Table of Contents |
---|
Introduction to scopes
A scope is an access list that contains , which is a list of resources (enterprises and/or datacenters) to allow or restrict access.
You can use scopes to:
Create restricted sets of resources for administrators and users
Share VM templates and configuration blueprints (VApp specs) with a group of tenants and an optional tenant hierarchy, which can be in a tenant hierarchy
Restrict an enterprise to a set of script templates
Create a tenant hierarchy for pricing, billing, and cost and usage aggregation, which is useful for resellers and large organizations
You Administrators also control access to features and resources in the platform with privileges and allowed locations.
...
Go to Users → Scopes
Click the + add button
For General info:
For the Name, we recommend that you identify the tenant, resource, or user group that the scope will apply to
To add the scope to a hierarchy, select a Parent scope.
To specify attributes of an external system to define the user groups that this scope should apply to, enter External scopes. An example of an external scope could be an LDAP group for the user. This is for external authentication modes, such as
openid
andldap
. A user's external scopes must map to a single Abiquo scope (local or global). See LDAP and Active Directory Integration and Abiquo OpenID Connect Integration.To create a default list of network addresses from which users with this scope can access the platform, enter Allowed CIDRs. You can also set allowed CIDRs for a user role. A user will inherit the role and scope CIDRs. Any allowed CIDRs set directly for the user will have priority over these inherited allowed CIDRs.
For Entities:
Select Enterprises to use in the scope.
To automatically include all existing and future enterprises, select the option to Use all enterprises. We do not recommend this option if the parent scope is limitedIf you assign this scope to a user, then the user can manage resources in the list of enterprises selected
If you assign this scope to a VM template or a VApp spec, then users can access the resources if they belong to the enterprises that are in the scope list (or if they belong to the owner enterprise)
If you assign this scope to one or more script template/s, then users in the enterprises in this scope can only access the set of script templates with the scope selected
An enterprise default scope is the default scope for users you create in the enterprise
Select Datacenters (and public cloud regions) to include in the scope.
To automatically include all existing and future datacenters, select the option to Use all datacenters. We do not recommend this option if the parent scope is limitedIf you assign this scope to a user, then the user can manage resources in the list of datacenters selected.
Scopes for VM templates and VApp specs do not use the datacenters list
Scopes for script templates do not use the datacenters list
An enterprise default scope is the default scope for users you create in the enterprise
After you create a scope, you can assign it to a user, an enterprise, or a resource.
...
Create a scope for the tenant
On the General info tab, select a parent scope, for example,
Global scope
or a reseller scopeIn the Datacenters list, select the appropriate locations (datacenters and public cloud regions) where the users will work.
Create the tenant enterprise and on the General tab for the Default scope select the tenant's scope.
Abiquo will automatically add the enterprise to its Default scope
When an administrator creates users in the tenant, the platform will automatically suggest the tenant's enterprise scope for these users.
If you also assign this scope to an enterprise administrator in this tenant, they will be able to manage the tenant's users only.
...
Create a scope for an administrator
...
Create a scope for the administrator
On the General info tab, optionally select a parent scope, for example, the Global scope or a reseller scope
Go to the Entities tab. In the Enterprises list, select the enterprises to administer
In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) to administer
For example, for a Managed Service Provider in Spain, with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:
...
If enterprises are in a child scope, the administrator can share catalogue resources with them, even if they cannot administer their users.
...
Create a scope to share resources such as VM templates
The resources in the catalogue Catalogue include images (VM templates) and , blueprints (VApp specs), and VM bootstrap scripts (script templates).
You may wish to can create and maintain a group of core resources, and share these them with many tenants.
To share a catalogue resource:
Create In your administrator roles with the appropriate privileges to manage the resources.
To share resources, an administrator must also have, add the privilege to
Allow user to switch enterprises
.Define and create scopes as required.
The resource scopes should contain the enterprisesIn your administrator user scopes or their scope hierarchies, add the tenants that will access
the resourceThe platform lets the work with a resource if the user is in the owner enterprise or a tenant enterprise in the resource's scopes. The platform does not check the user's scopethe resources, and the locations of the resources
You can use an scope, such as a reseller scope with a hierarchy, or you can create a new scope to share resources with a group of tenants. In this scope, in the Enterprises list, select enterprises to give them access to the resource.
To share resources with ALL current and future tenants, use the default
Global scope
or create an unlimited enterprise scopeTo allow an administrator to share resources and manage the tenants, add the tenants to the administrator's scopeTo allow an administrator to share resources without access to the tenants, add the tenants to one or more scopes, and make the administrator's scope the parent scope.
Log in to the enterprise that owns the resources.
To modify VM templates or script templates, the administrator must be in the enterprise that created the templateresource
To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec.
Edit a the resource and go to Scopes
Select the scopes that contain tenants who will use the resources.
...
You can share resources with your own scope and child scopes of your scope
Each tenant can belong to more than one scope
Each scope can have one parent scope only
The platform will only consider the enterprises in the resource scopes, not the locations.
...
Assign scopes to create a reseller hierarchy
You can use a reseller hierarchy for billing, pricing, and to manage and aggregate your cloud costs and usage. To create a reseller hierarchy, assign scopes to reseller, key node, and reseller customer tenants.
...
Basic scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the
Spain
scope that includes the scopes forEastern Spain
andCentral Spain
andSouthern Spain
and then their customers at a lower level. The administrator forSpain
can only manage the users of the Spanish national organization but they can share templates and VApp specs with tenants in the scopes at all levels of the hierarchy.
...
Search and filter scopes
...
Manage scopes with the API
Tip |
---|
API Documentation For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource ScopesResource. |
...