Managing security domains and policies

Each domain has a set of controlling assets: one for each security object type (subject, group, organization, role, and asset), one that controls access to AccessTypes and AssetTypes, and a domain-controlling asset that controls access to the domain itself. When you create a new domain, its controlling assets and its domain security officer (DSO) role are created automatically. The person who creates the domain is granted the DSO role and is initially the only one with permission to access the controlling assets and to perform the administrative functions in the domain. The DSO must create the domain's other security objects: organizations, roles, users, groups, and assets. To delegate administration, the DSO can either grant the DSO role to another role, or assign a set of permissions on the controlling assets to another role, and then grant that role to other users; see “Managing the controlling assets in a domain”.

To create a new domain, you must have write permission on the domain controlling asset in the domain that contains the root organization. To update a security policy or the rules for a domain, you must have update permission on the domain controlling asset in the domain to which the changes apply. To delete a domain, you must have delete permission on the domain controlling asset in the domain to be deleted.
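The following is an added, self-contained Python model of the rules above; it is illustrative code written for this page, not the product's own API or data model. It assumes hypothetical names (DomainRegistry, Perm, a "types" asset standing in for the AccessTypes/AssetTypes controlling asset, and a DSO role named "DSO") and assumes that granting or defining a role in a domain requires write permission on that domain's role controlling asset, which the page does not state. The point it makes explicit is the asymmetry in where the check happens: creating a domain is checked against the domain-controlling asset of the root organization's domain, whereas updating or deleting a domain is checked against the target domain's own domain-controlling asset, so a DSO of a child domain can update and delete that domain but cannot create a sibling unless the root DSO delegates that permission.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum, auto


class Perm(Enum):
    READ = auto()
    WRITE = auto()
    UPDATE = auto()
    DELETE = auto()


# One controlling asset per security object type, plus one for
# AccessTypes/AssetTypes ("types", a name assumed here) and one for the domain.
CONTROLLING_ASSET_TYPES = (
    "subject", "group", "organization", "role", "asset", "types", "domain",
)
ALL_PERMS = frozenset(Perm)


class PermissionDenied(Exception):
    pass


@dataclass
class Domain:
    name: str
    # role name -> {controlling asset type -> permissions on that asset}
    roles: dict[str, dict[str, frozenset[Perm]]] = field(default_factory=dict)
    # user -> role names held in this domain
    members: dict[str, set[str]] = field(default_factory=dict)
    policy: dict[str, str] = field(default_factory=dict)

    def permissions(self, user: str, asset_type: str) -> frozenset[Perm]:
        """Union of the user's role permissions on one controlling asset."""
        granted: set[Perm] = set()
        for role in self.members.get(user, ()):
            granted |= self.roles[role].get(asset_type, frozenset())
        return frozenset(granted)


class DomainRegistry:
    """Hypothetical registry enforcing the create/update/delete rules."""

    def __init__(self, root_domain: str, bootstrap_user: str):
        self.root = root_domain  # domain that contains the root organization
        self.domains: dict[str, Domain] = {}
        self._bootstrap(root_domain, bootstrap_user)

    def _bootstrap(self, name: str, creator: str) -> Domain:
        # Automatic setup on creation: controlling assets exist implicitly,
        # a DSO role holds every permission on each of them, and the creator
        # is the DSO role's only member.
        d = Domain(name)
        d.roles["DSO"] = {t: ALL_PERMS for t in CONTROLLING_ASSET_TYPES}
        d.members[creator] = {"DSO"}
        self.domains[name] = d
        return d

    def _require(self, user: str, domain: str, asset_type: str, perm: Perm) -> None:
        if perm not in self.domains[domain].permissions(user, asset_type):
            raise PermissionDenied(
                f"{user} lacks {perm.name} on the {asset_type} controlling "
                f"asset of domain {domain!r}")

    def create_domain(self, user: str, name: str) -> Domain:
        # Create: WRITE on the domain controlling asset of the ROOT domain.
        self._require(user, self.root, "domain", Perm.WRITE)
        if name in self.domains:
            raise ValueError(f"domain {name!r} already exists")
        return self._bootstrap(name, user)

    def update_policy(self, user: str, name: str, key: str, value: str) -> None:
        # Update: UPDATE on the domain controlling asset of the TARGET domain.
        self._require(user, name, "domain", Perm.UPDATE)
        self.domains[name].policy[key] = value

    def delete_domain(self, user: str, name: str) -> None:
        # Delete: DELETE on the domain controlling asset of the domain deleted.
        self._require(user, name, "domain", Perm.DELETE)
        if name == self.root:
            raise ValueError("the root domain cannot be deleted")
        del self.domains[name]

    def define_role(self, actor: str, domain: str, role: str,
                    grants: dict[str, frozenset[Perm]]) -> None:
        # Assumption: defining a role needs WRITE on the role controlling asset.
        self._require(actor, domain, "role", Perm.WRITE)
        self.domains[domain].roles[role] = dict(grants)

    def grant_role(self, actor: str, domain: str, role: str, user: str) -> None:
        # Assumption: granting a role needs WRITE on the role controlling asset.
        self._require(actor, domain, "role", Perm.WRITE)
        d = self.domains[domain]
        if role not in d.roles:
            raise KeyError(f"no role {role!r} in domain {domain!r}")
        d.members.setdefault(user, set()).add(role)


def demo() -> dict[str, bool]:
    """Constructed scenario: root DSO creates 'sales' and delegates it."""
    reg = DomainRegistry("root", "root-dso")
    reg.create_domain("root-dso", "sales")
    reg.grant_role("root-dso", "sales", "DSO", "sales-dso")
    reg.define_role("sales-dso", "sales", "auditor",
                    {t: frozenset({Perm.READ}) for t in CONTROLLING_ASSET_TYPES})
    reg.grant_role("sales-dso", "sales", "auditor", "alice")

    def allowed(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except PermissionDenied:
            return False

    return {
        "sales_dso_updates_sales": allowed(reg.update_policy, "sales-dso", "sales", "pw_min", "12"),
        "auditor_updates_sales": allowed(reg.update_policy, "alice", "sales", "pw_min", "8"),
        "sales_dso_creates_sibling": allowed(reg.create_domain, "sales-dso", "marketing"),
        "sales_dso_deletes_sales": allowed(reg.delete_domain, "sales-dso", "sales"),
    }
```

Run `demo()` to see the four outcomes: the delegated DSO can update and delete the sales domain, the read-only auditor cannot update it, and the sales DSO cannot create a new domain because that check is made in the root domain, where the sales DSO holds no role.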