In Abiquo, user scopes are administrator access lists: scopes control the cloud locations (datacenters and public cloud regions) and tenants (Abiquo enterprises) that an administrator can manage. Scopes can also only allow the tenants in a scope to access a resource with this scope, so administrators can use resource scopes to share virtual machine templates and virtual appliance spec blueprints. Abiquo 4.0 introduces user scopes and scope hierarchies.

User scopes

In Abiquo 4.0, administrators assign scopes to users, instead of to roles as in previous versions. To make it easier to create multiple users with scopes, tenants now have a default scope.

Abiquo 4.0 also introduces scope hierarchies to enable administrators to share resources with tenants under their tenants, but without allowing the administrators to manage all tenants.

It is important to remember that an administrator can belong to an enterprise that is not included in their administration scope. This enables the administrator to work with the resources of the enterprise as an ordinary user but not to perform administration tasks. For example, the user cannot access the Apps library to manage templates unless the enterprise is in their scope.

Manage tenants

During the upgrade, Abiquo will assign role scopes to users with that role. In previous versions, the default scope for all roles was the global scope.

To make it easier to create multiple users with the same scope, Abiquo tenants will now have a default scope that Abiquo will assign to the tenant’s users. When an administrator creates a tenant, Abiquo assigns the administrator’s scope as the enterprise default scope. Abiquo also adds the new tenant to the administrator’s scope.

When the administrator edits the new enterprise, the edit dialog will display the default scope. The administrator can change the default scope to any other scope that includes the enterprise. If an administrator changes the enterprise’s default scope, it will apply to all new users.

When you create an enterprise, it is impossible to have previously created a scope containing that enterprise. So Abiquo manages this situation by adding the new enterprise to the administrator’s scope and assigning that scope as the default for the enterprise. The administrator can later edit the enterprise and change the default scope depending on their own scope.

Manage users

In the dialog to create a user, Abiquo displays the enterprise default scope as the first element in the dropdown list. The administrator can set another scope for the user, depending on their own scope. An administrator with an unlimited scope (global or all enterprises) can assign an unlimited scope, or any limited scope that contains the user’s enterprise, whereas one with a limited scope can only assign lesser scopes, except for the enterprise default scope. If the administrator has a limited scope and they are editing a user with a greater scope, then they can only change the scope to the lower scopes (child scopes of their scope) or the enterprise default scope.

Manage scopes

The administrator cannot delete a scope if it is the default for an enterprise. The administrator cannot remove an enterprise from a scope if the scope is the default for an enterprise.

...

A cloud administrator can create a hierarchy of scopes for sharing resources with lower levels. Alternatively, tenants may create enterprises that are automatically added to their scope, and as a result, they are also added to the hierarchy, but not to the parent scopes.

 

When creating a scope, an administrator with an unlimited scope can select a parent scope and create a hierarchy of different levels of scopes. When an administrator with a limited scope creates a scope, it can only be a lesser scope.

The tenants in the child scope do not need to be included in the parent scope, if the administrator does not need to manage these tenants (e.g. edit enterprise, manage users, and so on). 

For example, an enterprise may have two enterprises in scope. But the enterprise's scope may be the parent scope of other scopes.   

A user with a parent scope may share resources with enterprises (tenants) included in all lower child scopes, even if these enterprises are not included in the parent scope, meaning that the parent scope enterprises cannot manage these enterprises.  

A user with a lower child scope may share resources with its lower child scopes.
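
The rules above separate two rights: managing a tenant requires the tenant to be in the administrator's own scope, while sharing reaches every tenant in the scope and all lower scopes. The following Python model is an added illustration, not Abiquo code or its API; the class, the function names and the sample hierarchy are assumptions made for the example, and sharing from an unlimited scope is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)  # identity comparison; avoids recursing through parent/children
class Scope:
    name: str
    enterprises: frozenset = frozenset()
    parent: Optional["Scope"] = None
    unlimited: bool = False  # global / all-enterprises scope
    children: list = field(default_factory=list, repr=False)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def lower_scopes(self):
        """Every scope below this one in the hierarchy."""
        found = []
        for child in self.children:
            found.append(child)
            found.extend(child.lower_scopes())
        return found

def can_manage(admin_scope, enterprise):
    """Administration tasks require the enterprise in the admin's own scope."""
    return admin_scope.unlimited or enterprise in admin_scope.enterprises

def share_targets(owner_scope):
    """Tenants a limited scope can share with: its own plus all lower scopes."""
    targets = set(owner_scope.enterprises)
    for scope in owner_scope.lower_scopes():
        targets |= scope.enterprises
    return targets

def assignable_scopes(admin_scope, enterprise, default_scope, all_scopes):
    """Scopes an administrator may set on a user of `enterprise`."""
    if admin_scope.unlimited:
        return [s for s in all_scopes if s.unlimited or enterprise in s.enterprises]
    lower = [s for s in admin_scope.lower_scopes() if s is not default_scope]
    return [default_scope] + lower

# Constructed sample hierarchy (all names are made up for this example).
GLOBAL = Scope("Global", unlimited=True)
RESELLER = Scope("Reseller", frozenset({"ResellerCo", "ResellerLab"}))
CUSTOMERS = Scope("Customers", frozenset({"CustA", "CustB"}), parent=RESELLER)
DEPTS = Scope("CustA-Depts", frozenset({"CustA-Dev"}), parent=CUSTOMERS)
ALL_SCOPES = [GLOBAL, RESELLER, CUSTOMERS, DEPTS]

if __name__ == "__main__":
    print("Reseller manages CustA:", can_manage(RESELLER, "CustA"))
    print("Reseller can share with:", sorted(share_targets(RESELLER)))
```

When reviewing a real hierarchy, the gap between `share_targets` and `can_manage` for a given scope is the set of tenants that receive shared templates from administrators who cannot administer them.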
