...

Note: Changes to scopes from Abiquo 4.0
  • Now administrators assign scopes to Abiquo users. In previous versions, administrators assigned scopes to Abiquo roles and the global scope was the default
    • During the upgrade process to version 4.0, Abiquo assigns role scopes to users
  • All enterprises must now have a default scope for creating users
  • Administrators can now create optional hierarchies of scopes and share resources, such as templates and specs, with tenants at lower levels of their hierarchies


Scope concepts

...

Scope example

Screenshot (image not included): a scope with enterprises and a child scope

Scope use cases

...

A scope is an access list of resources (enterprises and/or datacenters) to which access is allowed.

You can use scopes to:

  1. Create restricted sets of resources for administrators
  2. Share resources with a group of tenants and an optional tenant hierarchy

A typical use case for scopes would be on a platform with resellers.

...


Create a scope

See the page: Create a scope for users or resources


...


Assign scopes

You can assign a scope to one or more entities to restrict access, share resources, or to create a hierarchy, as described here.

...


To restrict administrator access to resources, assign a scope to the administrator's user account:

  • The administrator can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates). An administrator can manage enterprises and users of the enterprises that are in their scope.

    Note: Troubleshooting and Tips
    • The user must also have the other required permissions (privileges and allowed datacenters). 
    • A user can work in allowed datacenters (e.g. create virtual datacenters, deploy), even if the datacenters are not in their scope.


For example, consider a Managed Service Provider in Spain with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:

  • User scope for datacenters:
    • An administrator for "Spain" with a scope to access all the Spanish datacenters
    • An administrator for "Eastern Spain" with a scope to access Barcelona and Valencia (on the east coast of Spain)
  • User scopes for enterprises:
    • An administrator for Spain may have a scope to access the top-level "Spanish HQ" to manage its users and resources. This scope may be the parent of one or more scopes to group users for management and resource sharing

...


To share resources (templates, VApp specs) with users of other enterprises, assign one or more scopes to the resource:

  1. The scopes contain the enterprises that can access the resource
    1. The user can also select child scopes to share resources with their users

The users of the enterprises listed in the scopes can access the resource if they have the other required permissions.

Note: Troubleshooting and Tips
  • If there is a hierarchy, administrators can share VM templates and VApp specs with users in scopes beneath their own scope
  • Administrators cannot manage the enterprises that are not directly in their user scope
  • You can assign a user's scope to resources to share the resources with the enterprises in the scope. The platform will only consider the enterprises in the scope, not the locations
  • The platform will only check if a user's enterprise is in a resource's scope. It will not consider the user's scope to determine if they can access a resource
  • Examples of other access limitations:
    • To modify VM templates, the administrator must be in the enterprise that created the template
    • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec
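
The rules in this note can be modelled in a few lines. The following sketch is an added example, not Abiquo code or its API: the class and function names, the "East Reseller" and "Customer A" enterprises, and the sample data are constructed for illustration. Treating scopes outside an administrator's own subtree as not shareable is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Scope:
    name: str
    enterprises: set = field(default_factory=set)
    datacenters: set = field(default_factory=set)
    parent: "Scope | None" = None

    def is_beneath(self, other):
        """True if this scope is `other` or one of its descendants."""
        node = self
        while node is not None:
            if node is other:
                return True
            node = node.parent
        return False

@dataclass
class User:
    enterprise: str
    scope: Scope

@dataclass
class Resource:
    owner_enterprise: str
    scopes: list = field(default_factory=list)  # scopes assigned to the resource

def can_manage_enterprise(admin, enterprise):
    # Management needs the enterprise directly in the admin's own scope.
    return enterprise in admin.scope.enterprises

def can_share_to(admin, scope):
    # Sharing may target the admin's scope or any scope beneath it (assumed limit).
    return scope.is_beneath(admin.scope)

def shared_with(user, resource):
    # Only the user's enterprise is checked; user.scope and datacenters are ignored.
    return any(user.enterprise in s.enterprises for s in resource.scopes)

def can_modify_template(admin, template):
    # The administrator must be in the enterprise that created the template.
    return admin.enterprise == template.owner_enterprise

# Constructed sample data based on the Spain example (hypothetical tenants).
SPAIN = Scope("Spain", {"Spanish HQ"}, {"Madrid", "Barcelona", "Valencia", "Seville"})
EAST = Scope("Eastern Spain", {"East Reseller"}, {"Barcelona", "Valencia"}, parent=SPAIN)
CUSTOMERS = Scope("East customers", {"Customer A"}, parent=EAST)
spain_admin = User("Spanish HQ", SPAIN)
east_admin = User("East Reseller", EAST)
template = Resource("Spanish HQ", [EAST, CUSTOMERS])
```

A user whose own scope is broad still gets no access unless their enterprise is listed in one of the resource's scopes, which is the case to check when auditing who can see a shared template.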


...

To create a reseller hierarchy, assign the scope to an enterprise as its default scope:

  1. The parent scopes define the hierarchy levels
  2. Each scope can have one reseller and/or one key node

The resellers and key nodes are for management and aggregation of costs and usage. Administrators can share VM templates and VApp specs with users in scopes beneath their own scope. 

  • Scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and for Central and Southern Spain, with their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization, but they can share templates and VApp specs with tenants in the scopes at all levels of the hierarchy.

Diagram: an example of a scope hierarchy


Managing Scopes

Privilege: Manage scopes, Allow user to switch enterprises

To manage scopes, go to Users → Scopes. 

Create or Modify a Scope

To create or modify a scope, follow these steps:

  1. Click the add or edit button
  2. Enter the scope name
  3. Optional: to add the scope to a hierarchy, select a parent scope. In a hierarchy with limited scopes, we recommend that you do not select Use all enterprises or Use all datacenters
  4. Select enterprises and datacenters to include in the scope
    • The options to Use all enterprises or Use all datacenters will automatically include new enterprises or datacenters

Screenshot (image not included): an unlimited enterprises and datacenters scope.

...

After you create or modify a scope, you can assign it to a user or a resource.

Note: Troubleshooting
  • You cannot remove an enterprise from a scope if the enterprise is using templates shared with that scope.
  • You cannot modify the default Global scope.
  • You cannot modify your own scope.

Delete a scope

To delete a scope, select it in the list and click the delete button.

Note: Troubleshooting
  • You cannot delete the default Global scope.
  • You cannot delete your own scope. 
  • You cannot delete a scope if it is in use in certain circumstances, for example, if it is the default for an enterprise, or it is assigned to a shared template that is in use by an enterprise.
  • Reseller: A reseller enterprise in the hierarchy can use partner or reseller credentials for public cloud and manage billing and pricing for their hierarchy. 
  • Key node: A key node enterprise can obtain aggregate billing and usage data for their hierarchy

  • Scope hierarchy diagram (image not included)


...


Manage scopes with the API


...


Related pages