
New ENTERPRISE_VIEWER role in Abiquo 3.8.3

The ENTERPRISE_VIEWER is a new role that allows read-only access to the cloud platform. A user with this role can access a VDC and view VApps, VMs and VM details. See Privileges for the list of privileges assigned to this role.

 

Abiquo user management has a flexible concept of roles associated with privileges. Each user is assigned a role and that role is assigned a set of privileges to grant access to different cloud features.

Abiquo provides a set of default roles (CLOUD_ADMIN, ENTERPRISE_ADMIN and USER) and these can be cloned and modified to create new roles. The default CLOUD_ADMIN role cannot be modified. You can also create roles and match them to LDAP groups for automatic user creation and role assignment.

The Administration Scope of a role defines the resources (such as datacenters and enterprises) that the role can view, access and administer. The privileges assigned to the role define how the role can work with the resources, for example, as a user or administrator.

Roles Tab

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource RolesResource.

In Users View, if you have permission to access the Roles tab, manage the roles that will allow access to the platform using the control buttons at the top of the roles list. Assign privileges to a role in the Privileges pane. If you have permission to manage scopes, when you create or edit a role, associate a scope with the role to define the set of resources that a user with this role can access.

Default Roles

The following table describes the default roles. See Privileges for a list of the privileges for each role.

| Default Role | Description |
| --- | --- |
| CLOUD_ADMIN | Manages the physical infrastructure and configurations in order to offer a cloud service. The privileges of the default role cannot be modified. There is a default "admin" user with this role that cannot be modified, with an unlimited scope that also cannot be modified. This role can be cloned and modified, for example, to set an administration scope that restricts an administrator to certain datacenters and enterprises. |
| ENTERPRISE_ADMIN | Manages configurations at enterprise level and grants access to other enterprise users. This role is for users that are responsible for an enterprise to manage their cloud services. By definition, users with this role are restricted to administering their own enterprise. |
| USER | Manages the virtual appliances of an enterprise. Typically, this role is for users working with the cloud service. By definition, users with this role are restricted to their own enterprise. |
| OUTBOUND_API | User for the M module that stores Events in the API and streams them in the Outbound API. The default privileges of this role allow it to read all events. |
| ENTERPRISE_VIEWER | Allows read-only access to the cloud platform. A user with this role can access a VDC and view VApps, VMs and VM details. |

Cloud Admin Role

The Cloud Admin default role cannot be modified and the scope cannot be changed from the default.

Create or Modify a Role

A user can only have one role. You cannot have more than one role of the same name in the same enterprise. Roles in different enterprises can have the same names. If you have permission to manage roles, create a role by clicking the add button, or modify a role by clicking the edit button, and then complete the form:

| Field | Description |
| --- | --- |
| Role name | The name of the role |
| Enterprise | The enterprise that the role belongs to. Leave empty for global (or system) role. Click Browse to select an enterprise instead of typing in the name |
| Make the role global | Mark this checkbox to remove the role's enterprise and create a global (or system) role. Unmark the checkbox and select an enterprise to create an enterprise role |
| Scope | Select an administration scope for the role |
| LDAP Group | The LDAP group that the user belongs to. Required in LDAP mode |

To clone a role, click the clone button. By default the new role will have "Copy:" added to its name, for example, "Copy: CLOUD_ADMIN".

Enterprise Roles and Global Roles

Abiquo allows you to create enterprise roles and global (or system) roles. If you have the Manage global role privilege, when you create a role, you can specify an enterprise or mark the checkbox to make the role global. A global role will be available in all enterprises. If you have the "Associate role with enterprise" privilege but not the Create global role privilege, you can only create roles associated with an enterprise. In the Role list, global roles will appear with the text (global) and enterprise roles will appear only if their enterprise is selected in the Enterprises list.

 

Feature Behavior

A user whose role has the Create global role privilege can create global roles.
A user whose role has the Associate role with enterprise privilege can only create roles associated with an enterprise.

LDAP Groups

 

If you have the Specify LDAP group privilege, associate a role with an LDAP/AD group. When LDAP authentication is activated, a user's role will be determined by the group that they are a member of. In LDAP/AD, users should be a member of one group only, because they may only have one role in Abiquo. Please see the Administrator's Guide for further information about LDAP and Active Directory Integration.
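The one-group rule above can be checked against a directory export before LDAP authentication is switched on. The following is an added example, not Abiquo code: it does not query LDAP or the Abiquo API, and the group DNs, user names and the `audit_role_mapping` helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data, not taken from Abiquo: role name -> matched LDAP group DN.
ROLE_GROUPS = {
    "CLOUD_ADMIN": "cn=abq-cloud-admins,ou=groups,dc=example,dc=com",
    "ENTERPRISE_ADMIN": "cn=abq-ent-admins,ou=groups,dc=example,dc=com",
    "ENTERPRISE_VIEWER": "cn=abq-viewers,ou=groups,dc=example,dc=com",
}

# Constructed directory export: user -> DNs of the groups the user belongs to.
MEMBERSHIPS = {
    "alice": ["cn=abq-ent-admins,ou=groups,dc=example,dc=com"],
    "bob": ["CN=abq-viewers,OU=groups,DC=example,DC=com",
            "cn=abq-cloud-admins,ou=groups,dc=example,dc=com"],
    "carol": ["cn=staff,ou=groups,dc=example,dc=com"],
    "dave": ["cn=abq-viewers,ou=groups,dc=example,dc=com",
             "cn=staff,ou=groups,dc=example,dc=com"],
}


def audit_role_mapping(role_groups, memberships):
    """Sort users into ok / ambiguous / unmapped by role-matched group count."""
    roles_by_group = defaultdict(set)
    for role, group_dn in role_groups.items():
        # Assumption: DNs are compared case-insensitively after trimming.
        roles_by_group[group_dn.strip().lower()].add(role)

    report = {"ok": {}, "ambiguous": {}, "unmapped": []}
    for user, group_dns in sorted(memberships.items()):
        roles = set()
        for dn in group_dns:
            roles |= roles_by_group.get(dn.strip().lower(), set())
        if len(roles) == 1:
            report["ok"][user] = next(iter(roles))
        elif roles:
            # More than one candidate role: breaks the one-group rule.
            report["ambiguous"][user] = sorted(roles)
        else:
            report["unmapped"].append(user)
    return report


if __name__ == "__main__":
    for bucket, users in audit_role_mapping(ROLE_GROUPS, MEMBERSHIPS).items():
        print(bucket, users)
```

Users reported as ambiguous are the ones to resolve first, particularly when one of the candidate roles is an administrative one. Two roles matched to the same group make every member of that group ambiguous.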

Associate a Scope with a Role

When you create a role, the default scope is unlimited. If you have the Manage scopes privilege, you can set a scope for the role:

  1. Create a new role or edit an existing role
  2. Select a scope from the pull-down list
  3. Click Save to continue.

See the Create or Modify a Role section above.