Resellers are platform customers (enterprise tenants) that can have their own customers on the platform. This document describes how to create a reseller and a reseller administrator, and the different levels of access that you can grant this user. This document is a basic guide only, and customers should always consult the Abiquo Customer Service team for specific guidance and to resolve any doubts.
The platform has two main ways of controlling user access: through roles with privileges, and through scopes (for administration and resources). This document assumes you have a basic understanding of Abiquo roles and scopes. See Manage Roles and Manage Scopes.
Generally, we recommend that you create a tenant admin role for your specific environment based on the default ENTERPRISE_ADMIN role, and then add scope and additional privileges for reseller administrators.
A reseller admin will have a user scope that includes the Abiquo enterprises (tenants) that they will manage, which are their customers.
The reseller admin can manage these tenants and the resources of each individual tenant.
So, for example, you could have a reseller called "Onseller", which is an Abiquo tenant.
The reseller can then manage its customers (also Abiquo tenants) called "Customer", "Customer2" and "Customer3".
The platform will mark the Reseller with (R) in the Enterprise list.
A reseller admin role can have a range of privileges depending on how you will manage resellers and cloud users on the platform. So how the reseller will "manage its customers" will vary, depending on the privileges.
Before you create a reseller admin, we recommend that you first extend the standard ENTERPRISE_ADMIN role to create a basic tenant admin role to cover all features for your platform. For example, if your tenant admins should be able to manage hard disks, add this privilege, and so on.
The base privileges for standard reseller admins are these Home view privileges:
When you assign these privileges to a reseller admin role, the user can view a list of their enterprises (in scope) in the home view and switch from one enterprise to another to manage virtual resources.
When the reseller admin switches to an enterprise, they will be able do all the typical enterprise administration tasks. For example, obtain public IP addresses and create private networks, upload templates, etc.
The reseller admin stays in the enterprise they have switched to until they switch to another. The enterprise does not change when the user logs out and logs in again.
If you wish to maintain a separate administrator account for each tenant, the administrator can log in with a separate user to each tenant that they will administer. In this case, you do not need to add the List enterprises within scope or the Allow user to switch enterprise privilege. We only recommend this option for resellers with a small number of tenants!
The users view privileges determine how the administrator can manage their customers and cloud users.
It is not necessary for your reseller administrators to have these privileges.
For example, if you manage all cloud user accounts with a centralized system, you may wish to remove the Manage users privilege from the reseller administrator.
If your reseller will be managing users, in addition to the Manage users privilege that is part of the standard tenant admin role, you can assign additional privileges.
To allow the reseller to manage enterprises and users in a single pane of glass, rather than by switching enterprises, assign the privileges to Manage enterprises and Manage users of all enterprises.
Note that although the privilege is called "Manage users of all enterprises", the administrator can only manage the enterprises listed in their scope.
Note that each enterprise must have a default scope, which the platform will assign to all new users in the enterprise. Note that administrators can change the scope. However, administrators who can manage scopes can also assign the enterprise scope to users, even if it is higher than or completely different to their own scope! However, if you are using data aggregation for resellers or key nodes, you must use the enterprise default scope to define the top level scope for the reseller or key node, so it would not be convenient to change it for administrator security.
If your reseller needs to be able to share resources (VM templates and VApp spec blueprints) to give access to their customers, then your reseller will be able to share templates and specs by assigning (or unassigning) their own scope and the scopes beneath their scope in the hierarchy to templates and specs.
Note that it is possible for enterprises to belong to more than one scope and this means that you can create a scope just to group tenants who will all use the same resources.
If your reseller is able to create their own tenants, Abiquo will automatically add these to the reseller's scope.
If the reseller's tenants are part of a scope hierarchy and your reseller does not need to manage their users or enterprises, then you can remove them from your reseller's scope. If you wish to allow your reseller to manage their own scope hierarchy, assign the Manage scopes privilege. This means that the reseller can add their tenants to a scope hierarchy beneath their own scope
With the platform's pricing system, you can assign prices to your reseller customers using a pricing model, which has a list of resource prices. Generally, you would enable resellers to view their own pricing model and to create new pricing models for their own customers, based on the prices that you will charge them including a markup.
For details of how to onboard hardware profile prices into pricing models at all levels of the hierarchy, see Synchronize public cloud price lists.
The platform can obtain billing data from public cloud providers and display it on billing dashboards. When you add compute credentials for your reseller customers you can also configure and enable the billing dashboards for them. These dashboards display the latest bills and estimated bills for Amazon, Azure, and Google Cloud.
For more details, see Display cloud provider billing data
An example of a hierarchy of tenants could be a chain of retail stores with a head office and regional offices, as well as the stores themselves. The head office may manage the regional offices, and the regional offices may manage the stores. The IT department in the head office and the IT department in the regional office may both share VM templates with the stores.
You can use tenant scopes to:
The following diagram shows an example of a tenant scopes that are in a hierarchy. The hierarchy contains the following scopes:
For more information, see: