Changes to scopes from Abiquo 4.0
- Now administrators assign scopes to Abiquo users. In previous versions, administrators assigned scopes to Abiquo roles and the global scope was the default
- During the upgrade process to version 4.0, Abiquo assigns role scopes to users
- All enterprises must now have a default scope for creating users
- Administrators can now create optional hierarchies of scopes and share resources, such as templates and specs, with tenants at lower levels of their hierarchies
A Scope is an access list that contains a list of resources (enterprises and/or datacenters) to allow access.
You can use scopes to:
- Create restricted sets of resources for administrators
- Share resources with a group of tenants and an optional tenant hierarchy
- Create a tenant hierarchy for pricing, billing, and cost and usage aggregation, which is useful for resellers and large organizations
Create a scope
Scopes are access lists for users, enterprises, and/or resources. They can also define hierarchies for accounting and billing aggregation.
Privilege: Manage scopes, Allow user to switch enterprises
To create a scope do these steps:
- Go to Users → Scopes
- Click the add or edit button
- Enter the scope name
- Optional: to add the scope to a hierarchy, select a parent scope. We recommend that under a hierarchy with limited scopes you should not select Use all enterprises or Use all datacenters
- Select enterprises and datacenters to include in the scope
- To automatically include all existing and future enterprises or datacenters, select the options to Use all enterprises and/or Use all datacenters
- When a scope applies to resources, the platform only uses the Enterprises list
After you create a scope, you can assign it to a user, an enterprise, or a resource.
Assign a scope to restrict administrator access
To restrict an administrator's access to resources:
- Go to Users → Create or Edit user
- Assign a scope
The administrator can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates). An administrator can manage enterprises and users of the enterprises that are in their scope.
Troubleshooting and Tips
- The user must also have the other required permissions (privileges and allowed datacenters).
- A user can work in allowed datacenters (e.g. create virtual datacenters, deploy), even if the datacenters are not in their scope.
For example, a Managed Service Provider in Spain, with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:
- User scope for datacenters:
- An administrator for "Spain" with a scope to access to all the Spanish datacenters
- An administrator for "Eastern Spain" with a scope to access Barcelona and Valencia (on the east coast of Spain)
- User scopes for enterprises:
- An administrator for Spain may have a scope to access the top-level "Spanish HQ" to manage its users and resources. This scope may be the parent of one or more scopes to group users for management and resource sharing
Screenshot: an administrator with the default Global scope has access to all enterprises and datacenters.
Assign scopes to share resources
To share resources (templates, VApp specs) to users of other enterprises,
- Create scopes that contain the enterprises that will access the resource
- Edit the resource and assign one or more scopes
- You can select scopes and their child scopes to share resources to their users
The users of the enterprises listed in the scopes can access the resource, if they have the other required permissions
Troubleshooting and Tips
- If there is a hierarchy, administrators can share VM templates and VApp specs with users in scopes beneath their own scope
- Administrators cannot manage the enterprises that are not directly in their user scope
- You can assign a user's scope to resources to share the resources with the enterprises in the scope. The platform will only consider the enterprises in the scope, not the locations
- The platform will only check if a user's enterprise is in a resource's scope. It will not consider the user's scope to determine if they can access a resource
- Examples of other access limitations:
- To modify VM templates, the administrator must be in the enterprise that created the template
- To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec
Assign scopes to create a reseller hierarchy
To create a reseller hierarchy for billing, pricing, and management and aggregation of costs and usage, assign scopes to reseller and key node enterprises. A key node is the main enterprise for an organization, for example, the head office.
The parent scopes and the reseller and key node enterprises define the hierarchy levels.
- Go to Users → Enterprises
- Edit an enterprise to make it a reseller or key node enterprise for its scope
- Assign the scope as the default scope for this enterprise
Administrators can share VM templates and VApp specs with users in scopes beneath their own scope.
Modify a scope
Notes about modifying scopes:
- You cannot remove an enterprise from a scope that is using shared templates with that scope
- You cannot modify the default Global scope
- You cannot modify your own scope
- In a scope hierarchy, there can only be one reseller and one key node in the scope, which is the enterprise's default scope
When a user creates a pricing model, the platform assigns the user's scope that applies to enterprises. Only users with the same enterprise scope can manage the pricing model. All users with pricing privileges can view the pricing model of their own enterprise. You cannot change the pricing scope or display it in the UI.
Manage scopes with the API