In Abiquo, user scopes are administrator access lists. A scope controls the cloud locations (datacenters and public cloud regions) and tenants (Abiquo enterprises) that an administrator can manage. A scope can also be assigned to a resource, so that the tenants in the scope can access that resource. Administrators therefore use resource scopes to share virtual machine templates and virtual appliance spec blueprints. Abiquo 4.0 introduces user scopes and scope hierarchies.
...
In the dialog to create a user, Abiquo displays the enterprise default scope as the first element in the dropdown list. An administrator with the privilege to manage all enterprises and an unlimited scope (global or all enterprises) can assign any scope, whereas one with a limited scope can assign only lower scopes (child scopes of their own scope) or the enterprise default scope.
Manage scopes
The administrator cannot delete a scope if it is the default for an enterprise.
The administrator cannot remove an enterprise from a scope if the scope
A user without the privilege to manage all enterprises can assign only their own scope or the enterprise default scope.
An administrator with scope privileges can view their own scope, and can view and manage the child scopes beneath their scope in the scope hierarchy.
Scope hierarchies
Abiquo 4.0 introduces the hierarchy of scopes so that administrators can share resources with tenants at lower levels without having those tenants in their own scope. All scopes except unlimited scopes can have a parent, which defines their position in the hierarchy.
For example, the following diagram shows a scope hierarchy. Administrators create this hierarchy by assigning a parent to each scope. The unlimited global scope is the root parent scope.
In this example the MSP is multinational, so the national scopes include all the resellers in each national unit, and the national administrators manage the national reseller users.
A cloud administrator can create a hierarchy of scopes for sharing resources with lower levels. Alternatively, tenants may create enterprises, which are automatically added to the creator's scope and so to the hierarchy, but not to the parent scopes.
When creating a scope, an administrator with an unlimited scope can select any parent scope and build a hierarchy with any number of levels. When an administrator with a limited scope creates a scope, it can only be a lower scope (a child of their own scope).
The tenants in a child scope do not need to be included in the parent scope if the administrator does not need to manage those tenants (edit the enterprise, manage its users, and so on).
For example, an administrator's scope may contain only two enterprises, while that same scope is the parent of other scopes.
A user with a parent scope may share resources with the enterprises (tenants) included in all lower child scopes, even if these enterprises are not included in the parent scope itself. Sharing is the only access this grants: because the enterprises are not in the parent scope, users with the parent scope cannot manage them.
A user with a lower child scope may, in turn, share resources with the child scopes beneath it.
Each reseller will have a scope to include their enterprise customers, and each enterprise will have one for its own tenants, which may be business units or departments, such as the development team and the web team. The users of these teams can be managed by the administrator with a global scope, for example with automatic user creation, or by the IT team of the enterprise tenant, because the teams are within the enterprise's scope.
Administrators can also create scopes purely for resource sharing, for example when templates of a particular type are used by a specific type of tenant, such as web teams. In the following diagram, an administrator with scope privileges has created the Web scope, which is a list of web team tenants, and can assign it to web templates to share them with all of the web teams in their hierarchy. There can be multiple branches of the hierarchy, and a user can access all branches below their scope.
An administrator with scope privileges can create a hierarchy by assigning a parent scope to any scope except an unlimited scope (Global scope or Use all enterprises or Use all datacenters scope).
An administrator with the “Allow user to switch enterprises” privilege can view their own scope and manage child scopes beneath their own scope. When an administrator creates a new tenant, this tenant is automatically added to the administrator’s scope, so it is also part of the existing hierarchy. Later a higher-level administrator can move this tenant to another scope in a different part of the hierarchy.
It is important to remember that an administrator can belong to an enterprise that is not included in their administration scope. In that case they generally cannot manage their own enterprise (add new users, manage credentials, and so on). However, administrators can always access the Apps library of their own enterprise without having the enterprise in scope; this access depends on the appropriate privileges, allowed datacenters, and datacenter scope. From the Apps library, administrators can also share resources with enterprises in their child scopes if they have the “Allow user to switch enterprises” privilege.
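The rules in the Scope hierarchies section (parents only for limited scopes, management of child scopes, sharing with every tenant in any lower scope, assignment of scopes to new users, and no deletion of an enterprise default scope) are easiest to check against a small model. The following Python is an added illustration written for this page, not Abiquo's code or API: scope names such as "uk", "reseller_a" and "web", the enterprise names, and the cycle check in is_valid_parent are assumptions of the model, and the hierarchy in build_example is constructed to match the multinational MSP example above.

```python
"""Illustrative model of Abiquo-style scope hierarchies (added example,
not Abiquo's own code). Scopes form a tree whose roots are unlimited
scopes; a user with scope S can view S, manage the scopes below S, and
share resources with every tenant in any scope below S, even when S
itself does not list those tenants (so S cannot manage them)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Scope:
    name: str
    enterprises: set = field(default_factory=set)  # tenants listed in the scope
    parent: Optional[str] = None                    # None for a root scope
    unlimited: bool = False                         # Global / all-enterprises scope


class ScopeHierarchy:
    def __init__(self):
        self.scopes = {}         # scope name -> Scope
        self.default_scope = {}  # enterprise -> its default scope name

    # ---- structure ----
    def add_scope(self, name, enterprises=(), parent=None, unlimited=False):
        self.scopes[name] = Scope(name, set(enterprises), None, unlimited)
        if parent is not None:
            self.set_parent(name, parent)
        return self.scopes[name]

    def is_valid_parent(self, name, parent):
        """Unlimited scopes take no parent. Rejecting a parent that is the
        scope itself or one of its descendants (a cycle) is an assumption of
        this model; the documentation does not spell it out."""
        if self.scopes[name].unlimited or parent not in self.scopes:
            return False
        return parent != name and parent not in self.descendants(name)

    def set_parent(self, name, parent):
        if not self.is_valid_parent(name, parent):
            raise ValueError(f"{parent!r} is not a valid parent for {name!r}")
        self.scopes[name].parent = parent

    def descendants(self, name):
        """Every scope below `name`, across all branches and levels."""
        found, frontier = set(), [name]
        while frontier:
            current = frontier.pop()
            for s in self.scopes.values():
                if s.parent == current and s.name not in found:
                    found.add(s.name)
                    frontier.append(s.name)
        return found

    def set_default_scope(self, enterprise, scope):
        self.default_scope[enterprise] = scope

    def create_enterprise(self, admin_scope, enterprise):
        """A tenant created by an admin lands in that admin's own scope."""
        self.scopes[admin_scope].enterprises.add(enterprise)

    # ---- authorisation checks ----
    def can_manage_enterprise(self, admin_scope, enterprise):
        """Edit the enterprise, manage its users, credentials, ...: the
        tenant must be listed in the admin's scope (or scope is unlimited)."""
        s = self.scopes[admin_scope]
        return s.unlimited or enterprise in s.enterprises

    def shareable_enterprises(self, admin_scope):
        """Tenants the admin may share templates/specs with: those in the
        admin's own scope plus those in any descendant scope."""
        if self.scopes[admin_scope].unlimited:
            return {e for s in self.scopes.values() for e in s.enterprises}
        below = {admin_scope} | self.descendants(admin_scope)
        return {e for s in below for e in self.scopes[s].enterprises}

    def can_share_with(self, admin_scope, enterprise):
        return enterprise in self.shareable_enterprises(admin_scope)

    def can_manage_scope(self, admin_scope, target):
        """Own scope is view-only; scopes beneath it are manageable."""
        s = self.scopes[admin_scope]
        return s.unlimited or target in self.descendants(admin_scope)

    def can_assign_scope(self, admin_scope, target, enterprise, manage_all):
        """Which scope an admin may give a new user of `enterprise`."""
        s = self.scopes[admin_scope]
        if manage_all and s.unlimited:
            return True                                     # any scope
        if target == self.default_scope.get(enterprise):
            return True                                     # enterprise default
        if manage_all:
            return target in self.descendants(admin_scope)  # lower scopes only
        return target == admin_scope                        # own scope only

    def can_delete_scope(self, name):
        return name not in self.default_scope.values()


def build_example():
    """Constructed multinational-MSP hierarchy: global -> national -> reseller
    -> customer -> departments, plus a 'web' resource-sharing scope."""
    h = ScopeHierarchy()
    h.add_scope("global", unlimited=True)
    h.add_scope("uk", {"ResellerA"}, parent="global")
    h.add_scope("reseller_a", {"Customer1"}, parent="uk")
    h.add_scope("customer1", {"DevTeam", "WebTeam"}, parent="reseller_a")
    h.add_scope("web", {"WebTeam"}, parent="reseller_a")  # list of web teams
    h.set_default_scope("Customer1", "customer1")
    return h
```

With build_example(), a "uk" administrator can share a template with WebTeam (it sits three levels down) but cannot manage WebTeam, can manage the "customer1" scope but only view "uk" itself, and cannot delete "customer1" while it is Customer1's default scope. The cycle check matters in practice: a scope tree that admits a loop would make "all branches below their scope" unbounded.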
The following screenshot shows an administrator that can manage two national resellers.
These resellers have customers, which have departments, but this administrator cannot manage them. However, the national administrator can share templates with tenants at lower levels in the scope hierarchy.