

Administrator rights

-


RELATED TOPICS:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.