# View domain Large organizations tend to have complex internal structures with subsidiaries in various countries and regions. To add to the complexity, they are divided into numerous departments supported by different IT teams. Whether it’s for legal, compliance or security reasons, IT teams benefit from having a defined scope of visibility into the data of devices and related events. View domain provides a way to define such a scope in the role of a Nexthink user. The View domain feature: * Enforces compliance rules so that access to data is on a need-to-know basis. * Enhances security by preventing IT teams from performing actions on devices outside their responsibility. ## Configuration ### Defining Organization Before defining View domain in a role, define the relationship between devices and the organizational structure. You must associate devices with an entity and optionally with one or several custom classifications using rules defined in the **Device organization** feature of the **Product configuration**. Refer to the [Product configuration](https://docs.nexthink.com/platform/user-guide/administration/system-configuration/product-configuration) documentation for more information. {% hint style="info" %} The system does not tag events with an entity or custom classification unless the Organization is configured. {% endhint %} ### Configuring View domain To configure View domain: * Select **Administration** from the main menu. * Click on **Roles** in the Account Management section of the navigation panel. * Scroll down to the **View domain** section and choose one of the following options: * **Full access**: The role has access to all devices. * **Limited access**: The role can access a limited scope of devices based on the selected organization level. ### **Limited access** When you select **Limited access**, you can specify the organizational levels and their corresponding scopes. Each scope determines which subset of devices users in the role can view. Select the **Organization level** from the drop-down menu to define View domain. The available options are: * **Entity**: select to enable adding only entities. * **Custom classification**: select to enable adding only the possible custom classification values associated with the selected custom classification. (You can add any custom classifications defined in the custom classification ruleset). {% hint style="info" %} Over time, you can delete custom classifications, custom classification values and entities. Roles that already exist may still point to deleted items. If this is the case, you cannot save the role. {% endhint %} You can now define View domain scopes that combine multiple organization dimensions in main roles.\ This lets you match access scopes to how your organization actually operates, for example, by combining visibility by **Region**, **Entity**, or **Department** in the same role. For example, if you have the following **Limited access** with these two scopes: * **Region:** Europe * **Department:** Finance This means your access includes all devices in Europe and all devices in Finance. It doesn’t limit visibility to Finance devices within Europe only.

If you choose limited access for the role, list a scope of devices the role can access. A role with limited access has access only to devices and their related events tagged with specific entities or custom classifications.

### **Entities and custom classifications** * The optional tagging of devices with custom classifications relies on the **Organization** ruleset file. * Each custom classification value is invariably associated with at least one entity. For example, in the following table, **Switzerland** and **Europe** are associated with **Lausanne** and **Zurich**. * An entity cannot have multiple associations with values of the same custom classification. For example, it would be incorrect for **Lausanne** to be associated with both **Europe** and **North America**. | Entity | Custom classification - Country | Custom classification - Region | | -------- | ------------------------------- | ------------------------------ | | Lausanne | Switzerland | Europe | | Zurich | Switzerland | Europe | | New York | United States | North America | ## Using View domain ### Objects and events The system enforces View domain on the following objects and events: #### **Devices** When querying the `devices` object, the system uses the entity of the device to enforce View domain. Retrieve the entity of a device using the `Organization.Entity` field. Note that it is also visible in the legacy `Entity` field. #### **Users** When querying the `users` object, the system uses the entity of devices on which the user was reported, for example, a session event or an execution event linked to the user. Roles must have access to the entity of at least one device associated with the user to report them. #### **All events** {% hint style="info" %} `dex.scores` are only visible to roles with full access to View domain. {% endhint %} Retrieve the entity using the `context.organization.entity` field, which shows the entity of the device at the time of the event. Keep the following in mind: * When the entity of a device changes, the entity of events that were triggered before the change remains the same. Roles with limited View domain access that were assigned only to the old entity will not see events associated with the new entity of the device. * When you query `events`, the system uses the entity of the event to enforce View domain. * When you query `devices` and `events` in the same query, the user has access to the device's entity and the event's entity, for example: {% code lineNumbers="true" %} ``` device_performance.system_crashes during past 7d | list number_of_system_crashes, context.organization.entity ``` {% endcode %} Some events might not have an entity because they cannot be linked to a device. These can include certain alerts or collaboration events. When an event is tagged with the special **n/a** entity, the associated user's entity, if any, enforces the view domain. If no device or user exists and the entity is tagged with **n/a**, all users can view the event. This situation can occur with some alerts on objects such as binaries or packages that are visible to all users. #### **All inventory objects linked to a device** When querying inventory objects such as `device.antiviruses`, `device.cpus`, `device.disks`, and similar objects, the system uses the entity of the device to enforce View domain. {% hint style="info" %} Users with roles that have limited access to View domain can list all `binaries` and `packages`. However, they cannot perform drill-downs on these objects to retrieve information about devices and events that are not part of their View domain. {% endhint %} ### Product modules View domain applies to the following modules: #### Administration | Permission | Full access | Limited access | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Administrator rights |

| | | Data management |

| | | Manage all custom fields |

| | | Manage all custom trend data |

| | | Manage all NQL API queries |

| | | Manage all ratings |

| | | Manage collectors |

| | | Edit manual custom fields |

| #### Applications | Permission | Full access | Limited access | | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Manage all applications |

| | | View all application dashboards |

| #### Alerts | Permission | Full access | Limited access | | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Manage all alerts |

| | | View all alert dashboards |

| #### Amplify | Permission | Full access | Limited access | | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Manage Amplify |

| | | View Amplify |

| | View installed packages in Amplify |

| | View checklists |

| | Execute workflows |

| | Execute remote actions |

| #### Campaigns

Permission	Full access	Limited access
Manage all campaigns
Manage all manual campaigns
Trigger all manual campaigns
View all campaign dashboards

{% hint style="info" %} Campaign targeting remains restricted to the user’s view domain. Users cannot target employees outside the scope defined by their view domain. If a user with a limited view domain opens a campaign that uses a non-manual trigger, the campaign is displayed in read-only mode. {% endhint %} #### Collaboration tools | Permission | Full access | Limited access | | --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | View all collaboration tools dashboards |

| #### Diagnostics | Capabilities | Full access | Limited access | | --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Manage all checklists |

| | Manage Amplify (requires add-on license of Amplify) |

| | View all checklists |

| | View Amplify (requires add-on license of Amplify) |

| | View device view |

| | View Diagnostics dashboards |

| | View installed packages in Amplify |

| #### Digital experience | Permission | Full access | Limited access | | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | | Manage Digital Experience Score |

| | | View Digital Experience dashboard |

| | #### Investigations | Permission | Full access | Limited access | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Create private investigations; use global search |

| | Manage shared investigations |

| | Share private investigations |

| | View Nexthink Assist (you explicitly consent to our [updated data processors](https://docs.nexthink.com/legal/global-privacy-hub/nexthink-data-processing-schedule)) |

| | View shared investigations |

| #### Live dashboards | Permission | Full access | Limited access | | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Manage all dashboards |

| | | View all dashboards |

| #### Device view | Permission | Full access | Limited access | | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | View device view |

| #### Remote actions | Permission | Full access | Limited access | | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Execute all remote actions |

| | Manage all remote actions |

| | | View all remote action dashboards |

| #### Software metering | Permission | Full access | Limited access | | ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Manage all software metering |

| | View all software metering dashboards |

| #### Spark | Permission | Full access | Limited access | | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | View agent overview dashboards |

| | View all agent conversations |

| | Chat with agent through Infinity |

| | Chat on behalf of another user through Infinity |

| | Manage all agent actions |

| | Manage agent knowledge sources |

| | Manage agent settings |

| #### Workflows | Permission | Full access | Limited access | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Execute all workflows |

| | Manage all workflows |

| | | View all workflow dashboards |

| Applicable permission tables can also be found in each module's page. When you apply View domain to a role, the system removes access to some modules at the permission level. The following module is available to roles with full View domain access: * Digital Experience A role with limited View domain access can still retrieve data linked to the aforementioned modules using, for example, `alert.alerts` or `campaign.responses` in Investigations or Live Dashboards where View domain is correctly enforced. List of rights that you can associate only with roles that have full access to View domain: | Feature | Feature permission | Content permission (sharing) | | ------------------ | --------------------------------------------------------- | ---------------------------- | | Alerts | Manage all alerts | Edit | | Applications | Manage all applications | *-* | | Custom Fields | Manage all custom fields | *-* | | Campaigns | Manage all campaigns | Edit | | Workflows | Manage all workflows | Edit | | Workflows | Execute all workflows | Execute | | Digital Experience | Manage Digital Experience Score | *-* | | Digital Experience | View Digital Experience dashboard | *-* | | Data Export | Administrator rights | *-* | | NQL | Manage all NQL API queries | *-* | | Remote Actions | Manage all remote actions | Edit | | Administration | *Any administration feature (including Packs management)* | *-* | *** RELATED TOPICS: * [Product configuration](https://docs.nexthink.com/platform/user-guide/administration/system-configuration/product-configuration) * [Roles](https://docs.nexthink.com/platform/user-guide/administration/account-management/roles)