Abiquo Documentation Cookies Policy

Our Documentation website uses cookies to improve your experience. Please visit our Cookie Policy page for more information about cookies and how we use them.

Abiquo 4.7

Skip to end of metadata
Go to start of metadata

Manage scopes page

Changes to scopes from Abiquo 4.0

  • Now administrators assign scopes to Abiquo users. In previous versions, administrators assigned scopes to Abiquo roles and the global scope was the default
    • During the upgrade process to version 4.0, Abiquo assigns role scopes to users
  • All enterprises must now have a default scope for creating users
  • Administrators can now create optional hierarchies of scopes and share resources, such as templates and specs, with tenants at lower levels of their hierarchies

Scope concepts

A Scope is an access list that contains a list of resources (enterprises and/or datacenters) to allow access.

You can use scopes to:

  1. Create restricted sets of resources for administrators
  2. Share resources with a group of tenants and an optional tenant hierarchy

So a typical use case for scopes would be on a platform with resellers.

Create a restricted set of resources for administrators

To create an administrator that can view and manage a restricted set of a resources:

  1. Create a scope and select the appropriate resources
  2. Assign the scope to the user

The user can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates). An administrator can manage enterprises and users of the enterprises that are in their scope.

Troubleshooting and Tips

  • The user must also have the other required permissions (privileges and allowed datacenters). 
  • A user can work in allowed datacenters (e.g. create virtual datacenters, deploy), even if the datacenters are not in their scope.

Share resources with a group of tenants and an optional tenant hierarchy

To share a resource (such as a VM template or VApp spec) with a group of tenants:

  1. Create scopes
    1. Select the enterprises that can access the resource
    2. Optionally select a parent scope to create a hierarchy
  2. Assign the scopes to the resource

The users of the enterprises listed in the scopes can access the resource, if they have the other required permissions

Troubleshooting and Tips

  • Administrators can share VM templates and VApp specs with users in scopes beneath their own scope
  • Administrators cannot manage the enterprises that are not directly in their user scope
  • You can assign a user's scope to resources to share the resources with the enterprises in the scope. The platform will only consider the enterprises in the scope, not the locations
  • The platform will only check if a user's enterprise is in a resource's scope. It will not consider the user's scope to determine if they can access a resource
  • Examples of other access limitations:
    • To modify VM templates, the administrator must be in the enterprise that created the template
    • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec

Unlimited scope types

The Global scope is the default scope for the cloud administrator that always includes all resources and you cannot modify it. 

You can also create unlimited scopes, that will allow all current and future enterprises and/or all current and future locations. An unlimited scope has new resources added automatically in its unlimited dimensions. Only a user with an unlimited scope can create an unlimited scope in the same dimensions as their scope.

Pricing scopes

When a user creates a pricing model, the platform assigns the user's scope for tenants. Only users with the same tenant scope can manage the pricing model. All users with pricing privileges can view the pricing model of their tenant. You cannot change the pricing scope or display it in the UI

Scope example

The following screenshot shows a scope with enterprises and a child scope

Scope use cases

A global managed service provider could create a scope for country or region. For example, in Spain, with datacenters in Madrid, Barcelona, Valencia and Seville.

  • User scope for datacenters: An administrator for Spain would have access to all the Spanish datacenters, but the administrator for Eastern Spain would only have access to Barcelona and Valencia, which are on the east coast of Spain.
  • User scopes for enterprises: The administrator for Spain may have scope for Spain that only includes the top-level Spanish national organization to manage its users and resources.
  • Scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and Central and Southern Spain and then their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization but they can share templates and Vapp specs with tenants in the scopes at all levels of the hierarchy.

Diagram: an example of a scope hierarchy

 Click here to show/hide the diagram


Managing Scopes

Privilege: Manage scopes, Allow user to switch enterprises

To manage scopes, go to Users → Scopes. 

Create or Modify a Scope

To create or modify a scope do these steps:

  1. Click the add or edit button
  2. Enter the scope name
  3. Optional: to add the scope to a hierarchy, select a parent scope. We recommend that under a hierarchy with limited scopes you should not select Use all enterprises or Use all datacenters
  4. Select enterprises and datacenters to include in the scope
    • The options to Use all enterprises or Use all datacenters will automatically include new enterprises or datacenters  

Screenshot: an unlimited enterprises and datacenters scope.

 Click here to show/hide the screenshot

To change an unlimited scope to a limited scope, first unselect the Select all checkbox, then select individual resources. 

After you create or modify a scope, you can assign it to a user or a resource.


  • You cannot remove an enterprise from a scope that is using shared templates with that scope.
  • You cannot modify the default Global scope.
  • You cannot modify your own scope.

Delete a scope

To delete a scope, select it in the list and click the delete button.


  • You cannot delete the default Global scope.
  • You cannot delete your own scope. 
  • You cannot delete a scope if it is in use in certain circumstances, for example, if it is the default for an enterprise, or it is assigned to a shared template that is in use by an enterprise.

 Click here to show/hide the screenshot

Manage scopes with the API

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource ScopesResource.

Related pages

  • No labels