Introduction to scopes

A scope is an access list that contains the resources (enterprises and/or datacenters) to which access is allowed.

You can use scopes to:

  1. Create restricted sets of resources for administrators

  2. Share resources with a group of tenants and an optional tenant hierarchy

  3. Create a tenant hierarchy for pricing, billing, and cost and usage aggregation, which is useful for resellers and large organizations

You can also control access to features and resources in the platform with privileges and allowed locations.

...

Create a scope

You can use scopes as access lists for users, enterprises, and/or resources. You can also use them to define tenant hierarchies for accounting and billing aggregation.

Privileges: Manage scopes, Allow user to switch enterprises, Manage role and scope allowed CIDRs

To create a scope:

  1. Go to Users → Scopes

  2. Click the + add button

  3. Enter the details as described in the following table

| Field | Description |
| --- | --- |
| Name | The name of the scope |
| Parent scope | To optionally add the scope to a hierarchy, select a Parent scope. We recommend that under a hierarchy with limited scopes you should not select unlimited scopes (Use all enterprises and/or Use all datacenters) |
| Allowed CIDRs | To optionally create a default list of network addresses from which users with this scope can access the platform, enter Allowed CIDRs. You can also set allowed CIDRs for a role. The user will inherit the role and scope CIDRs. Any allowed CIDRs set directly for the user will have priority over these inherited allowed CIDRs. |
| External scopes | Optional: Specify attributes of an external system to define the user groups that this scope should apply to. An example of external scopes could be an LDAP group for the user. Used in external authentication modes (e.g. openid, ldap). A user's external scopes must map to a single scope (local or global). See LDAP and Active Directory Integration and Abiquo OpenID Connect Integration |

Scope entities

| Field | Description |
| --- | --- |
| Enterprises | Enterprises to use in the scope. To automatically include all existing and future enterprises, select the options to Use all enterprises. If this is a user's administration scope, then the user can manage resources in the list of enterprises selected. If this is a resource scope, then users can access the resources if they belong to the enterprises that are part of the scope |
| Datacenters | Select Datacenters to include in the scope. For scopes, datacenters can be private cloud datacenters and/or public cloud regions. To automatically include all existing and future datacenters, select the options to Use all datacenters. If this is a user's administration scope, then the user can manage resources in the list of datacenters selected. Resource scopes do not use the datacenters list |

After you create a scope, you can assign it to a user, an enterprise, or a resource.
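
The Allowed CIDRs precedence described in the table can be checked with a short script. This is an added example, not Abiquo code: the function names and sample addresses are constructed, and it assumes that inherited role and scope CIDRs are combined into one list and that an empty list at every level means no restriction. It also flags user-level CIDRs that fall outside the inherited ranges, because those replace the scope's default rather than narrowing it.

```python
from ipaddress import ip_address, ip_network

def effective_cidrs(user, role, scope):
    """CIDRs set directly on the user take priority over inherited ones."""
    # Assumption: inherited role and scope lists are combined into one list.
    chosen = list(user) or list(role) + list(scope)
    return [ip_network(c) for c in chosen]

def is_allowed(source_ip, user, role, scope):
    """True if source_ip falls inside the user's effective allowed CIDRs."""
    nets = effective_cidrs(user, role, scope)
    if not nets:  # Assumption: no CIDRs at any level means no restriction.
        return True
    addr = ip_address(source_ip)
    return any(addr in net for net in nets)

def widening_overrides(user, role, scope):
    """User-level CIDRs that fall outside every inherited role/scope CIDR."""
    inherited = [ip_network(c) for c in list(role) + list(scope)]
    if not inherited:
        return []
    flagged = []
    for cidr in user:
        net = ip_network(cidr)
        inside = any(net.version == i.version and net.subnet_of(i) for i in inherited)
        if not inside:
            flagged.append(cidr)
    return flagged

# Constructed sample data (documentation address ranges).
ROLE_CIDRS = ["192.0.2.0/24"]
SCOPE_CIDRS = ["198.51.100.0/24"]
USER_CIDRS = ["203.0.113.0/24", "192.0.2.128/25"]

if __name__ == "__main__":
    print(is_allowed("203.0.113.5", [], ROLE_CIDRS, SCOPE_CIDRS))
    print(is_allowed("203.0.113.5", USER_CIDRS, ROLE_CIDRS, SCOPE_CIDRS))
    print(widening_overrides(USER_CIDRS, ROLE_CIDRS, SCOPE_CIDRS))
```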

...

To create a basic scope and assign it to a tenant and the tenant's users:

  1. Create

...

  1. On the General tab, for the Default scope, select Global scope

...

  1. a scope for the tenant

    1. On the General info tab, select a parent scope, for example, Global scope or a reseller scope


...

    1. The Enterprises list can remain empty if there will be no subsidiary enterprises.
      In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) where the users will work.


...

  1. Create the tenant enterprise and on the General tab for the Default scope select the tenant's scope.
    Abiquo will automatically add the enterprise to its Default scope


When an administrator creates users in the tenant, the platform will automatically suggest the tenant's enterprise scope for these users.

...

To create a basic administrator scope:

  1. Create a scope for the administrator

    1. On the General info tab, optionally select a parent scope, for example, the Global scope or a reseller scope

    2. Go to the Entities tab. In the Enterprises list, select the enterprises to administer

    3. In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) to administer

For example, for a Managed Service Provider in Spain with datacenters in Madrid, Barcelona, Valencia, and Seville, the scopes could be defined as follows:

...

To share a catalog resource:

  1. Create administrator roles with the appropriate privileges to manage the resources

    • To share resources, an administrator must also be able to switch enterprises

  2. Define and create scopes as required

    • The resource scopes should contain the enterprises that will access the resource

      • The platform allows the user to work with a resource if the user is in a tenant enterprise in the resource's scopes. The platform does not check the user's scope

    • To share resources with ALL current and future tenants, use the default Global scope or create an unlimited enterprise scope

    • To allow an administrator to share resources and manage the tenants, add the tenants to the administrator's scope

    • To allow an administrator to share resources without access to the tenants, add the tenants to one or more scopes, and make the administrator's scope the parent scope

  3. Log in to the enterprise that owns the resources

    • To modify VM templates, the administrator must be in the enterprise that created the template

    • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec

  4. Edit a resource and go to Scopes

  5. Select the scopes that contain tenants who will use the resources

Notes:

  • You can share resources with your own scope and child scopes of your scope

  • Each tenant can belong to more than one scope

  • Each scope can have one parent scope only

  • The platform will only consider the enterprises in the resource scopes, not the locations
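
The sharing rules above can be modelled to audit a scope hierarchy before resources are shared. This is an added example, not Abiquo code: the `Scope` class, function names and sample hierarchy are constructed. It models enterprises only, since resource scopes ignore locations, and it treats "child scopes" as every scope beneath the administrator's own scope.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Scope:
    name: str
    parent: Optional[str] = None          # each scope has one parent only
    enterprises: set = field(default_factory=set)
    all_enterprises: bool = False         # "Use all enterprises" (unlimited)

def can_use_resource(user_enterprise, resource_scopes, scopes):
    """Only the user's enterprise is checked, never the user's own scope."""
    return any(scopes[s].all_enterprises or user_enterprise in scopes[s].enterprises
               for s in resource_scopes)

def shareable_scopes(own, scopes):
    """The administrator's own scope plus every scope beneath it."""
    result, changed = {own}, True
    while changed:
        changed = False
        for s in scopes.values():
            if s.parent in result and s.name not in result:
                result.add(s.name)
                changed = True
    return result

def unlimited_under_limited(scopes):
    """Unlimited scopes with a limited ancestor (advised against above)."""
    flagged = []
    for s in scopes.values():
        parent, seen = s.parent, set()
        while s.all_enterprises and parent is not None and parent not in seen:
            seen.add(parent)
            if not scopes[parent].all_enterprises:
                flagged.append(s.name)
                break
            parent = scopes[parent].parent
    return sorted(flagged)

# Constructed sample hierarchy.
SCOPES = {s.name: s for s in [
    Scope("global", all_enterprises=True),
    Scope("reseller", "global", {"Reseller", "Tenant-A", "Tenant-B"}),
    Scope("tenant-a", "reseller", {"Tenant-A"}),
    Scope("open", "reseller", all_enterprises=True),   # misconfigured on purpose
]}
```

Sharing a resource with the `open` scope in this sample exposes it to every enterprise even though its parent is limited, which is the case `unlimited_under_limited` reports.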

...

Assign scopes to create a reseller hierarchy

You can use a reseller hierarchy for billing, pricing, and to manage and aggregate your cloud costs and usage. To create a reseller hierarchy, assign scopes to reseller, key node, and reseller customer tenants. 

...

To define the hierarchy levels, use the Default scopes of the reseller, key node, and reseller customer enterprises.   

  1. Go to Users → Enterprises

  2. For the reseller and key node enterprises, create a scope

    1. Select an appropriate Parent scope, for example

      1. For a reseller, select the Global scope or no parent scope

      2. For a key node, select the reseller's Default scope as the parent scope

      3. For a sub-enterprise of a key node, e.g. a Department, select the key node's Default scope as the parent scope

  3. Create or edit an enterprise to make it a Reseller or Key node enterprise

  4. Set the appropriate scope as the Default scope for the enterprise. Abiquo will automatically add the enterprise to its Default scope

    • Note that if you change the default scope of an enterprise, Abiquo will not remove the enterprise from its previous scope

...

Administrators can share VM templates and VApp specs with users in scopes beneath their own Default scope in a hierarchy. Note that it is not mandatory to use resellers and key nodes in a cloud tenant hierarchy

...