...
A user with the default enterprise administrator role can assign the following scopes:
Own scope
The enterprise’s default scope (even if it is higher than their own scope)
An administrator with the “Allow user to switch enterprises” privilege can assign the following scopes:
Own scope
The enterprise’s default scope (even if it is higher than their own scope)
A lower scope in their scope hierarchy
What happens when I create an enterprise?
When you create an enterprise, you must add a default scope for that enterprise, which Abiquo will suggest as the scope for new users. Note that the default scope is always available for selection, even if it is higher than above the scope of the administrator creating the user. Therefore Abiquo recommends that the default scope should be lower than or equal to the administrator’s scope. When you edit the enterprise, you can change the default scope and the new value will be available when you subsequently create users.
When you create an enterprise, Abiquo automatically adds the new enterprise to your scope so you can manage it, for example, to add it to other scopes. And a higher-level administrator can later remove it from your scope.
...
Scope hierarchies
Abiquo 4.0 also introduces scope hierarchies for resource sharing. A scope hierarchy is for sharing resources with related tenants without the need for the administrator to have all of these related tenants in their own scope. So administrators can share VM templates and VApp specs with tenants in child scopes beneath their own scope, but administrators manage only the tenants within their own scope.
The scope hierarchy feature is optional: you can just create a single level of scopes at the same level as the global scope as in previous versions of Abiquo. The scope hiearchy hierarchy feature is also flexible, because an enterprise can belong to more than one scope, which means that an administrator could create an enterprise hierarchy for sharing, as well as more scopes for sharing templates of a specific type only with groups of tenants that will use those templates.
...
In Abiquo v4.0 the users who can administer shared resources have changed. The first criteria is that the user has access to the shared resource, i.e. their criteria are as follows:
User enterprise is listed in the
...
resource scope
Feature privileges (e.g. Manage VM templates in the Apps library)
Allow user to switch enterprise privilege (effectively manage shared resources)
Full datacenter access (
Allowed datacenter andUser Datacenter scope)
- For virtual appliance specs, users must be logged
Logged in to the
spec enterprise
The key privilege for managing shared resources is the Allow user to switch enterprise privilege. All administrators that can manage a shared resource can manage that resource fully, e.g. edit, share, delete. The only difference between users with a higher or lower scope is the number of scopes they can select from. If a user with a lower scope modifies scopes, this will not affect any higher scopes that are assigned to the template.
owner enterprise
An administrator with sharing permissions and unlimited scope can manage all scopes. An administrator with a limited scope can assign the following scopes:
Own scope
Child scopes beneath their scope in the hierarchy
Enterprise default scope
To give an example of the tenant administrator, by default, tenant administrators do not have the Allow user to switch enterprises privilege. This means that they can only work with local resources in their own enterprise and Abiquo will not display the Scopes tab when they edit a template or spec.
...
An administrator with scope privileges and the “Allow user to switch enterprises” privilege
can create a hierarchy by assigning a parent scope to any scope except an unlimited scope. An unlimited scope is the Global scope or a Use all enterprises or Use all datacenters scope.
The following diagram shows an example of a scope hierarchy.
...
For an administrator that can manage two national resellers called 4x and 5x.
These resellers have customers, with their own departments, and the administrator does not manage their users but the administrator does share templates with them.
...
Does an administrator need to have their own enterprise in scope?
An administrator can belong to an enterprise that is not included in their own scope, which means that they cannot manage some elements of this enterprise, eg. they cannot create users. But an administrator will usually have access to the Apps library, which is determined by their Apps library privileges, allowed datacenters, and datacenter scope. And the administrator will have access be able to templates, which is determined by their enterprise being listed in the template’s scope, or access to specs, which is determined by their enterprise being administer templates and specs when their enterprise is the owner of the specresource. To share resources and manage shared resources, such as VM templates and VApp specs, with enterprises in their child scopes, an administrator will need access to the resources owner enterprise and the “Allow user to switch enterprises” privilege.
Related pages:
- Scopes
- Templates
- Virtual Appliance Specs