## <a id="domains"></a> Domains

A [Service](#objecttype-service) object can be restricted using the `domains` attribute
array specifying endpoint privileges.
A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint).

The following example assigns the domain `dmz-db` to the service `dmz-oracledb`. Endpoint
`icinga-node-dmz-1` does not allow any object modification (no commands, check results) and only
relays local messages to the remote node(s). The endpoint `icinga-node-dmz-2` processes all
messages read and write (accept check results, commands and also relay messages to remote
nodes).

That way the service `dmz-oracledb` on endpoint `icinga-node-dmz-1` will not be modified
by any cluster event message, and could be checked by the local authority too presenting
a different state history. `icinga-node-dmz-2` still receives all cluster message updates
from the `icinga-node-dmz-1` endpoint.

    object Host "dmz-host1" {
      import "generic-host"
    }

    object Service "dmz-oracledb" {
      import "generic-service"

      host_name = "dmz-host1"

      domains = [ "dmz-db" ]
      authorities = [ "icinga-node-dmz-1", "icinga-node-dmz-2"]
    }

    object Domain "dmz-db" {
      acl = {
        "icinga-node-dmz-1" = DomainPrivReadOnly
        "icinga-node-dmz-2" = DomainPrivReadWrite
      }
    }