When managers of group accounts have multiple alias or child domain name spaces, the email address they choose for their users implies the authorization realm in which these users will reside. Effectively, this prevents two individual users whom are associated with the same group manager account to share information among themselves.

So, an admin@example.org could have a child domain example.ch. Creating John as john@example.org and Jane as jane@example.ch will prevent John (user/john@example.org) and Jane (user/jane@example.ch) from sharing content between them (crossing the boundary between the example.org and example.ch authorization realms is not allowed).

Using a (realmed) result attribute different from the primary email recipient address (to name the mailbox and canonify the login username to) could resolve this issue, and allow John and Jane to share content.

However, this strict boundary between authorization realms may, at times, be the desired -- such as for a reseller with company.de and competitor.nl as customers.

The introduction of a "sharing domain" for the HKCCP group manager user management forms could resolve the issue. The administrator can then, separately from the primary email recipient address, choose the authorization realm in which the mailbox and therefore the user's login should be put.