New ENTERPRISE_VIEWER role in Abiquo 3.8.3
The ENTERPRISE_VIEWER is a new role that allows read-only access to the cloud platform. A user with this role can access a VDC and view VApps, VMs and VM details. See Privileges for the list of privileges assigned to this role.
Abiquo user management has a flexible concept of roles associated with privileges. Each user is assigned a role and that role is assigned a set of privileges to grant access to different cloud features.
Abiquo provides a set of default roles (CLOUD_ADMIN, ENTERPRISE_ADMIN and USER) and these can be cloned and modified to create new roles. The default CLOUD_ADMIN role cannot be modified. You can also create roles and match them to LDAP groups for automatic user creation and role assignment.
The Administration Scope of a role defines the resources (such as datacenters and enterprises) that the role can view, access and administer. The privileges assigned to the role define how the role can work with the resources, for example, as a user or administrator.
In Users View, if you have permission to access the Roles tab, manage the roles that will allow access to the platform using the control buttons at the top of the roles list. Assign privileges to a role in the Privileges pane. If you have permission to manage scopes, when you create or edit a role, associate a scope with the role to define the set of resources that a user with this role can access.
The following table describes the default roles. See Privileges for a list of the privileges for each role.
|CLOUD_ADMIN||Manages the physical infrastructure and configurations in order to offer a cloud service. The privileges of the default role cannot be modified. There is a default "admin" user with this role; neither this user nor its unlimited scope can be modified. This role can be cloned and modified, for example, to set an administration scope that restricts an administrator to certain datacenters and enterprises.|
|ENTERPRISE_ADMIN||Manages configurations at enterprise level and grants access to other enterprise users. This role is for users that are responsible for an enterprise to manage their cloud services. By definition, users with this role are restricted to administering their own enterprise.|
|USER||Manages the virtual appliances of an enterprise. Typically, this role is for users working with the cloud service. By definition, users with this role are restricted to their own enterprise.|
|OUTBOUND_API||User for the M module that stores Events in the API and streams them in the Outbound API. The default privileges of this role allow it to read all events.|
|ENTERPRISE_VIEWER||Allows read-only access to the cloud platform. A user with this role can access a VDC and view VApps, VMs and VM details.|
Cloud Admin Role
The Cloud Admin default role cannot be modified and its scope cannot be changed from the default.
A user can only have one role. You cannot have more than one role of the same name in the same enterprise. Roles in different enterprises can have the same names. If you have permission to manage roles, create a role by clicking the add button or modify a role by clicking the edit button and complete the form:
The name of the role
The enterprise that the role belongs to. Leave empty for a global (or system) role. Click Browse to select an enterprise instead of typing in the name.
|Make the role global||Mark this checkbox to remove the role's enterprise and create a global (or system) role. Unmark the checkbox and select an enterprise to create an enterprise role|
|Scope||Select an administration scope for the role|
The LDAP group that the user belongs to. Required in LDAP mode
To clone a role, click the clone button. By default the new role will have "Copy:" added to its name, for example, "Copy: CLOUD_ADMIN".
Abiquo allows you to create enterprise roles and global (or system) roles. If you have the Manage global role privilege, when you create a role, you can specify an enterprise or mark the checkbox to make the role global. A global role will be available in all enterprises. If you have the "Associate role with enterprise" privilege but not the Create global role privilege, you can only create roles associated with an enterprise. In the Role list, global roles will appear with the text (global) and enterprise roles will appear only if their enterprise is selected in the Enterprises list.
A user whose role has the Create global role privilege can create global roles.
A user whose role has the Associate role with enterprise privilege can only create roles associated with an enterprise.
If you have the Specify LDAP group privilege, associate a role with an LDAP/AD group. When LDAP authentication is activated, a user's role will be determined by the group that they are a member of. In LDAP/AD, users should be members of one group only, because they may only have one role in Abiquo. Please see the Administrator's Guide for further information about LDAP and Active Directory Integration.
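The following audit is an added example, not Abiquo code: it checks a directory export against the one-group-per-user rule described above, so that conflicting memberships can be fixed before LDAP authentication is activated. Only the role names come from this page; the group DNs, user names and function names are constructed for illustration.

```python
# Constructed mapping: Abiquo role name -> LDAP group DN the role is matched to.
# Role names are from this page; the DNs are made up for the example.
ROLE_GROUPS = {
    "CLOUD_ADMIN": "cn=abq-cloud-admins,ou=groups,dc=example,dc=com",
    "ENTERPRISE_ADMIN": "cn=abq-ent-admins,ou=groups,dc=example,dc=com",
    "USER": "cn=abq-users,ou=groups,dc=example,dc=com",
    "ENTERPRISE_VIEWER": "cn=abq-viewers,ou=groups,dc=example,dc=com",
}

# Constructed directory export: user -> groups the user is a member of.
MEMBERSHIPS = {
    "alice": ["cn=abq-cloud-admins,ou=groups,dc=example,dc=com"],
    "bob": ["cn=abq-users,ou=groups,dc=example,dc=com",
            "cn=abq-ent-admins,ou=groups,dc=example,dc=com"],
    "carol": ["cn=vpn-users,ou=groups,dc=example,dc=com"],
    "dave": ["CN=abq-viewers, OU=groups, DC=example, DC=com",
             "cn=vpn-users,ou=groups,dc=example,dc=com"],
}


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around each RDN so equal DNs compare equal.
    Simplified: does not handle escaped commas inside RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_role_mapping(role_groups, memberships):
    """Return (resolved, ambiguous, unmapped) for the one-role-per-user rule."""
    group_to_role = {normalize_dn(dn): role for role, dn in role_groups.items()}
    resolved, ambiguous, unmapped = {}, {}, []
    for user, groups in sorted(memberships.items()):
        roles = sorted({group_to_role[g] for g in map(normalize_dn, groups)
                        if g in group_to_role})
        if len(roles) == 1:
            resolved[user] = roles[0]
        elif roles:
            ambiguous[user] = roles   # member of several role-mapped groups
        else:
            unmapped.append(user)     # member of no role-mapped group
    return resolved, ambiguous, unmapped


if __name__ == "__main__":
    resolved, ambiguous, unmapped = audit_role_mapping(ROLE_GROUPS, MEMBERSHIPS)
    print("resolved:", resolved)
    print("ambiguous (fix in the directory):", ambiguous)
    print("no role-mapped group:", unmapped)
```

Users reported as ambiguous would match more than one role, so their effective privileges depend on which group wins; resolve these in the directory rather than relying on evaluation order.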
When you create a role, the default scope is unlimited. If you have the Manage scopes privilege, you can set a scope for the role:
See the Create or Modify a Role section above.