Data separation is enforced at the database level through the use of the sys_domain column in tables. About 1000 base platform tables already have this column, making them “domain-separated.” When a customer logs in under a domain and pulls up a domain-separated table, the system uses built-in queries to pull data only from that domain.

To make a custom table domain-separated, add the sys_domain field to the table. However, extensive testing should be done by customers to ensure the table behaves as expected.

Data Separation

Based on the hierarchy, users can see data in their home domain and child domains of that home domain. They do not have access to data in their parent domains, peer domains, or domains in other branches of the hierarchy.

In this example, Cloud Dimensions is the MSP. They have two customers; Stark Industries, which has two child domains of its own, and Globex which has one child. Because Cloud Dimensions is at the top of the hierarchy, it can see the data for both Stark and its customers, as well as the data for Globex and its customers. Stark can see the data for both of its child companies, however, Customer 1 and Customer 2 can only see their own data because they are both at the bottom of the hierarchy.