The Administration scope (or User scope) feature is designed for administrators and is applied to a user role. A scope defines the list of resources (datacenters and enterprises) that a user can view and administer. In contrast, the privileges assigned to a role define how the user can work with resources, for example, as a user or administrator. This means that an administrator can deploy virtual machines in any of the datacenters that the user's enterprise is allowed to use (Edit Enterprise, Allowed Datacenters), even if the user's Administration Scope does not include these datacenters.
Abiquo also uses scopes to control access to resources. These are called resource scopes and are referred to by the specific name of the resource, for example, spec scope. You can create resource scopes in the same way as user scopes. However, for the specific applications and assignment rules for these scopes, see the Manage resource scopes page.
The administration scope of an Abiquo role defines what resources the role can administer. Other access controls, such as allowed datacenters or VDC restriction, may also apply, but these are independent of scope because they apply to use, not administration.
A role can only have one scope but a scope can belong to more than one role. The resources that can be assigned to a scope are:
Scope allows organizations to create administrators for groups of resources. For example, a global managed service provider could create a scope for a country or region. In Spain, for instance, an organization may have datacenters in Madrid, Barcelona, Valencia and Seville. An administrator for Spain would have access to all these datacenters, but the administrator for Eastern Spain would only have access to Barcelona and Valencia, which are on the east coast.
The default scope is unlimited and this scope is always assigned to the default CLOUD_ADMIN role and admin user. If you select the default scope from the Scopes list, the resources column is empty. This is because it includes all resources, so no resources are displayed.
Scope is independent of other access control methods. For example, an ordinary user may have an unlimited scope, but the USER role will only allow access to one enterprise. Scope is designed to restrict administrator access to resources, not user access. For example, if an administrator has a scope that includes Datacenter A, but their enterprise can deploy in Datacenter A and Datacenter B, then the user will only be able to administer resources of Datacenter A, but they will be able to deploy in Datacenter A and Datacenter B.
From the Users view, if you have permission to manage scopes, you can access the Scopes tab and manage the scopes to define administrator access to cloud resources. If you also have permission to manage roles, then you can assign a scope to a role when editing the role.
Click the add button to create a new scope. By default, the new scope will contain the current user's scope or the last scope the user created. In the popup, in the Enterprises and Datacenters columns, select the resources the scope will allow the user to administer. You cannot create a scope with more access than the scope assigned to your own role.
To create an unlimited scope for a resource group, first log in as a user with an unlimited scope. This means that you will not need to modify the scope when new resources are added to Abiquo.
After ticking a Select all checkbox, if you then wish to select an individual resource, first deselect the Select all checkbox.
After you create an Administration scope, if you have privileges to Manage Roles, then you can assign a scope to a role when creating or editing the role from the Roles tab. See Create or Modify a Role on the Manage Roles page.
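The rules described above (scope limits administration, Allowed Datacenters limits deployment, and a new scope cannot exceed its creator's scope) can be checked with a small model when reviewing who can do what. This is an added example, not Abiquo code or its API; the class, function names and sample data are assumptions, and a single `unlimited` flag stands in for the default scope.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    """Model of an administration scope (illustrative, not Abiquo code)."""
    name: str
    datacenters: frozenset = frozenset()
    enterprises: frozenset = frozenset()
    unlimited: bool = False  # assumption: one flag models the default unlimited scope

    def covers(self, other):
        """True if `other` grants no more access than this scope."""
        if self.unlimited:
            return True
        if other.unlimited:
            return False
        return (other.datacenters <= self.datacenters
                and other.enterprises <= self.enterprises)

def can_administer(scope, datacenter):
    """Administration is bounded by the scope assigned to the user's role."""
    return scope.unlimited or datacenter in scope.datacenters

def can_deploy(allowed_datacenters, datacenter):
    """Deployment is bounded by the enterprise's Allowed Datacenters, not by scope."""
    return datacenter in allowed_datacenters

def can_create_scope(creator_scope, requested):
    """A new scope cannot carry more access than the creator's own scope."""
    return creator_scope.covers(requested)

def access_matrix(scope, allowed_datacenters, datacenters):
    """Map each datacenter to (can administer, can deploy) for an access review."""
    return {dc: (can_administer(scope, dc), can_deploy(allowed_datacenters, dc))
            for dc in datacenters}

# Constructed sample data based on the Spain example on this page.
SPAIN = Scope("Spain", frozenset({"Madrid", "Barcelona", "Valencia", "Seville"}))
EAST = Scope("Eastern Spain", frozenset({"Barcelona", "Valencia"}))
UNLIMITED = Scope("Global", unlimited=True)
ALLOWED = frozenset({"Madrid", "Barcelona"})  # hypothetical enterprise setting

if __name__ == "__main__":
    for dc, flags in access_matrix(EAST, ALLOWED, sorted(SPAIN.datacenters)).items():
        print(dc, flags)
```

In the matrix for the Eastern Spain administrator, Madrid comes out as deployable but not administrable, which is the case worth looking for when auditing scopes against enterprise settings.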
Screenshot: Assign a scope to a role
For information about assigning a scope to a resource, such as a Virtual Appliance spec, see Manage resource scopes.