Client domains

Note: Implementing client domains requires an additional license from Relativity ODA LLC. Each client domain license is unique, and client domains can have different terms encoded on their license keys. The license for a client domain is unrelated to any other license for Relativity (e.g., number of seats). Client domain licenses are not transferable from one client to another. Contact Relativity Support to learn more about activating client domains.

Note: Client domains (formerly multi-tenancy) requires Relativity version 9.1 or above.

Note: Client domains functionality cannot be activated for Client objects that have existing workspaces associated with them.

The client domains feature enables Relativity authorized partners to deliver more powerful managed service offerings for enterprise customers in a single Relativity instance by providing an easier way to securely isolate users, workspaces, groups, resource pools, and matters by client. Client domains have both software and infrastructure components.

Using client domains, Relativity system admin can empower a user group that is not part of the System Administrator group (client domain admins) to perform common administrative tasks within their own client domain while limiting their visibility into the Relativity environment as a whole. The client domain admins can customize the permission settings to various objects according to their preferences within their own domain, but cannot access any permissions outside of that. This resource isolation functionality grants your enterprise clients more administrative control over their own portions of the environment while preventing back-end visibility and unauthorized changes to your Relativity instance as a whole.

Note: Client Domains are targeted for the above use case only and it is important to consider all the limitations outlined in Client domain limitations and considerations.

This page contains the following sections:

See the following related pages:

Client domains software architecture

The following describes the basic software architecture for client domains.

  • Permissions - the root object of a client domain is the client object in the administrative workspace. By default, groups associated with a given client only have permission to perform actions on users, groups, matters, and workspaces associated with that client, unless a system administrator has given special permission across client domain boundaries. Additionally, each client domain has an associated group known as the client administrator group. By default, members of this group can create administrative objects (users, groups, matters, and workspaces) associated with the client. This group does not have permission to interact with or view objects of these types associated with other clients.

Considerations before enabling client domains

Consider the following before enabling client domains:

  • If you enable client domains on a client:
    • You can't disable it on that client later
    • You can't edit the name of the client
    • You can’t delete the client
  • Enabling client domains on a client involves generating a client domain request and then applying an activation key. By enabling it, you ensure that any content or other Relativity components associated with this client are visible only to a select group of users.
  • Client domains can be enabled on a client after you create it. However, before client domains can be enabled on the client, you must create all the objects you want to include within the client domain child objects of the client.
  • You can add objects to a client domain after the client has client domains enabled, but it's best to verify that all objects you want to isolate within the client domain are child objects of the client. See Adding or removing objects from a client domain for more information.
  • If you have client domains enabled, we recommend locking down System Administrator access to only those absolutely necessary.

Note: You must set the ClientDomainFeatureAvailable instance setting value to True to view and edit client domain settings.

Enabling client domains on a client

The following things occur automatically after client domains are enabled:

  • The system creates a new Everyone - [Client's Name] group and adds that group to the client domain. Only users whose client field is set to the client domain are included in the client domain everyone group. The system also removes those users from the default Relativity Everyone group. A system admin can add any users to any group regardless of client domain status.

Note: The Everyone- [Client's Name] group should not be assigned as the workspace administrator group for a given workspace that is part of a Client Domain.

  • The system creates a unique copy of all resource pools associated with any workspaces under the client domain.

Note: Permissions assigned to groups override client domain isolation. If a non-client domain group has permissions to see a client domain's workspace or users, then those non-client domain users in the non-client domain group can still access client domain items. Enabling client domains does not change previously configured item level security settings applied to any objects within the client domain.

  • The system creates a client domain admin group that permits its members to perform admin operations within the client domain.
  • The Billing statistics - case rollup and Billing statistics - users reports include columns called Client Domain Name and Client Domain Artifact ID. These columns display client name and artifact ID when you enable client domains for a client.

Note: After enabling client domains, system administrators needing to make group or permission changes should be extra cautious and thoroughly investigate the potential impact to client domain separation before implementing any new group/permission changes.

Generating a client domain request

To enable client domain on a client, you first generate a client domain request key in Relativity.

  1. Create a new client or click the name of a client on the Client tab. The details view of the client appears.
  2. Click Create Client Domain Request Key and then the Client Domain Request Key window appears.
  3. Copy the Client Domain Request Key text and paste it into an email to Relativity Support.
  4. Close the Client Domain Request Key window. See Applying the activation key.

Applying the activation key

After you receive an activation key from us, you enable client domains by applying it to the client.

  1. Navigate to the Client tab.
  2. Click the name of a client associated with the client domain request.

    Note: You must select the client that you originally used to generate the request key. If you attempt to apply the activation key to a different client, Relativity displays an error message.

  3. Click Submit Client Domain Activation Key and then the Apply Client Domain Activation Key window appears.
  4. Copy the client domain activation key received in the email message that Relativity Client Services sent. Paste it into Client Domain Key field in the Apply Client Domain Activation Key window.
  5. Click Apply.

    Note: If Relativity displays an error message, verify that you copied the activation key correctly. Contact Relativity Support at support@Relativity.com if you have any questions about applying your activation key.

  6. Verify that the Client Domain Status field in the Client Information section displays the word Client Domain.

Once client domains functionality is enabled for the client, you must assign a client domain admin.

Client domain admins

Client domain admins are essentially workspace admins for workspaces within the client domain. Any limitations are based on the permissions you set for the user group in Relativity that the client domain admin belongs to. The administrative actions available to client domain admins are only in the scope of the client domain. For example, client domain admins can edit or delete users belonging to that client domain, but they cannot do the same action for users part of a different client domain or users not associated with a client domain.

