A resource scope is a scope that is assigned to a resource, such as a VM template or a VApp spec, and it controls resource sharing. Resources can usually have multiple scopes that work in conjunction with other access controls. For example, for administrators these are user role privileges, enterprise allowed datacenters, and user scope.

The administrator assigns the scopes to the resource itself and Abiquo gets the list of enterprises in the scopes and allows the users of those enterprises to access the resource. If the scopes are part of a hierarchy, then an administrator can share resources by selecting child scopes that are beneath their scope in the hierarchy.

For example, for virtual machine templates, the template scopes define a list of tenants whose users can access a shared template.

Pricing scope for pricing models

Abiquo controls access to pricing models with a simple resource scope, according to these rules:

Scope concepts

Concept: Scope
Description:
  • A list of resources (enterprises and/or datacenters) for access control

Concept: User scope
Description:
  • The list of resources (datacenters and enterprises) that the user can view and manage.
  • The user must also have the other required permissions (privileges and allowed datacenters)
Notes: A user can deploy in allowed datacenters, even if they are not in their scope. An administrator can manage users of the enterprises that are in their scope.

Concept: Resource scope
Description:
  • The list of enterprises whose users can access the resource, if they have the other required permissions
  • Administrators select a set of scopes to share a resource with users of the enterprises listed in the scopes
Notes: Used to share VM templates and VApp specs. An administrator can select their own scope, and scopes underneath their scope in the scope hierarchy.

Concept: Scope hierarchy
Description:
  • A parent scope and one or more child scopes
  • Used for sharing resources to tenants that are underneath the administrator's scope
Notes: Administrators can share VM templates and VApp specs with users in scopes beneath their own scope. But they cannot manage the enterprises that are not directly in their user scope.

Concept: Global scope
Description:
  • The default scope for the cloud administrator that always includes all resources and cannot be modified

Concept: Unlimited scopes
Description:
  • The global scope
  • Use all enterprises checkbox selected - ALL current and future enterprises
  • Use all datacenters checkbox selected - ALL current and future datacenters
Notes: An unlimited scope cannot have a parent scope. It must be at the top of a scope hierarchy. An unlimited scope has new resources added automatically in its unlimited dimensions. Only a user with an unlimited scope can create an unlimited scope in the same dimensions as their scope.

Concept: Pricing scope
Description:
  • When a user creates a pricing model, the platform assigns the user's scope for tenants.
  • Only users with the same tenant scope can manage the pricing models
  • All users with pricing privileges can view the pricing model of their tenant
  • You cannot change the pricing scope or display it in the UI


Scopes for VM templates and VApp specs

...

Changes to scopes in 4.0

The administrator can manage shared templates and specs with scopes if they have the Allow user to switch enterprises privilege and administrator access to the resource in the enterprise that owns it. The administrator can share a template or spec with their own scope, other available scopes, or a child scope in their hierarchy.


To share a template:

  1. Edit the template in the owner enterprise
  2. Add one or more available scopes

    • The global scope means that users from all current and future enterprises can access this template.

To share a spec:

  1. Create a spec or edit a spec in the owner enterprise
  2. Add one or more available scopes. 

Resource scope example

This example applies to template and spec scopes.


...

Scope hierarchy example

A scope hierarchy may include many levels, for example, a platform owner, resellers, customers, and departments.

In this case, the platform owner may manage global administrator users in their own scope. And then they may share templates and specs with other levels, for example, resellers and customers.

If the customers create their own scope hierarchy for their departments, then customers can share resources with the departments by scope. 

Resource scope summary

Q: Which administrators can edit templates or specs? 

A: Administrators in the owner enterprise (creator) with permissions to administer other enterprises

Q: How can admins share resources to users of other enterprises?

  • Assign scopes
  • Abiquo reads the list of enterprises in the scopes and allows users from these enterprises to use the resources
  • Administrators can share templates with scopes in their own scope and scopes below their scope in the scope hierarchy tree
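
The sharing rules summarized above can be checked with a small model. This is an added illustration, not Abiquo code or its API: the Scope and Resource classes, the share and can_access functions, and the enterprise names are hypothetical and constructed for the example. It models only sharing with the administrator's own scope or a scope beneath it, and only the resource-scope check (privileges and allowed datacenters are separate controls).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)  # scopes are compared by identity
class Scope:
    name: str
    enterprises: set = field(default_factory=set)
    all_enterprises: bool = False  # global scope / "Use all enterprises"
    parent: Optional["Scope"] = None

    def __post_init__(self):
        if self.all_enterprises and self.parent is not None:
            raise ValueError("an unlimited scope cannot have a parent scope")

    def includes(self, enterprise):
        # Unlimited scopes cover all current and future enterprises.
        return self.all_enterprises or enterprise in self.enterprises

    def is_at_or_below(self, other):
        node = self
        while node is not None:
            if node is other:
                return True
            node = node.parent
        return False

@dataclass(eq=False)
class Resource:  # a VM template or VApp spec
    name: str
    scopes: list = field(default_factory=list)

def share(resource, admin_scope, target):
    """Add a scope to a resource: the admin's own scope or one beneath it."""
    if not target.is_at_or_below(admin_scope):
        raise PermissionError(f"{target.name} is not under {admin_scope.name}")
    if target not in resource.scopes:
        resource.scopes.append(target)

def can_access(resource, user_enterprise):
    """Resource-scope check only; privileges and allowed datacenters are separate."""
    return any(s.includes(user_enterprise) for s in resource.scopes)

# Constructed hierarchy: platform owner > reseller > customers > department.
GLOBAL = Scope("Global", all_enterprises=True)
RESELLER = Scope("Reseller", {"reseller", "customer-a", "customer-b"}, parent=GLOBAL)
CUSTOMER_A = Scope("CustomerA", {"customer-a", "dept-a1"}, parent=RESELLER)
CUSTOMER_B = Scope("CustomerB", {"customer-b"}, parent=RESELLER)
DEPT_A1 = Scope("DeptA1", {"dept-a1"}, parent=CUSTOMER_A)
```

With this hierarchy, an administrator in CUSTOMER_A can share a template with DEPT_A1, while sharing it with the sibling scope CUSTOMER_B raises PermissionError.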