
...

  1. Create restricted sets of resources for administrators and users

  2. Share VM templates and configuration blueprints (VApp specs) with a group of tenants and an optional tenant hierarchy

  3. Create a tenant hierarchy for pricing, billing, and cost and usage aggregation, which is useful for resellers and large organizations

You can also control access to features and resources in the platform with privileges and allowed locations.

...

  1. Go to Users → Scopes

  2. Click the + add button

  3. For General info:

    1. For the Name, we recommend that you identify the tenant, resource, or user group that the scope will apply to

    2. To add the scope to a hierarchy, select a Parent scope. We recommend that under a hierarchy with limited scopes you should not select unlimited scopes (i.e. do not select Use all enterprises and/or Use all datacenters)

    3. To specify attributes of an external system to define the user groups that this scope should apply to, enter External scopes. An example of an external scope could be an LDAP group for the user. This is for external authentication modes, such as OpenID and LDAP. A user's external scopes must map to a single Abiquo scope (local or global). See LDAP and Active Directory Integration and Abiquo OpenID Connect Integration.

    4. To create a default list of network addresses from which users with this scope can access the platform, enter Allowed CIDRs. You can also set allowed CIDRs for a user role. A user will inherit the role and scope CIDRs. Any allowed CIDRs set directly for the user will have priority over these inherited allowed CIDRs.

      Create scope - general information

  4. For Entities:

    1. Select Enterprises to use in the scope.

      1. To automatically include all existing and future enterprises, select the option to Use all enterprises. We do not recommend this option if the parent scope is limited

      2. If you assign this scope to a user, then the user can manage resources in the list of enterprises selected

      3. If you assign this scope to a VM template or a VApp spec, then users can access the resources if they belong to the enterprises that are in the scope list (or if they belong to the owner enterprise)

      4. An enterprise default scope is the default scope for users you create in the enterprise

    2. Select Datacenters (and public cloud regions) to include in the scope.

      1. To automatically include all existing and future datacenters, select the option to Use all datacenters. We do not recommend this option if the parent scope is limited

      2. If you assign this scope to a user, then the user can manage resources in the list of datacenters selected.

      3. Scopes for VM templates and VApp specs do not use the datacenters list

      4. An enterprise default scope is the default scope for users you create in the enterprise

        Create scope - entities
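
The recommendation above, not to select Use all enterprises or Use all datacenters under a limited parent scope, can be checked over a list of scopes. The following is an added example, not Abiquo code: the Scope model, its field names, and the sample scope names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Scope:                       # hypothetical model, not Abiquo's schema
    name: str
    parent: Optional[str] = None   # a scope has one parent at most
    all_enterprises: bool = False  # "Use all enterprises" selected
    all_datacenters: bool = False  # "Use all datacenters" selected

FLAGS = ("all_enterprises", "all_datacenters")

def limited_ancestor(scopes, scope, flag):
    """Nearest ancestor that is limited in the same dimension, or None."""
    seen, parent = {scope.name}, scope.parent
    while parent is not None:
        if parent in seen or parent not in scopes:
            raise ValueError(f"broken scope hierarchy at {parent!r}")
        seen.add(parent)
        if not getattr(scopes[parent], flag):
            return parent
        parent = scopes[parent].parent
    return None

def audit_hierarchy(scope_list):
    """List (scope, flag, limited ancestor) for every unlimited child."""
    scopes = {s.name: s for s in scope_list}
    findings = []
    for s in scope_list:
        for flag in FLAGS:
            if getattr(s, flag):
                ancestor = limited_ancestor(scopes, s, flag)
                if ancestor is not None:
                    findings.append((s.name, flag, ancestor))
    return findings

# Constructed sample hierarchy; scope names are made up for the example.
SAMPLE = [
    Scope("Global", all_enterprises=True, all_datacenters=True),
    Scope("reseller-a", parent="Global"),
    Scope("customer-a1", parent="reseller-a"),
    Scope("customer-a2", parent="reseller-a", all_enterprises=True),
    Scope("ops-a2", parent="customer-a2", all_datacenters=True),
]

if __name__ == "__main__":
    for name, flag, ancestor in audit_hierarchy(SAMPLE):
        print(f"{name}: {flag} is set, but ancestor {ancestor} is limited")
```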

...

Another basic scope is for a key node enterprise with a group of enterprises below it. This could be for an organization and its departments, and it could represent an AWS organization account, where you can add the AWS account for each department to a separate enterprise.

To create a basic scope and assign it to a tenant and the tenant's users:

...

  1. Create administrator roles with the appropriate privileges to manage the resources.

    • To share resources, an administrator must also have the privilege to Allow user to switch enterprises.

  2. Define and create scopes as required.

    • The resource scopes should contain the enterprises that will access the resource

      • The platform lets the user work with a resource if the user is in the owner enterprise or a tenant enterprise in the resource's scopes. The platform does not check the user's scope

    • To share resources with ALL current and future tenants, use the default Global scope or create an unlimited enterprise scope

    • To allow an administrator to share resources and manage the tenants, add the tenants to the administrator's scope

    • To allow an administrator to share resources without access to the tenants, add the tenants to one or more scopes, and make the administrator's scope the parent scope.

  3. Log in to the enterprise that owns the resources.

    • To modify VM templates, the administrator must be in the enterprise that created the template

    • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec.

  4. Edit a resource and go to Scopes

  5. Select the scopes that contain tenants who will use the resources.

...

  • You can share resources with your own scope and child scopes of your scope

  • Each tenant can belong to more than one scope

  • Each scope can have one parent scope only

  • The platform will only consider the enterprises in the resource scopes, not the locations.
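
The sharing rules above decide access from the user's enterprise alone: the owner enterprise or an enterprise in one of the resource's scopes. The following added example models that decision to review which tenants a shared resource is exposed to. It is not Abiquo code, and the class names, field names, and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Scope:                       # hypothetical model, not Abiquo's schema
    name: str
    enterprises: set = field(default_factory=set)
    all_enterprises: bool = False  # "Use all enterprises" selected
    datacenters: set = field(default_factory=set)  # not used for resources

@dataclass
class Resource:                    # a VM template or a VApp spec
    name: str
    owner_enterprise: str
    scopes: list = field(default_factory=list)

def can_use(user_enterprise, resource):
    """Access depends on the user's enterprise, never on the user's scope."""
    if user_enterprise == resource.owner_enterprise:
        return True
    return any(s.all_enterprises or user_enterprise in s.enterprises
               for s in resource.scopes)

def exposure(resource, known_enterprises):
    """Enterprises from a known list whose users can work with the resource."""
    return sorted(e for e in known_enterprises if can_use(e, resource))

def shared_with_everyone(resources):
    """Resources in an unlimited enterprise scope: all current and future tenants."""
    return [r.name for r in resources
            if any(s.all_enterprises for s in r.scopes)]

# Constructed sample data; all names are made up for the example.
TENANTS = {"provider", "shop-1", "shop-2", "bank-1"}
TEMPLATE = Resource("ubuntu-template", "provider", [
    Scope("retail-tenants", {"shop-1", "shop-2"}, datacenters={"dc-madrid"}),
])
BLUEPRINT = Resource("lamp-spec", "provider", [
    Scope("Global", all_enterprises=True),
])

if __name__ == "__main__":
    for res in (TEMPLATE, BLUEPRINT):
        print(res.name, "->", exposure(res, TENANTS))
    print("shared with all tenants:", shared_with_everyone([TEMPLATE, BLUEPRINT]))
```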

...

Assign scopes to create a reseller hierarchy

You can use a reseller hierarchy for billing, pricing, and to manage and aggregate your cloud costs and usage. To create a reseller hierarchy, assign scopes to reseller, key node, and reseller customer tenants. 

...