
Introduction to resource scopes

On the Manage Scopes page we describe how a user scope or administration scope defines the list of resources (datacenters and enterprises) that a user of a specific role can view and administer. Scopes complement the privileges assigned to a role, which define how the role can work with resources, for example, as a user or administrator. For example, this means that an administrator can deploy virtual machines in any of the datacenters that the user's enterprise is allowed to use (Edit Enterprise, Allowed Datacenters), even if the user's role scope does not include these datacenters.

Abiquo also uses scopes in other ways to control different resources, and in this case, the documentation will refer to them in general as resource scopes and specifically with the name of the resource they manage. For example, for virtual appliance specs, spec scopes define a list of tenants whose users can access the spec, as well as the users who can administer it.

Virtual appliance spec scopes

A virtual appliance spec can have zero or more scopes, which control access in addition to the required privileges:

  • Consume specs
    • If there is no scope, users in the creation user's tenant can create virtual appliances from the spec
    • If there are one or more scopes, users in the tenants listed in the scope(s) can create virtual appliances based on their access to an enterprise and their allowed datacenters
  • Manage specs
    • Administrators with the same or higher administration scopes for enterprises as the sum of the spec scopes can manage spec versions, locations, etc.
  • Manage spec scopes
    • If the administrator has unlimited global scope, they can choose to not assign a scope or choose from any scope when they create or edit a spec
    • If the administrator has a limited scope
      • When creating a spec, they can choose to not assign a scope or select their own scope. 
      • When editing a spec, they cannot make changes to scopes.

The following diagram shows how a spec can have one or more scopes to determine which users can work with the spec.

Diagram: How role (administration) scopes and spec scopes work together

Remember that only administrators with all required privileges and unlimited global scope can manage all scopes for specs. 

Assign scopes to vapp specs

After you create a resource scope with a list of tenants, you can allow the users of these tenants to use the resource by assigning the scope to the resource. See Manage Virtual Appliance Specs, section "Define the users who can work with a spec".

Screenshot: Assign scopes to a spec. Users from the enterprises listed in the scopes can work with the spec.

Management of spec scopes with scope privileges:

  • If the administrator has unlimited global scope, then they can manage scopes when they create or edit a spec, and choose to not assign a scope, or assign a limited scope or a global scope.
  • If the administrator has a limited scope
    • When creating a spec, they can choose to either not assign a scope or select their own scope. 
    • When editing a spec, they cannot make changes to scopes.
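
The rules in the two lists above (access through spec scopes, and management of spec scopes), written out as a small Python model. This is an added illustration, not Abiquo code or its API: the class and function names are hypothetical, the privilege strings are only the list headings from this page, and datacenter checks are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Scope:
    name: str
    tenants: frozenset                # enterprises (tenants) listed in the scope

@dataclass(frozen=True)
class Admin:
    privileges: frozenset             # labels taken from this page's list headings
    scope: Optional[Scope] = None     # None models unlimited global scope

@dataclass(frozen=True)
class Spec:
    creator_tenant: str
    scopes: frozenset = frozenset()   # zero or more Scope objects

def can_consume(spec, tenant, privileges):
    """Consume specs: the privilege plus tenant membership."""
    if "Consume specs" not in privileges:
        return False
    if not spec.scopes:               # no scope: creation user's tenant only
        return tenant == spec.creator_tenant
    return any(tenant in s.tenants for s in spec.scopes)

def can_manage(spec, admin):
    """Manage specs: admin scope must cover the sum (union) of the spec scopes."""
    if "Manage specs" not in admin.privileges:
        return False
    if admin.scope is None:
        return True
    # Assumption: a spec with no scopes is treated as covering its creator's tenant.
    needed = frozenset().union(*(s.tenants for s in spec.scopes)) or {spec.creator_tenant}
    return needed <= admin.scope.tenants

def scope_change_allowed(admin, current, requested, editing):
    """Manage spec scopes: which scope assignments an administrator may submit."""
    if "Manage spec scopes" not in admin.privileges:
        return False
    if admin.scope is None:           # unlimited global scope: no scope or any scope
        return True
    if editing:                       # limited scope: no scope changes on edit
        return requested == current
    return requested in (frozenset(), frozenset({admin.scope}))
```
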