This is primarily for security purposes. When a 2B power user adds an existing user, he should not be able to browse the directory of all account users. This would be a major privacy/NDA violation. We will only allow the 2B power user to browse other users with valid domains.
When a 2B power user creates a new user, he should not be able to try creating users with any domain. Otherwise he can "check" to see if certain users exist in the system. For example, if Liferay's Help Center was using self-service accounts, allowing a Bank of the West 2B power user to try creating a user with email@example.com would potentially confirm whether Bank of America is also a customer (which violates NDA).
- Domains can be shared by multiple accounts. For example, "Alphabet Inc", "Google LLC", and "Waymo LLC" can all be separate accounts but share @google.com as a domain
- There's no limitation on the number of domains an account can have
- Standard domain name validation should be applied: https://help.returnpath.com/hc/en-us/articles/220560587-What-are-the-rules-for-email-address-syntax-
We should consider adding support for matching domains with wildcards. It's possible that an account will use multiple subdomains or extensions (e.g., @liferay.com, @liferay.es, @help.liferay.com). Customers may want to configure a wildcard match like @*.liferay.*. For now, we will require each domain to be explicitly listed.
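One way to enforce the rules above, shown as an added example rather than Liferay's own code: the domain check runs before any user lookup, so a request outside the account's domains gets the same answer whether or not the user exists. The in-memory `ACCOUNT_DOMAINS` store, the function names, the return strings and the hostname label rules are assumptions; the sample data is constructed.

```python
import re

# Hypothetical store: account -> explicitly listed domains (constructed sample data).
ACCOUNT_DOMAINS = {
    "Alphabet Inc": {"google.com"},
    "Waymo LLC": {"google.com", "waymo.com"},  # domains may be shared across accounts
    "Liferay": {"liferay.com", "liferay.es", "help.liferay.com"},
}

# Assumed label rule: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_domain(domain):
    """Return the lowercased domain if it is syntactically valid, else None."""
    d = domain.strip().lstrip("@").lower()
    labels = d.split(".")
    if len(d) > 253 or len(labels) < 2:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return d


def email_domain(email):
    """Extract and validate the domain part of an email address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local:
        return None
    return normalize_domain(domain)


def may_manage(account, email):
    """True only if the email's domain is explicitly listed for the account.

    Exact match only: no wildcard or subdomain matching.
    """
    domain = email_domain(email)
    return domain is not None and domain in ACCOUNT_DOMAINS.get(account, set())


def add_or_create_user(account, email, existing_users):
    """Reject out-of-domain requests before consulting the user directory."""
    if not may_manage(account, email):
        return "domain-not-allowed"  # identical for existing and unknown users
    return "added-existing" if email.lower() in existing_users else "created"
```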