Abiquo 5.3

Skip to end of metadata
Go to start of metadata

Changes to scopes from Abiquo 4.0

  • Now administrators assign scopes to Abiquo users. In previous versions, administrators assigned scopes to Abiquo roles and the global scope was the default
    • During the upgrade process to version 4.0, Abiquo assigns role scopes to users
  • All enterprises must now have a default scope for creating users
  • Administrators can now create optional hierarchies of scopes and share resources, such as templates and specs, with tenants at lower levels of their hierarchies

Scope concepts

Scope is an access list that contains a list of resources (enterprises and/or datacenters) to allow access.

You can use scopes to:

  1. Create restricted sets of resources for administrators
  2. Share resources with a group of tenants and an optional tenant hierarchy
  3. Create a tenant hierarchy for pricing, billing, and cost and usage aggregation, which is useful for resellers and large organizations

Create a scope

Scopes are access lists for users, enterprises, and/or resources. They can also define hierarchies for accounting and billing aggregation.

Privilege: Manage scopes, Allow user to switch enterprises, Manage role and scope allowed CIDRs

To create a scope do these steps:

  1. Go to UsersScopes
  2. Click the + add button
  3. Enter the details as described in the following table

NameThe name of the scope
Parent scope

To optionally add the scope to a hierarchy, select a Parent scope. We recommend that under a hierarchy with limited scopes you should not select unlimited scopes (Use all enterprises and/or Use all datacenters)

Allowed CIDRsTo optionally create a default list of network addresses from which users with this scope can access the platform, enter Allowed CIDRs. You can also set allowed CIDRs for a role. The user will inherit the role and scope CIDRs. Any allowed CIDRs set directly for the user will have priority over these inherited allowed CIDRs.
External scopesOptional: Specify attributes of an external system to define the user groups that this scope should apply to. An example of external scopes could be an LDAP group for the user. Used in external authentication modes (e.g. openid, ldap). A user's external scopes must map to a single scope (local or global). See LDAP and Active Directory Integration and Abiquo OpenID Connect Integration

Scope entities


Enterprises to use in the scope. To automatically include all existing and future enterprises, select the options to Use all enterprises.

If this is a user's administration scope, then the user can manage resources in the list of enterprises selected. If this is a resource scope, then users can access the resources if they belong to the enterprises that are part of the scope

DatacentersSelect Datacenters to include in the scope. For scopes, datacenters can be private cloud datacenters and/or public cloud regions. To automatically include all existing and future datacenters, select the options to Use all datacenters. If this is a user's administration scope, then the user can manage resources in the list of datacenters selected. Resource scopes do not use the datacenters list

After you create a scope, you can assign it to a user, an enterprise, or a resource.

Create a scope for a tenant and its users

Generally, a user should only be able to access their own tenant enterprise and its resources. The most basic scope is a single enterprise scope that contains the user's enterprise.

To create a basic scope and assign it to a tenant and the tenant's users:

  1. Create the tenant enterprise. 
    1. On the General tab, for the Default scope, select Global scope
  2. Create a scope for the tenant
    1. On the General info tab, select a parent scope, for example, the Global scope or a reseller scope
    2. Go to the Entities tab. In the Enterprises list, select the tenant enterprise
    3. In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) where the users will work
  3. Edit the tenant enterprise and on the General tab for the Default scope select the tenant's scope

When an administrator creates users in the tenant, the platform will automatically suggest the tenant's enterprise scope for these users.

If you also assign this scope to an enterprise administrator in this tenant, they will be able to manage the tenant's users only.

Create a scope for an administrator

The default cloud administrator with the default Global Scope can manage all resources. To restrict the set of resources that an administrator can manage, create a scope and assign it to the administrator. An administrator (with privileges and allowed datacenters):
  • can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates for an enterprise in scope)
  • can manage enterprises and users of the enterprises that are in their scope

To create a basic administrator scope:

  1. Create a scope for the administrator
    1. On the General info tab, optionally select a parent scope, for example, the Global scope or a reseller scope
    2. Go to the Entities tab. In the Enterprises list, select the enterprises to administer
    3. In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) to administer

 For example, for a Managed Service Provider in Spain, with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:

  • User scope for datacenters:
    • An administrator for "Spain" with a scope to access to all the Spanish datacenters
    • An administrator for "Eastern Spain" with a scope to access the datacenters in Barcelona and Valencia (the cities on the east coast of Spain)
  • User scopes for enterprises:
    • An administrator for Spain may have a scope to access the top-level "Spanish HQ" to manage its users and resources. This scope may be the parent of one or more scopes to group users for management and resource sharing


  • If allowed datacenters are not in scope, the administrator can work in them as a regular user (e.g. create virtual datacenters, deploy VMs) 
  • If enterprises are in a child scope, the administrator can share catalog resources with them

Create a scope to share resources

The resources in the Catalog (Apps library) include images (VM templates) and blueprints (VApp specs).

You may wish to create and maintain a group of core resources and share these with many tenants.

To share a catalog resource:

  1. Create administrator roles with the appropriate privileges to manage the resources
    • To share resources, an administrator must also be able to switch enterprises
  2. Define and create scopes as required
    • The resource scopes should contain the enterprises that will access the resource
      • The platform allows the user to work with a resource if the user is in a tenant enterprise in the resource's scopes. The platform does not check the user's scope
    • To share resources with ALL current and future tenants, use the default Global scope or create an unlimited enterprise scope
    • To allow an administrator to share resources and manage the tenants, add the tenants to the administrator's scope
    • To allow an administrator to share resources without access to the tenants, add the tenants to one or more scopes, and make the administrator's scope the parent scope
  3. Log in to the enterprise that owns the resources
    • To modify VM templates, the administrator must be in the enterprise that created the template
    • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec
  4. Edit a resource and go to Scopes
  5. Select the scopes that contain tenants who will use the resources


  • You can share resources with your own scope and child scopes of your scope
  • Each tenant can belong to more than one scope
  • Each scope can have one parent scope only
  • The platform will only consider the enterprises in the resource scopes, not the locations

Assign scopes to create a reseller hierarchy

To create a reseller hierarchy for billing, pricing, and management and aggregation of costs and usage, assign scopes to reseller and key node enterprises. A key node is the main enterprise for an organization, for example, the head office. 

The parent scopes and the reseller and key node enterprises define the hierarchy levels.  

  1. Go to Users → Enterprises
  2. Edit an enterprise to make it a Reseller or Key node enterprise for its scope 
  3. Assign the scope as the Default scope for this enterprise 

Administrators can share VM templates and VApp specs with users in scopes beneath their own scope. 

  • Scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and Central and Southern Spain and then their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization but they can share templates and Vapp specs with tenants in the scopes at all levels of the hierarchy.
  • Reseller: A reseller enterprise in the hierarchy can use partner or reseller credentials for public cloud and manage billing and pricing for their hierarchy. 
  • Key node: A key node enterprise can obtain aggregate billing and usage data for their hierarchy

     Click here to show/hide the hierarchy diagram

Modify a scope

Notes about modifying scopes:

  • You cannot remove an enterprise from a scope that is using shared templates with that scope
  • You cannot modify the default Global scope
  • You cannot modify your own scope
  • In a scope hierarchy, there can only be one reseller and one key node in the scope, which is the enterprise's default scope

Pricing scopes

When a user creates a pricing model, the platform assigns the user's scope that applies to enterprises. Only users with the same enterprise scope can manage the pricing model. All users with pricing privileges can view the pricing model of their own enterprise. You cannot change the pricing scope or display it in the UI.

Manage scopes with the API

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource ScopesResource.

Related pages

  • No labels