View domain

Large organizations tend to have complex internal structures with subsidiaries in various countries and regions. To add to the complexity, they are divided into numerous departments supported by different IT teams. Whether it’s for legal, compliance or security reasons, IT teams benefit from having a defined scope of visibility into the data of devices and related events.

View domain provides a way to define such a scope in the role of a Nexthink user.

The View domain feature:

  • Enforces compliance rules so that access to data is on a need-to-know basis.

  • Enhances security by limiting IT teams from taking action on devices they are not responsible for.

Configuration

Defining Organization

Before defining View domain in a role, define the relationship between devices and the organizational structure. You must associate devices with an entity and optionally with one or several custom classifications using rules defined in the Organization feature of the Product configuration. Refer to the Product configuration documentation for more information.

The system does not tag events with an entity or custom classification unless the Organization is configured.

Configuring the Organization

  • Name: The name of the organization in a given region or country.

  • Description: The description is based on the Collector string tag.

Configuring View domain

To configure View domain:

  • Select Administration from the main menu.

  • Click on Roles in the Account Management section of the navigation panel.

  • Scroll down to the View domain section and choose one of the following options:

    • Full access: The role has access to all devices.

    • Limited access: The role can access a limited scope of devices based on the selected organization level.

Limited access

Select the Organization level from the drop-down menu to define View domain. The available options are:

  • Entity: select this level to build the scope from entities only.

  • Custom classification: select a custom classification to build the scope from the values of that classification only. (Any custom classification defined in the custom classification ruleset can be selected.)

Over time, you can delete custom classifications, custom classification values and entities. Roles that already exist may still point to deleted items. If this is the case, you cannot save the role.

Selecting scope for limited view domain

If you choose limited access for the role, list the entities or custom classification values that define the scope of devices the role can access. A role with limited access can only access devices, and their related events, that are tagged with those entities or custom classification values.

View domain diagram

Entities and custom classifications

  • The optional tagging of devices with custom classifications relies on the Organization ruleset file.

  • Each custom classification value is invariably associated with at least one entity. For example, in the following table, Switzerland and Europe are associated with Lausanne and Zurich.

  • An entity cannot have multiple associations with values of the same custom classification. For example, it would be incorrect for Lausanne to be associated with both Europe and North America.

Entity   | Custom classification - Country | Custom classification - Region
Lausanne | Switzerland                     | Europe
Zurich   | Switzerland                     | Europe
New York | United States                   | North America

Using View domain

Objects and events

The system enforces View domain on the following objects and events:

Devices

When querying the devices object, the system uses the entity of the device to enforce View domain. Retrieve the entity of a device using the Organization.Entity field. Note that it is also visible in the legacy Entity field.

Users

When querying the users object, the system uses the entities of the devices on which the user was reported (for example, through a session event or an execution event linked to the user). A role must have access to the entity of at least one device associated with the user for that user to be reported.

All events

dex.scores are only visible to roles with full access to View domain.

Retrieve the entity using the context.organization.entity field, which shows the entity of the device at the time of the event. Keep the following in mind:

  • When the entity of a device changes, the entity of events that were triggered before the change remains the same. Roles with limited View domain access that were assigned only to the old entity will not see events associated with the new entity of the device.

  • When you query events, the system uses the entity of the event to enforce View domain.

  • When you query devices and events in the same query, View domain is checked against both entities: the device's entity for device fields and the event's entity for event fields, for example:

device_performance.system_crashes during past 7d
| list number_of_system_crashes, context.organization.entity

Some events might not have an entity because they cannot be linked to a device. These can include certain alerts or collaboration events. When an event is tagged with the special n/a entity, the associated user's entity, if any, enforces the view domain. If no device or user exists and the entity is tagged with n/a, all users can view the event. This situation can occur with some alerts on objects such as binaries or packages that are visible to all users.
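To make the rules in the Entities and custom classifications, Devices, Users and All events sections concrete, here is an added Python model that is not Nexthink's code: it builds an Organization from a constructed ruleset (rejecting an entity with two values of the same custom classification), resolves a role's View domain to a set of entities, and then filters devices on their current entity, users on the devices they were reported on, and events on the entity recorded at the time of the event, with the n/a fallback to the user and the "visible to all" case. Every entity, device, user, event and function name below is an assumption made for illustration.

```python
"""Toy model of the View domain rules described on this page (added example,
not Nexthink's code). All entities, devices, users and events are constructed."""
from dataclasses import dataclass
from typing import Optional

NA_ENTITY = "n/a"  # special entity tag for events that cannot be linked to a device

# Constructed Organization ruleset: (entity, custom classification, value),
# mirroring the Lausanne / Zurich / New York table on this page.
RULES = [
    ("Lausanne", "Country", "Switzerland"), ("Lausanne", "Region", "Europe"),
    ("Zurich", "Country", "Switzerland"), ("Zurich", "Region", "Europe"),
    ("New York", "Country", "United States"), ("New York", "Region", "North America"),
]

def build_organization(rules):
    """Build entity -> {classification: value}; reject a ruleset that gives one
    entity two values of the same custom classification (Lausanne in both
    Europe and North America), which the page says is not allowed."""
    org = {}
    for entity, classification, value in rules:
        previous = org.setdefault(entity, {}).get(classification)
        if previous is not None and previous != value:
            raise ValueError(f"{entity}: {classification} is already {previous}, cannot add {value}")
        org[entity][classification] = value
    return org

@dataclass(frozen=True)
class Role:
    """full_access=True sees everything; otherwise level is 'Entity' or the
    name of a custom classification, and values are the selected items."""
    full_access: bool = False
    level: str = "Entity"
    values: frozenset = frozenset()

def scope_entities(org, role):
    """Resolve a role's View domain to the entities it may see. A role that
    points to a deleted entity or classification value cannot be saved, so
    such a reference is rejected here."""
    if role.full_access:
        return set(org)
    if role.level == "Entity":
        known = set(org)
    else:
        known = {cls.get(role.level) for cls in org.values()} - {None}
    missing = set(role.values) - known
    if missing:
        raise ValueError(f"role references deleted {role.level} item(s): {sorted(missing)}")
    if role.level == "Entity":
        return set(role.values)
    return {e for e, cls in org.items() if cls.get(role.level) in role.values}

@dataclass
class Device:
    name: str
    entity: str  # Organization.Entity: the device's current entity

@dataclass
class Event:
    name: str
    entity: str  # context.organization.entity: the device's entity when the event occurred
    user: Optional[str] = None  # user linked to the event, if any

def visible_devices(org, role, devices):
    """Devices are filtered on their current entity."""
    ents = scope_entities(org, role)
    return [d.name for d in devices if d.entity in ents]

def visible_users(org, role, devices, reported_on):
    """reported_on maps user -> devices the user was reported on; the user is
    visible when at least one of those devices is in scope."""
    seen = set(visible_devices(org, role, devices))
    return [u for u, devs in reported_on.items() if seen & set(devs)]

def visible_events(org, role, devices, reported_on, events):
    """Events keep the entity recorded when they occurred; n/a events fall back
    to the linked user, and events with neither are visible to everyone."""
    ents = scope_entities(org, role)
    users = set(visible_users(org, role, devices, reported_on))
    out = []
    for ev in events:
        if ev.entity != NA_ENTITY:
            ok = ev.entity in ents      # tagged event: its own entity decides
        elif ev.user is not None:
            ok = ev.user in users       # n/a entity: the user's entity decides
        else:
            ok = True                   # no device and no user: visible to all
        if ok:
            out.append(ev.name)
    return out

def sample_scenario():
    """Constructed devices, user activity and events for trying the rules out."""
    devices = [Device("laptop-01", "Lausanne"), Device("laptop-02", "Zurich"),
               Device("laptop-03", "New York")]
    reported_on = {"alice": ["laptop-01", "laptop-03"], "bob": ["laptop-03"]}
    events = [
        Event("crash-01", "Lausanne", user="alice"),
        Event("crash-03", "New York", user="bob"),
        Event("alert-alice", NA_ENTITY, user="alice"),  # no device, user known
        Event("alert-bob", NA_ENTITY, user="bob"),
        Event("alert-binary", NA_ENTITY),               # e.g. an alert on a binary
    ]
    return devices, reported_on, events
```

Running `scope_entities(build_organization(RULES), Role(level="Country", values=frozenset({"Switzerland"})))` resolves to Lausanne and Zurich; moving `laptop-01` to Zurich afterwards makes the device visible to a Zurich-only role while its earlier `crash-01` event, still tagged Lausanne, stays hidden from that role, which is the behaviour the first bullet above describes.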

All inventory objects linked to a device

When querying inventory objects such as device.antiviruses, device.cpus, device.disks, and similar objects, the system uses the entity of the device to enforce View domain.

Users with roles that have limited access to View domain can list all binaries and packages. However, they cannot perform drill-downs on these objects to retrieve information about devices and events that are not part of their View domain.

Product modules

View domain applies to the following modules:

Applications

Permission
Full access
Limited access

Manage all applications

View all application dashboards

Alerts

Permission
Full access
Limited access

Manage all alerts

View all alert dashboards

Amplify

Permission
Full access
Limited access

Manage Amplify

View Amplify

View installed packages in Amplify

View checklists

Execute workflows

Execute remote actions

Campaigns

Permission
Full access
Limited access

Manage all campaigns

Trigger manually all campaigns

View all campaign dashboards

Collaboration tools

Permission
Full access
Limited access

View all collaboration tools dashboards

Diagnostics

Capabilities
Full access
Limited access

Manage all checklists

Manage Amplify (requires add-on license of Amplify)

View all checklists

View Amplify (requires add-on license of Amplify)

View device view

View Diagnostics dashboards

View installed packages in Amplify

Digital experience

Permission
Full access
Limited access

Manage Digital Experience Score

View Digital Experience dashboard

Investigations

Permission
Full access
Limited access

Create private investigations; use global search

Manage shared investigations

Share private investigations

View Nexthink Assist (you explicitly consent to our updated data processors)

View shared investigations

Live dashboards

Permission
Full access
Limited access

Manage all dashboards

View all dashboards

Device view

Permission
Full access
Limited access

View device view

Remote actions

Permission
Full access
Limited access

Execute all remote actions

Manage all remote actions

View all remote action dashboards

Software metering

Permission
Full access
Limited access

Manage all software metering

View all software metering dashboards

Workflows

Permission
Full access
Limited access

Execute all workflows

Manage all workflows

View all workflow dashboards

Applicable permission tables can also be found in each module's page.

When you apply View domain to a role, the system removes access to some modules at the permission level. The following module is available only to roles with full View domain access:

  • Digital Experience

A role with limited View domain access can still retrieve data linked to the aforementioned modules using, for example, alert.alerts or campaign.responses in Investigations or Live Dashboards where View domain is correctly enforced.

List of rights that you can associate only with roles that have full access to View domain:

Feature            | Feature permission                                      | Content permission (sharing)
Alerts             | Manage all alerts                                       | Edit
Applications       | Manage all applications                                 | -
Custom Fields      | Manage all custom fields                                | -
Campaigns          | Manage all campaigns                                    | Edit
Workflows          | Manage all workflows                                    | Edit
Workflows          | Execute all workflows                                   | Execute
Digital Experience | Manage Digital Experience Score                         | -
Digital Experience | View Digital Experience dashboard                       | -
Data Export        | Administrator rights                                    | -
NQL                | Manage all NQL API queries                              | -
Remote Actions     | Manage all remote actions                               | Edit
Administration     | Any administration feature (including Packs management) | -
