Securing Multiple Domains

To prevent role mapping leaks between multiple tenant domains, configure domains and assign shared security configurations.

Sybase recommends that the Platform administrator:

Create at least one new tenant domain in Sybase Control Center. You may require more, depending on your mobility strategy.
Restrict the use of the "admin" security configuration on the "default" domain to administration authentication only.
Assign at least one domain administrator. Depending on the maintenance issues of large-scale deployments, the administrator may want to use at least one Domain administrator per domain.
Create and assign at least one new security configuration. The administrator may create and assign security configurations, if security requirements (stringency, uniqueness) differ between tenant domains.

For more information, search for Domains in Sybase Control Center online help.

For example, a company named "Acme" has two separate divisions, HR and sales. The employees in each division use different mobile applications. In this case, Sybase recommends using two domains in Sybase Control Center to simplify the management of packages, users, applications and related artifacts.

Acme implements separate domain administrators for each domain, but is using a single "acme" security configuration due to the way the corporate LDAP directory is configured. This configuration includes an LDAPLoginModule provider that uses this URL:

ldap://ldap.acme.com

As a result, all employees of all domains are authenticated by the same LDAP server, and authorized by the same set of groups and roles.

Note: Because domain administrators are authenticated from the same acme LDAP repository via the admin security configuration on the default domain, those role mappings can "leak" between domains. Consequently, a domain administrator assigned to one domain gets granted access to another. This side-effect is undesirable and should be avoided.