When asking for group approval in a domain separated instance, approvals will not be created for group members not visible from the domain of the RITM or current record, even if the group members can see the RITM or current record.
Steps to Reproduce
1. Activate plugin "Domain Support - Domain Extensions Installer" with demo data.
2. Create a sys_user_group with name 'DEF0166227_user_group' and edit its group members, adding "System Administrator" and "ACME Manager".
3. Edit user "ACME Manager", adding role "admin".
4. Create a domain "ACME child" with parent ACME. Edit domain ACME to contain domain "ACME child".
5. Create a user "ACME child user" in domain "ACME child".
6. Create a flow in the global domain, triggered by a service request, that asks for approval by group 'DEF0166227_user_group'.
7. Under Maintain Items, choose "Apple Ipad 3", remove the workflow, and set the flow to the flow created in step 5.
8. Impersonate "ACME child user" and order "Apple Ipad 3".
9. End impersonation and open RITM. Observe that an approval was created for "System Administrator" but not for "ACME Manager".
A possible workaround would be to configure domain separation such that the sys_user_grmember and sys_user records of the necessary approvers are visible from the domain of the RITM. This may not be acceptable if it allows too much to be seen from the RITM's domain.
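The visibility asymmetry behind this behaviour, and the exposure cost of the workaround, as an added example that is not ServiceNow code or part of the original article. It uses a simplified visibility model; the approvers' domain assignments, the "Other Co" domain, and modelling the workaround as moving the approver records to global are all assumptions.

```javascript
// Simplified model (an assumption, not platform code): a viewer in domain V sees a
// record in domain R when R is global, V is global, R is V or a descendant of V,
// or R falls under a domain that V "contains".
const domains = {                                   // constructed to match the repro steps
  'ACME':       { parent: null,   contains: ['ACME child'] },
  'ACME child': { parent: 'ACME', contains: [] },
  'Other Co':   { parent: null,   contains: [] },   // unrelated tenant, constructed
};

function isSameOrDescendant(domain, ancestor) {
  for (let d = domain; d; d = domains[d].parent) {
    if (d === ancestor) return true;
  }
  return false;
}

function canSee(viewerDomain, recordDomain) {
  if (recordDomain === 'global' || viewerDomain === 'global') return true;
  if (isSameOrDescendant(recordDomain, viewerDomain)) return true;
  return domains[viewerDomain].contains.some(c => isSameOrDescendant(recordDomain, c));
}

// Behaviour described above: approvals only for members visible from the record's domain.
function approvalsCreated(ritmDomain, members) {
  return members.filter(m => canSee(ritmDomain, m.domain)).map(m => m.name);
}

// Members who can themselves open the record (the opposite direction of visibility).
function membersWhoSeeRecord(ritmDomain, members) {
  return members.filter(m => canSee(m.domain, ritmDomain)).map(m => m.name);
}

// Exposure check for the workaround: every domain a record in recordDomain is visible from.
function visibleFromDomains(recordDomain) {
  return Object.keys(domains).filter(v => canSee(v, recordDomain));
}

const members = [                      // domain assignments are assumptions about the demo data
  { name: 'System Administrator', domain: 'global' },
  { name: 'ACME Manager', domain: 'ACME' },
];
const ritmDomain = 'ACME child';       // RITM ordered by "ACME child user"
// Workaround modelled (assumption) as moving the approver records to global.
const widened = members.map(m => ({ ...m, domain: 'global' }));

console.log('approvals:', approvalsCreated(ritmDomain, members));
console.log('can open RITM:', membersWhoSeeRecord(ritmDomain, members));
console.log('approver visible from (before):', visibleFromDomains('ACME'));
console.log('approvals (workaround):', approvalsCreated(ritmDomain, widened));
console.log('approver visible from (after):', visibleFromDomains('global'));
```

Before widening visibility in a real instance, run the equivalent comparison against the actual domain hierarchy to see which additional domains gain sight of the approver records.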
Related Problem: PRB1444088