When to Use Global Users and Global Groups - KB Article #1721Related Articles -- 1697
Most end user configuration only involves users and groups at the domain level. However, there are a few cases where global user accounts that span multiple domains and global groups that provide additional permissions across multiple domains are useful.
Global users are helpful when you need special accounts that need to access multiple domains. For example:
- Automated Maintenance Processes - An automated FTP process that picks files up from or drops files off in multiple domains. (Set these users up with permissions to the root folder of all domains or to the root folder of individual domains.)
- Additional SysAdmins - Individually identified and credentialed administrators who can make changes to any domain or the system itself. (Set these users up with "System Administrator" Administrative Privileges.)
- "Help Desk" Technicians - Lets your help desk technicians sign on to any domain (to reset passwords, reassign admins and fix permission problems) but not add/remove domains or other help desk technicians. (Set these users up with "Domain Administrator" Administrative Privileges.)
- Security Auditors - Lets auditors examine your system without allowing them to make any changes. (Set these users up with "Read-Only System Admin" Administrative Privileges.)
- Universal End Users - Lets end users sign on with the same credentials to different domains to enjoy different sets of permissions. (Plan to inherit many permissions from domain-level settings and set up global groups to enjoy permissions regardless of domain.)
Global groups are used to provide different sets of access and settings to global users.
Global groups are used like domain groups at the system level. Use global groups with global directory access rights and global virtual paths to grant global users access to folders.
Domain users cannot be members of global groups.
Global users cannot be members of domain groups.
If you will only ever maintain one domain, please consider using domain-level users and groups instead of global users and groups.