I recently ran into a language security error with a custom Sitecore security domain and have detailed the fix in this post. I have also provided links to a couple of other helpful resources for setting up new custom security domains.
Sitecore custom security domain documentation can be found here and covers most steps needed for creating a new domain.
The creation of a new domain triggers an update in the \App_Config\Security\Domains.config which will need to be propagated to all environments. Since this lives outside of the Sitecore node, you cannot patch new domains in with a Sitecore config override file but Kam Figy details a patch solution here.
This is all well and good but now when you log in with a non-admin user, this language security error appears:
“The security settings for the current language prevent you from seeing this item. To continue, select another language from the Language drop-down list on the Versions tab.”
Every domain in Sitecore has a build in “Everyone” role. All users in the domain inherit from this role but it cannot be managed like a regular role. It is only accessible from the security editor so access can be assigned but not from the regular roles manager.
When my new custom domain was created, an “Acme\Everyone” group was automatically created as expected. What was not expected is that this new role does not have language read and write access by default.
To fix this, go to the security editor and search for the everyone account for your domain.
Click on the columns icon and check “Language Read” and “Language Write”
Browse to the System/Languages folder and click Assign Security. You will notice that the sitecore\Everyone group has Language Read and Language Write access on this folder and descendants. Give your domain Everyone user the same access. Problem solved.
Of note: this post refers to Sitecore 9 update 1.