Security Intelligence Lists and Multitenancy

Multitenancy adds:

  • Domain lists—Block or Do Not Block lists whose contents apply to a particular subdomain only. The Global lists are Domain lists for the Global domain.

  • Descendant Domain lists—Block or Do Not Block lists that aggregate the Domain lists of the current domain’s descendants.

Domain Lists

In addition to being able to access (but not edit) the Global lists, each subdomain has its own named lists, the contents of which apply only to that subdomain. For example, a subdomain named Company A owns:

  • Domain Block list - Company A and Domain Do Not Block list - Company A

  • Domain Block list for DNS - Company A, Domain Do Not Block list for DNS - Company A

  • Domain Block list for URL - Company A, Domain Do Not Block list for URL - Company A

Any administrator at or above the current domain can populate these lists. You can use the context menu to add an item to the Block or Do Not Block list in the current and all descendant domains. However, only an administrator in the associated domain can remove an item from a Domain list.

For example, a Global administrator could choose to add the same IP address to the Block list in the Global domain and Company A’s domain, but not add it to the Block list in Company B’s domain. This action would add the same IP address to:

  • Global Block list (where it can be removed only by Global administrators)

  • Domain Block list - Company A (where it can be removed only by Company A administrators)

Descendant Domain Lists

A Descendant Domain list is a Do Not Block list or Block list that aggregates the Domain lists of the current domain’s descendants. Leaf domains do not have Descendant Domain lists.

Descendant Domain lists are useful because a higher-level domain administrator can enforce general Security Intelligence settings, while still allowing subdomain users to add items to a Block or Do Not Block list in their own deployment.

For example, the Global domain has the following Descendant Domain lists:

  • Descendant Block lists - Global, Descendant Do Not Block lists - Global

  • Descendant Block lists for DNS - Global, Descendant Do Not Block lists for DNS - Global

  • Descendant Block lists for URL - Global, Descendant Do Not Block lists for URL - Global

Note
Descendant Domain lists do not appear in the object manager because they are symbolic aggregations, not hand-populated lists. They appear where you can use them: in access control and DNS policies.