Getting started with Domain elements

Domain elements help you manage large networks and define administrator permissions.

In a large system, there can be different geographical sites that are managed by different administrators. Typically, most of the administrators only manage SMC components at their own site. Only a few main administrators are responsible for the overall system health across all sites. Domain elements allow you to group elements that belong to specific configurations (for example, elements that belong to a particular site or customer). The elements in different Domains are kept separate from each other.

The administrators’ rights within a Domain depend on the permissions defined in the administrator accounts. You can grant an administrator access to one or more Domains and define the permissions for each Domain in fine detail.

How Domains can be configured

  • Domain elements allow you to group elements that belong to specific configurations (for example, elements that belong to a specific customer or site).
  • You can use Domains to divide responsibilities between administrators, so that administrators only have access to elements in specific Domains.
  • You must have a special license to be able to configure Domain elements. The number of Domains that you can create depends on the license.
  • The ALL Domains Access Control List is a default Access Control List that you can use in administrator accounts to grant access to all defined Domains.
  • The predefined Shared Domain is meant for all elements that do not belong to a particular customer or site. All predefined system elements belong to the Shared Domain. If there is no Domain license in the SMC or no Domains have yet been configured, all elements belong to the Shared Domain.

Shared Domain

  • The elements in the Shared Domain are displayed to all administrators when they are logged on to any Domain in the Management Client.
  • Domains, Management Servers, Log Pruning Filters, and Administrator accounts with unrestricted permissions are elements that automatically belong to the Shared Domain. You can only create these elements in the Shared Domain, and you cannot move them to any other Domain.
  • Licenses and update packages always belong to the Shared Domain.
  • If you have Master NGFW Engine and Virtual NGFW Engine elements, the Master NGFW Engine must belong either to the Shared Domain or to the same Domain as the Virtual NGFW Engines.