In the dialog to create a user, Abiquo displays the enterprise’s default scope as the first element in the dropdown list. An administrator with the privilege to manage all enterprises and an unlimited scope (global or all enterprises) can assign any scope, whereas one with a limited scope can assign their own scope, lower scopes (child scopes of their scope), or the enterprise’s default scope. A user without the privilege to manage all enterprises can assign their own scope or the enterprise default scope.

The administrator with scope privileges can view their own scope, and view and manage the child scopes beneath their scope in the scope hierarchy.

The administrator cannot delete a scope if it is the default for an enterprise. 

Scope hierarchies

Abiquo 4.0 also introduces scope hierarchies that enable administrators to share resources (such as VM templates and VApp specs) with tenants at lower levels without having them in their scope. All scopes except unlimited scopes can have a parent, which defines their position in the hierarchy.

So for example, the following diagram shows a scope hierarchy. Administrators create this hierarchy by assigning a parent to each scope. The unlimited global scope is the root parent scope.

Because this is a multinational MSP, the national scopes include all the resellers in each of the national units. The national administrators will manage the national reseller users.

Each reseller will have a scope to include their enterprise customers, and each enterprise will have one for their own tenants, which may be business units, or departments, such as the development team and the web team. The users of these teams can be managed by the administrator with a global scope, for example, with automatic user creation. Or they can be managed by the IT team of the enterprise tenant, because they are within their scope.

Administrators can also create scopes for resource sharing, for example, when templates of a particular type are used by a specific tenant type, such as web teams. In the following diagram, an administrator with scope privileges has created the Web scope, which is a list of web team tenants, and they can assign it to web templates to easily share them with all of the web teams in their hierarchy. There can be multiple branches of the hierarchy and a user can access all branches below their scope.

An administrator with scope privileges in scopes that are beneath their scopes in the hierarchy, but to manage only the tenants within their own scope.

The concept of the scope hierarchy is flexible and its implementation is optional, because you can just create a single level with all scopes under the global scope. Also an enterprise can belong to more than one scope, which means that an administrator could create an enterprise hierarchy and then another scope for sharing templates of a specific type only with a group of tenants that will use that template.

How do I create a scope hierarchy?
An administrator with scope privileges and the “Allow user to switch enterprises” privilege can create a hierarchy by assigning a parent scope to any scope except an unlimited scope. (An unlimited scope is the Global scope or a Use all enterprises or Use all datacenters scope.)

An administrator with the “Allow user to switch enterprises” privilege can view their own scope and manage child scopes beneath their own scope.

What happens when I create an enterprise?
When an administrator creates a new tenant, this tenant is automatically added to the administrator’s scope, so it also becomes part of the existing hierarchy. Later a higher-level administrator can move this tenant to another scope in a different part of the hierarchy.

Does an administrator need to have their own enterprise in scope?
An administrator can belong to an enterprise that is not included in their own scope, which means that generally, they cannot manage this enterprise to add new users, manage credentials, and so on. But an administrator will usually have access to the Apps library of their own enterprise without having the enterprise in scope, which is determined by their Apps library privileges, allowed datacenters, and datacenter scope. To share resources, such as VM templates and VApp specs, with enterprises in their child scopes, an administrator will need the “Allow user to switch enterprises” privilege.

Which users can access shared resources?
As in previous versions, all users whose enterprises are listed in the resource scopes can access a shared resource, such as a VM template or VApp spec.

Which administrators can manage shared resources?
To manage shared resources, users must have the following:
Feature privileges (e.g. Manage VM templates in the Apps library)
“Allow user to switch enterprises” privilege
Full datacenter access (Allowed datacenter and Datacenter scope)
For virtual appliance specs, users must be logged in to the spec enterprise

Is there any difference between administrator access?
All administrators that can manage a shared resource can edit that resource. The only difference between users with a higher or lower scope is the number of scopes they can select from. If a user with a lower scope modifies scopes, this will not affect any higher scopes that are assigned to the template.

What default access will tenant administrators have?
By default, tenant administrators do not have the Allow user to switch enterprises privilege. This means that they can only work with local resources in their own enterprise and Abiquo will not display the Scopes tab when they edit a template or spec.


Which scopes can an administrator assign or unassign from shared resources?
An administrator can manage the following scopes:
Own scope
Enterprise default scope
Child scopes beneath their scope in the hierarchy
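
The scope rules above, sketched as a small Python model (an added example, not Abiquo code; the class, function and scope names are hypothetical). It computes which scopes an administrator can assign or unassign, and shows that an edit by a lower-scope administrator leaves higher scopes on a shared resource untouched.

```python
# Added illustration: a toy model of the scope rules described on this page.
# Class, function and scope names are hypothetical, not Abiquo's API.
from dataclasses import dataclass, field


@dataclass
class Scope:
    name: str
    parent: "Scope | None" = None          # unlimited scopes have no parent
    unlimited: bool = False
    enterprises: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.unlimited and self.parent is not None:
            raise ValueError("an unlimited scope cannot have a parent")
        if self.parent is not None:
            self.parent.children.append(self)

    def descendants(self):
        """All child scopes beneath this scope, across every branch."""
        for child in self.children:
            yield child
            yield from child.descendants()


def manageable_scopes(own, enterprise_default):
    """Own scope, enterprise default scope, and child scopes beneath own."""
    return {own.name, enterprise_default.name} | {s.name for s in own.descendants()}


def update_resource_scopes(current, admin_can_manage, selection):
    """Apply an admin's new selection; scopes they cannot manage stay as they were."""
    rejected = selection - admin_can_manage
    if rejected:
        raise PermissionError(f"not manageable: {sorted(rejected)}")
    return (current - admin_can_manage) | selection


# Constructed hierarchy, loosely following the MSP example in the text.
GLOBAL = Scope("Global", unlimited=True)
SPAIN = Scope("Spain", parent=GLOBAL)
RESELLER_A = Scope("Reseller A", parent=SPAIN)
ACME = Scope("Acme", parent=RESELLER_A, enterprises={"Acme Dev", "Acme Web"})
UK = Scope("UK", parent=GLOBAL)
```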


The following diagram shows an example of a scope hierarchy.

The following screenshot shows an administrator that can manage two national resellers.

...

These resellers have customers with their own departments, but this administrator cannot manage them. However, the national administrator can share templates with tenants at lower levels in the scope hierarchy.