Client domain admins can do things like:

  • Modify, add, and remove groups, users, and workspaces
  • Create all workspace and admin objects across the Relativity Framework, such as matters, fields, layouts, choices, and views.
  • Start jobs like processing, imaging, and productions
    • Tenants have access to the full complement of the Relativity Processing features, including inventory, discovery, publish, and errors.
  • Import data

Client domain admin considerations

Consider the following when assigning a client domain admin:

  • Client domain admins cannot perform tasks that are exclusive to Relativity System Administrators.
  • Permissions assigned to groups override client domain isolation. If a non-client domain group has permissions to see a client domain's workspace or users, then those non-client domain users in the non-client domain group can still access client domain items. Enabling client domains does not change previously configured item level security settings applied to any objects within the client domain.
  • Relativity displays a warning message when a system admin attempts to edit or copy permissions for any group in a client domain. This warning makes the sys admin aware that modifying permissions may have significant consequences. For example, changing permissions may allow client domain users to modify items outside their tenancy. The system admin can click Manage Permissions to proceed with the update or Cancel to exit the pop-up window.
  • If a system admin assigns additional permissions for other Admin objects to a client domain admin (e.g., Queues), the client domain admin may be able to see information for other client domains.
  • You can grant workspace admins within the client domain permission to edit security settings for groups within the client domain, but they can't edit permissions on groups outside of the client domain.

The following table provides a breakdown of the default instance permissions for a client domain admin:

Group Permission Type
Client Domain Admin for <Client> View Admin Repository Admin Operations
Client Domain Admin for <Client> Add Matter Add
Client Domain Admin for <Client> Add User Add
Client Domain Admin for <Client> View View View
Client Domain Admin for <Client> View Choice View
Client Domain Admin for <Client> Add Group Add
Client Domain Admin for <Client> Add Workspace Add
Client Domain Admin for <Client> View Error View
Client Domain Admin for <Client> Add Error Add
Client Domain Admin for <Client> Edit Error Edit
Client Domain Admin for <Client> View Relativity Script View
Client Domain Admin for <Client> View Server View
Client Domain Admin for <Client> View Tab Type View

Assigning a client domain admin

Once you enable client domains on a client, you must assign a client domain admin.

Use the following steps to assign a client domain admin.

  1. Navigate to the Groups tab.
  2. Select the client domain admin group.
  3. Click the Add button in the Users section.
  4. Select the user you want to be the client domain admin.
  5. Click OK.

A system admin can make any user a client domain admin by adding them to the client domain admin group. You can tailor the permission settings of a client domain admin group the same way you manage permissions for all other groups. See Setting instance permissions for more information. See Client domain admin considerations for more information on default permissions.

Client domain limitations and considerations

The following items are features and operations that are not available when using client domains:

  • Multi-tiered client domains - an enabled Client Domain cannot have their own sub/child client domains
  • Unique logos per client domain
  • CMK (customer managed keys)
  • Self-provisioning / enabling of client domains - requires request to Support

The following items are features and operations that are have limitations in client domains or can only be used or performed by top-level system admins or a Relativity staff resource.

Item

Limitation

Client domain admin

System admin

Relativity staff

Client domains setup and configuration

Authentication providers / SSO setup

Not available for Client Domain Admins to create or edit since they cannot add an authentication provider to a client domain user. This includes adding the default password provider.

A system admin can configure client domain user accounts to use an SSO provider provided that the provider is configured correctly.

No access

Yes

-

Client domain setup

  • Cannot be setup on a Client record that already has a workspace association
  • Cannot disable client domain on Client once enabled
  • Cannot rename Client once enabled
  • Cannot delete client once enabled

No access

No access

Has access

Instance settings

Not available per client domain

No access

No access

Has access

System resources (resource pools)

A dedicated resource pool is available upon request but will pull away from total resources available to non-client domain workspaces.

No access

No access

Has access

Unique URL per client domain

Available per request to Relativity

No access

No access

Has access

Feature access

ARM

ARM is not available to a Client Domain Admin.

No access

Has access

-

Creating / editing Relativity scripts

Not available to Client Domain Admin.

  • Admins can run scripts that have already been added to the workspace from the library.
  • Admin scripts are not supposed to be run by client domain admins. These scripts should not be part of the template workspace.

No access

Has access

-

Drag-and-drop processing

Not available to Client Domain Admin

No access

Has access

-

Office 365 integration Office 365 integrations is not supported for Client Domains. However, Legal Hold Preserve-in-Place for O365 is supported with relevant full preservation user permissions. N/A N/A N/A

RDC

Direct Mode is not available to Client Domain Admins (only Aspera / Web Mode)

No access

Has access

-

Relativity applications

  • Client Domain Admin is not able to install or upgrade Relativity applications
  • No support of multiple app versions
  • Applications are typically not built or tested with client domain structure or concerns in mind. Applications such as Case Dynamics, O365 integration, transcripts, and others run under a system context which could potentially expose data across client domains.

No access

Has access

-

Remote Processing Console (RPC)

RPC is not available to Client Domain Admins.

No access

Has access

-

View, edit or cancel jobs / queues

Jobs / queue status not available to Client Domain Admins.

Since client domain admins can't see or modify jobs in the queue, a system admin may need to inform client domain admins of the status of jobs they've start or if the job is still waiting in the queue.

No access

Has access

-

Workspace Portal

The Workspace Portal tab is not be accessible by default to client domain users.

Permissions to view this tab can be technically be granted to client domain admins. However, adding a non-admin client domain group to the necessary instance level permissions violates client domain security restrictions for this group.

No access Has access Has access

Adding or removing objects from a client domain

Any workspaces, users, groups, matters, or resource pools associated with a client domain during creation become automatically governed by that client's domain settings. When you move an object into a client domain, you're making it a child object of the client domain.

See the following pages for more information on moving objects to and from client domains: