Domain Governance
Overview
Domain Governance lets Enterprise admins claim an email domain (e.g. example.com) and enforce organization-wide account policies on every Uslimato user whose email ends in @example.com. The feature is activated per tenant as a GLAD-licensed add-on.
Key capabilities:
- Domain claiming — register and prove ownership via DNS TXT record.
- Account governance — control whether governed users can join other tenants, register independently, or edit their profile fields.
- Session management — force-logout governed users remotely.
- Grace period — 30-day transition window after domain verification so existing users can adjust before policies take full effect.
Licensing
Domain Governance is an add-on license managed in the GLAD portal (similar to ITSM). A GLAD super admin activates it per tenant with these feature toggles:
| Feature | Description |
|---|---|
| domain_claiming | Claim and verify domains |
| account_governance | Enforce join / registration / profile policies |
| session_management | Force-logout governed users |
| auto_provisioning | Placeholder for future SCIM provisioning |
Without an active license the settings page shows a notice instead of controls.
Claiming a Domain
- Navigate to Settings → Domain Governance.
- Enter your email domain (e.g. example.com) and click Add.
- A DNS TXT record is generated. Add it to your domain's DNS with this value:
  hge_uslimato_verify=<token>
- Click Verify. A real-time DNS lookup checks for the record.
- On success the domain status changes to Verified and a 30-day grace period starts automatically.
If verification fails, check DNS propagation (can take up to 48 hours) and retry. A daily consistency job re-verifies all verified domains automatically, so leave the TXT record in place after verification.
Grace Period
After a domain is verified a 30-day grace period begins. During this window governed users see a banner but are not yet blocked by enforcement policies. This gives existing users time to understand the new governance rules before they take effect.
Users discovered during verification are added with status grace_period. After the grace period ends the status transitions based on the existing_membership_policy:
| Policy | Behavior after grace period |
|---|---|
| allow | Existing memberships remain untouched |
| freeze_after_grace | Existing memberships are frozen (read-only) |
| block_after_grace | Cross-tenant memberships are revoked |
Governance Policies
Once a domain is verified the admin can configure enforcement policies:
Block Cross-Tenant Join
When enabled, governed users cannot accept invitations to other tenants. Invitations targeting the governing tenant itself are always permitted. Both the token-based and in-app invitation flows enforce this policy. Error code: GOVERNANCE_CROSS_TENANT_BLOCKED.
Block External Registration
When enabled, users with an email matching the governed domain cannot self-register a new tenant. They can only join the governing tenant via invitation. Error code: GOVERNANCE_REGISTRATION_BLOCKED.
Restrict Profile Edits
When enabled, governed users cannot modify specific profile fields. The admin selects which fields are locked (e.g. first_name, last_name, display_name). Error code: GOVERNANCE_PROFILE_RESTRICTED.
Can Delete Account
When disabled, governed users cannot delete their own account via the profile page.
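The following is an added illustration of how the grace-period rules and the enforcement policies above combine for a single decision; it is not Uslimato's code. The data-model field names (governing_tenant, block_cross_tenant_join, locked_profile_fields, existing_membership_policy), the (allowed, code) decision tuple and the GRACE_PERIOD marker are assumptions, and it assumes freeze/block apply to memberships outside the governing tenant; the error codes and status names are the ones documented on this page. Note the exact domain match in email_domain: a suffix test would also govern bob@notexample.com.

```python
"""Decision logic for the Domain Governance grace period and policies (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, Optional, Tuple

GRACE_PERIOD = timedelta(days=30)
Decision = Tuple[bool, Optional[str]]   # (allowed, error code or informational marker)


@dataclass(frozen=True)
class GovernedDomain:                   # field names are assumptions, not the real schema
    domain: str                          # claimed domain, e.g. "example.com"
    governing_tenant: str                # tenant that claimed and verified it
    verified_at: datetime                # the 30-day grace period starts here
    block_cross_tenant_join: bool = False
    block_external_registration: bool = False
    locked_profile_fields: FrozenSet[str] = frozenset()
    existing_membership_policy: str = "allow"   # allow | freeze_after_grace | block_after_grace


def email_domain(email: str) -> Optional[str]:
    """Domain after the last '@', lower-cased. Match it exactly: a suffix test such as
    endswith("example.com") would also govern bob@notexample.com."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def governing_domain(email: str, domains: Iterable[GovernedDomain]) -> Optional[GovernedDomain]:
    wanted = email_domain(email)
    if wanted is None:
        return None
    return next((gd for gd in domains if gd.domain.lower() == wanted), None)


def in_grace_period(gd: GovernedDomain, now: datetime) -> bool:
    return now < gd.verified_at + GRACE_PERIOD


def _enforce(gd: GovernedDomain, now: datetime, error_code: str) -> Decision:
    """During the grace period a policy only raises the banner; afterwards it blocks."""
    if in_grace_period(gd, now):
        return True, "GRACE_PERIOD"   # assumed marker telling the UI to show the banner
    return False, error_code


def check_invitation(email: str, target_tenant: str,
                     domains: Iterable[GovernedDomain], now: datetime) -> Decision:
    """Block Cross-Tenant Join (same rule for token-based and in-app invitations)."""
    gd = governing_domain(email, domains)
    if gd is None or not gd.block_cross_tenant_join:
        return True, None
    if target_tenant == gd.governing_tenant:   # the governing tenant may always invite
        return True, None
    return _enforce(gd, now, "GOVERNANCE_CROSS_TENANT_BLOCKED")


def check_registration(email: str, domains: Iterable[GovernedDomain], now: datetime) -> Decision:
    """Block External Registration: no self-registered tenants for governed addresses."""
    gd = governing_domain(email, domains)
    if gd is None or not gd.block_external_registration:
        return True, None
    return _enforce(gd, now, "GOVERNANCE_REGISTRATION_BLOCKED")


def check_profile_edit(email: str, fields: Iterable[str],
                       domains: Iterable[GovernedDomain], now: datetime) -> Decision:
    """Restrict Profile Edits: reject a request that touches any locked field."""
    gd = governing_domain(email, domains)
    if gd is None or not (set(fields) & gd.locked_profile_fields):
        return True, None
    return _enforce(gd, now, "GOVERNANCE_PROFILE_RESTRICTED")


def membership_state(gd: GovernedDomain, membership_tenant: str, now: datetime) -> str:
    """State of one existing membership: grace_period, active, frozen or revoked.
    Assumes freeze/block apply only to memberships outside the governing tenant."""
    if in_grace_period(gd, now):
        return "grace_period"
    if membership_tenant == gd.governing_tenant or gd.existing_membership_policy == "allow":
        return "active"
    if gd.existing_membership_policy == "freeze_after_grace":
        return "frozen"
    if gd.existing_membership_policy == "block_after_grace":
        return "revoked"   # the membership is removed
    raise ValueError(f"unknown existing_membership_policy {gd.existing_membership_policy!r}")


# Constructed sample: example.com claimed by tenant "acme", verified on 2024-01-01.
EXAMPLE = GovernedDomain("example.com", "acme", datetime(2024, 1, 1, tzinfo=timezone.utc),
                         block_cross_tenant_join=True, block_external_registration=True,
                         locked_profile_fields=frozenset({"first_name", "last_name", "display_name"}),
                         existing_membership_policy="freeze_after_grace")
DURING_GRACE = EXAMPLE.verified_at + timedelta(days=1)
AFTER_GRACE = EXAMPLE.verified_at + timedelta(days=31)

if __name__ == "__main__":
    for when in (DURING_GRACE, AFTER_GRACE):
        print(when.date(), check_invitation("alice@example.com", "other-tenant", [EXAMPLE], when))
    print(check_invitation("bob@notexample.com", "other-tenant", [EXAMPLE], AFTER_GRACE))
    print(membership_state(EXAMPLE, "other-tenant", AFTER_GRACE))
```

Run it as a script to see the same invitation allowed (with the banner marker) one day after verification and blocked with GOVERNANCE_CROSS_TENANT_BLOCKED on day 31, while bob@notexample.com is never governed.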
Force Logout
Admins with the session_management feature enabled can trigger a forced logout for any governed user. The user's current session is invalidated within 24 hours, not immediately, so when responding to a compromised account treat force logout as a scheduled revocation rather than an instant one.
Governed Users
After domain verification all existing users in the governing tenant whose email matches the domain are automatically added to the governed users list. The list is visible under Settings → Domain Governance → Governed Users and shows:
- User email and display name
- Governance status (active / grace_period / frozen)
- Actions (force logout)
GLAD Administration
GLAD super admins manage Domain Governance licenses at GLAD → Domain Governance. The dashboard shows:
- All tenants with license status
- Feature flags per tenant
- Domain and verification statistics
- Activate / deactivate controls
API Endpoints
All endpoints require authentication and the Domain Governance add-on license.
| Method | Path | Description |
|---|---|---|
| GET | /api/domain-governance/domains | List claimed domains |
| POST | /api/domain-governance/domains | Claim a new domain |
| DELETE | /api/domain-governance/domains/:id | Remove a claim |
| POST | /api/domain-governance/domains/:id/verify | Trigger DNS verification |
| GET | /api/domain-governance/domains/:id/policy | Get governance policy |
| PUT | /api/domain-governance/domains/:id/policy | Update policy |
| GET | /api/domain-governance/domains/:id/users | List governed users |
| POST | /api/domain-governance/users/:id/force-logout | Force logout |
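As an added example (not Uslimato's own client), the script below drives the "Claiming a Domain" procedure through the endpoints listed above: claim, check the hge_uslimato_verify TXT record locally, call Verify, then set the policy. The endpoint paths and TXT record name come from this page; bearer-token authentication, the request bodies and the JSON field names (id, verification_token, status) are assumptions, and the dig output and server responses used by demo() are constructed so the flow runs offline.

```python
"""Claim and verify a domain through the Domain Governance endpoints (added example)."""
import hmac
import json
import shlex
import subprocess
import urllib.request
from typing import Callable, List, Optional

VERIFY_PREFIX = "hge_uslimato_verify="
BASE_PATH = "/api/domain-governance"
CALL_LOG: List[tuple] = []   # (method, path) of every request the stand-in server saw


def parse_dig_txt(output: str) -> List[str]:
    """Turn `dig +short TXT <domain>` output into one string per TXT record.
    A record over 255 bytes is printed as several quoted chunks on one line
    ("aaa" "bbb"); they belong to the same record and are re-joined here."""
    return ["".join(shlex.split(line)) for line in output.splitlines() if line.strip()]


def has_verification_record(records: List[str], token: str) -> bool:
    """True if a TXT record equals hge_uslimato_verify=<token> exactly.
    Exact comparison, not substring: a record that merely contains the token
    inside other text must not count. compare_digest keeps timing uniform."""
    expected = (VERIFY_PREFIX + token).encode()
    found = False
    for record in records:
        found |= hmac.compare_digest(record.encode(), expected)
    return found


def dig_txt(domain: str) -> str:
    """Live lookup (needs dig on PATH); demo() uses canned output instead."""
    return subprocess.run(["dig", "+short", "TXT", domain],
                          capture_output=True, text=True, check=True).stdout


class GovernanceClient:
    """Thin wrapper over the documented endpoints. send(method, path, body) is
    injectable so the flow can run against a stand-in instead of a live server."""

    def __init__(self, base_url: str, bearer_token: str,
                 send: Optional[Callable[[str, str, Optional[dict]], dict]] = None):
        self.base_url = base_url.rstrip("/")
        self.bearer_token = bearer_token   # assumed auth scheme
        self.send = send or self._http_send

    def _http_send(self, method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.bearer_token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def claim_domain(self, domain: str) -> dict:
        return self.send("POST", f"{BASE_PATH}/domains", {"domain": domain})

    def verify_domain(self, domain_id: str) -> dict:
        return self.send("POST", f"{BASE_PATH}/domains/{domain_id}/verify", None)

    def set_policy(self, domain_id: str, policy: dict) -> dict:
        return self.send("PUT", f"{BASE_PATH}/domains/{domain_id}/policy", policy)


def claim_and_verify(client: GovernanceClient, domain: str,
                     txt_lookup: Callable[[str], str], policy: dict) -> dict:
    """Claim -> check the TXT record locally -> Verify -> set the policy. The local
    check runs first so a still-propagating DNS change is reported as such."""
    claimed = client.claim_domain(domain)
    domain_id, token = claimed["id"], claimed["verification_token"]   # assumed field names
    if not has_verification_record(parse_dig_txt(txt_lookup(domain)), token):
        raise RuntimeError(f"{VERIFY_PREFIX}{token} not visible in TXT records for {domain}; "
                           "wait for propagation (up to 48 hours) and retry")
    verified = client.verify_domain(domain_id)
    if str(verified.get("status", "")).lower() != "verified":
        raise RuntimeError(f"verification failed: {verified}")
    client.set_policy(domain_id, policy)
    return verified


# Constructed sample data so the flow runs offline.
SAMPLE_TOKEN = "3f9c0a7b2d"
SAMPLE_DIG_OUTPUT = ('"v=spf1 include:_spf.example.net ~all"\n'
                     f'"{VERIFY_PREFIX}{SAMPLE_TOKEN}"\n')
SAMPLE_POLICY = {"block_cross_tenant_join": True, "block_external_registration": True,
                 "locked_profile_fields": ["first_name", "last_name"], "can_delete_account": False}


def fake_send(method: str, path: str, body: Optional[dict]) -> dict:
    """Stand-in server answering in the assumed JSON shapes; records each call."""
    CALL_LOG.append((method, path))
    if (method, path) == ("POST", f"{BASE_PATH}/domains"):
        return {"id": "dom_1", "domain": body["domain"],
                "verification_token": SAMPLE_TOKEN, "status": "pending"}
    if path.endswith("/verify"):
        return {"id": "dom_1", "status": "verified", "grace_period_days": 30}
    if path.endswith("/policy"):
        return {"id": "dom_1", "policy": body}
    raise ValueError(f"unexpected call {method} {path}")


def demo() -> dict:
    """Run the whole flow against the stand-in server; returns the Verify response."""
    del CALL_LOG[:]
    client = GovernanceClient("https://uslimato.example", "ADMIN_TOKEN", send=fake_send)
    return claim_and_verify(client, "example.com", lambda _domain: SAMPLE_DIG_OUTPUT, SAMPLE_POLICY)


if __name__ == "__main__":
    print(demo())
    print(CALL_LOG)
```

Against a real tenant, construct GovernanceClient without the send argument and pass dig_txt as txt_lookup; the local TXT check is the same one to run by hand when Verify keeps failing, since it distinguishes a record that has not propagated from a record whose value does not match exactly.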