Support Center > Search Results > SecureKnowledge Details
How global domain assignment works in R80 / R80.x comparing to R77 / R77.x? Technical Level
Solution

Starting in R80, global domain objects and rules are no longer copied to the local domain's database, but instead, the local domain segment points to a revision of the global domain. This allows us to enforce a more secure permission model, ensure that our API's use the same object identifiers for the same global objects, prevent local administrators from modifying global objects via command-line, and also has database size benefits, since objects are no longer copied but rather pointed to.

Prior to R80, when a global domain had more than one global policy, each local domain was only able to see the one global policy that was assigned to it. As a result, it was possible to create domain-specific rules at the global level and as long as the global assignment to each domain had a different global policy, the other domains were not able to see these global rules.

In case you defined domain-specific rules at the global level prior to R80, we recommend that you move the policy to the domain level in order to prevent it from being seen by other domains with versions R80 and above. Tools such as ExportImportPolicy and SmartOptimize may help you achieve that.

Pre-R80 users who chose to create domain assignments for their objects only and not for security policies, receive a pre-upgrade verifier warning when upgrading to R80 and above.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment