...
The concept of the scope hierarchy is flexible and its implementation is optional, because you can just create a single level with all scopes under the global scope. Also an enterprise can belong to more than one scope, which means that an administrator could create an enterprise hierarchy and then another scope for sharing templates of a specific type only with a group of tenants that will use that template.
How do I create a scope hierarchy?
An administrator with scope privileges permissions and the “Allow user to switch enterprises” privilege can create a hierarchy by assigning a parent scope to any scope except an unlimited scope. (An unlimited scope is the Global scope or a Use all enterprises or Use all datacenters scope).
What happens when I create an enterprise?
When an administrator creates a new tenant, this the administrator must set a default scope for the tenant. And the new tenant is automatically added to the administrator’s scope, so it becomes part of the existing hierarchy. Later Administrators can also assign this tenant to scopes they can access. If there is a higher-level administrator, they can move remove this tenant to another scope in a different part of the hierarchyfrom the creating administrator's scope.
Does an administrator need to have their own enterprise in scope?
An administrator can belong to an enterprise that is not included in their own scope, which means that they cannot manage some elements of this enterprise. However, But an administrator will usually have access to the Apps library, which is determined by their Apps library privileges, allowed datacenters, and datacenter scope. To share resources, such as VM templates and VApp specs, with enterprises in their child scopes, an administrator will need the “Allow user to switch enterprises” privilege.
Which users can access shared resources?
As in previous versions, all users whose enterprises are listed in the resource scopes can access a shared resource, such as a VM template or VApp spec.
Which administrators can manage shared resources?
To manage shared resources, users must have the following:
- Feature privileges (e.g. Manage virtual appliance specs, Mange VM templates in the Apps library)
- Allow user to switch enterprise privilege
- Full datacenter access (Allowed datacenter and Datacenter scope)
- For virtual appliance specs, users must be logged in to the spec enterprise
Is there any difference between administrator resource access?
All administrators that can manage access a shared resource with the appropriate privileges can edit that resource in the same way. The only difference between users with a higher or lower scope is the number of scopes they can select from. If a user with a lower scope modifies scopes, this will not affect any higher scopes that are assigned to the template.
What default access will tenant administrators have?
By default, tenant administrators do not have the Allow user to switch enterprises privilege. This means that they can only work with local resources in their own enterprise and Abiquo will not display the Scopes tab when they edit a template or spec.
Which scopes can an administrator assign or unassign from shared resources?
An administrator can manage the following scopes:
...