Versions Compared


Abiquo user management has a flexible concept of roles associated with privileges. Each user is assigned a role and that role is assigned a set of privileges to grant access to different cloud features. The privileges assigned to the role define how the user can work with the resources, for example, as a user or administrator. In a complementary way, the Administration Scope of a user defines the resources (such as datacenters and enterprises) that the user can view, access and administer. You can match roles to OpenID, AD or LDAP groups for automatic user creation and role assignment.

Tip

For Abiquo API documentation of this feature, see RolesResource 


Privilege: Access roles screen

To manage roles, go to Users → Roles. Global roles are available to all enterprises and the platform will display them with "(Global)" after the name. The platform will only display enterprise roles when you select the enterprise that they belong to.

...


Introduction to roles


Each cloud user has a role to define how they can work with resources. Each user role has a set of privileges to allow access to different cloud features.

There are four default user roles in the system: Cloud administrator, Enterprise administrator, User, and Enterprise viewer. See Default roles. You can clone the default roles and modify them to create your own roles.

The Privileges page lists all the privileges and shows the default roles that they belong to.
The default roles are global roles, so they are available to all enterprises, but it is also possible to create a role that belongs to a single enterprise.

Tip

To access and manage a user role, your role must have the same privileges or more privileges than the user role. You CANNOT access or manage roles with any privileges that are not in your role.

When you select new user privileges to activate new features, select the same privileges for your administrator roles too, so that your reseller and tenant administrators can continue to manage your users!

Privileges are generally independent. For example, if your user role does not have the Access Infrastructure view privilege, the UI will not display the Infrastructure icon. But if your role has the Manage datacenters and View datacenter details privileges, you can use the API to access the datacenter infrastructure that you cannot access in the UI.
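The two rules above (an administrator can only manage roles whose privileges are a subset of their own, and privileges are independent so a function can stay reachable through the API while the UI hides its view) modelled as set logic, as an added example that is not Abiquo code. Privilege tags are the Application Tags from the privileges table; the role definitions and the UI-view-to-API-privilege pairing are constructed assumptions for illustration, not Abiquo's default roles.

```python
"""Audit helpers for role definitions (added example, not Abiquo code)."""
from __future__ import annotations

# Privilege tags taken from the privileges table on this page.
VIEW_INFRA = "PHYS_DC_ENUMERATE"          # Access Infrastructure view (UI entry point)
MANAGE_DC = "PHYS_DC_MANAGE"              # Manage datacenter
DC_DETAILS = "PHYS_DC_RETRIEVE_DETAILS"   # View datacenter details

# Assumed pairing of a UI entry-point privilege with the API-level privileges
# that view normally exposes. The first entry is the case described in the Tip;
# the others are constructed for illustration.
UI_GATES: dict[str, set[str]] = {
    VIEW_INFRA: {MANAGE_DC, DC_DETAILS, "PHYS_DC_ALLOW_MODIFY_SERVERS",
                 "PHYS_DC_ALLOW_MODIFY_NETWORK", "PHYS_DC_ALLOW_MODIFY_STORAGE"},
    "USERS_VIEW": {"USERS_MANAGE_USERS", "USERS_MANAGE_ENTERPRISE"},
    "APPLIB_VIEW": {"APPLIB_ALLOW_MODIFY", "APPLIB_UPLOAD_IMAGE"},
}


def can_manage_role(admin_privileges: set[str], target_privileges: set[str]) -> bool:
    """True iff the administrator's role contains every privilege of the target role."""
    return target_privileges <= admin_privileges


def missing_for_management(admin_privileges: set[str], target_privileges: set[str]) -> set[str]:
    """Privileges the administrator role must gain before it can manage the target role."""
    return target_privileges - admin_privileges


def admin_roles_needing_update(admin_roles: dict[str, set[str]],
                               user_role: set[str]) -> dict[str, set[str]]:
    """After enabling new privileges on a user role, list each administrator role
    that can no longer manage it, with the privileges it lacks."""
    return {name: missing_for_management(privs, user_role)
            for name, privs in admin_roles.items()
            if not can_manage_role(privs, user_role)}


def api_reachable_without_ui(privileges: set[str]) -> dict[str, set[str]]:
    """Privileges usable through the API although the UI view that normally
    exposes them is absent from the role (the 'hidden icon' case in the Tip)."""
    findings: dict[str, set[str]] = {}
    for ui_view, guarded in UI_GATES.items():
        if ui_view not in privileges:
            hidden = guarded & privileges
            if hidden:
                findings[ui_view] = hidden
    return findings


# Constructed sample roles (assumptions, not the Abiquo default roles).
USER_ROLE = {"VDC_ENUMERATE", "VDC_MANAGE_VAPP"}
TENANT_ADMIN = {"USERS_VIEW", "USERS_MANAGE_USERS", "VDC_ENUMERATE",
                "VDC_MANAGE", "VDC_MANAGE_VAPP"}
RESELLER_ADMIN = TENANT_ADMIN | {"USERS_MANAGE_OTHER_ENTERPRISES", "ENTERPRISE_ENUMERATE"}
OPERATOR = {"VDC_ENUMERATE", "VDC_MANAGE", MANAGE_DC, DC_DETAILS}

if __name__ == "__main__":
    admins = {"TENANT_ADMIN": TENANT_ADMIN, "RESELLER_ADMIN": RESELLER_ADMIN}
    # Enabling a new feature privilege on the user role without updating admins.
    print(admin_roles_needing_update(admins, USER_ROLE | {"MANAGE_SCALING_GROUPS"}))
    # OPERATOR has no Infrastructure icon in the UI but can still use the API.
    print(api_reachable_without_ui(OPERATOR))
```

Run it against an export of your own role definitions to find administrator roles that silently lost the ability to manage a user role, and roles whose API reach is wider than their UI suggests.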

You can specify directory groups for user roles. When users log in, the platform will automatically create users and assign the matching roles to them. You can use LDAP, Active Directory, OpenID Connect, and SAML.

In addition to user roles, each user also has an administration scope to define the resources that a user can view, access, and administer. See Manage scopes. And each user's enterprise has a list of allowed datacenters and public cloud regions that users can work in.

For details of the Abiquo concepts of enterprises and users, see Tenants and users in the Abiquo Walkthrough.

For information about creating a reseller, see https://abiquo.atlassian.net/wiki/spaces/doc/pages/311361611/Abiquo+cloud+reseller+guide#Create-resellers.

For information about creating a tenant administrator, see Create a tenant administrator user.

...

Display roles


Privileges: Access Roles and Scope screens

To display roles, go to Users → Roles. By default, you will see the Global roles for all enterprises (they have "(Global)" after the name).
To display the enterprise roles for a specific enterprise, select the enterprise.

...

...

Create or modify a role


Abiquo provides a set of default roles and you can clone and modify them to create new roles.

...

See Default roles.

...

For a list of the privileges for each

...

Default Role

...

Description

...

CLOUD_ADMIN

...

role

...

ENTERPRISE_ADMIN

...

Manages configurations at enterprise level and grants access to other enterprise users. This role is for users that are responsible for an enterprise to manage their cloud services. By definition, users with this role are restricted to administering their own enterprise.

...

USER

...

Manages the virtual appliances of an enterprise. Typically, this role is for users working with the cloud service. By definition, users with this role are restricted to their own enterprise.

...

The following diagram shows the default user roles and the resources that each role can administer, in addition to those of lower roles.

(Diagram: "Click here to show/hide the diagram"; image not reproduced in this version of the page)

 

Create or modify a role


Privileges: Manage global role, Associate role with enterprise, Manage roles, Specify LDAP group, Manage scopes. See Privileges.


Privileges: Access Roles and Scope screens, Manage roles, Manage global role

A user can only have one role, but a role can be associated with multiple OpenID, AD, or LDAP groups.

...

 

When you clone a role, by default the new role will have "Copy:" as a prefix to its name, for example, "Copy: CLOUD_ADMIN".

...

To create or modify a role:

  1. Go to Users → Roles

    • To clone a role, click the

...

After you create or clone the role, select the role name in the list and edit the privileges as required, then click Save.

Manage privileges

To modify a role's privileges:

  1. To modify a local role, select the enterprise
  2. Select a role from the Roles list
    • You cannot modify the privileges of your own role. For other roles, you can only modify the privileges that are also assigned to your own role
    • You cannot modify the privileges of the default CLOUD_ADMIN role
  3. In the Privileges pane, click a checkbox beside a privilege to add or remove the privilege.
    • To add all the privileges in a group, click the All privileges checkbox beside the group name
    • Privileges are generally independent, for example, a user whose role does not have the "Access Infrastructure view" privilege will not be able to see the Infrastructure icon in the UI. However, if this user's role has the privileges to "Manage datacenters" and "View datacenter details", the user will be able to access these functions through the API
  4. Save the changes by clicking Save
    • Any other action outside of the Privileges pane will discard your changes, for example, clicking on another role name
Privileges table

...

Home privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
List enterprises within scope | ENTERPRISE_ENUMERATE | This privilege allows a user to view the list of enterprises within scope and to view statistics for those enterprises | X | | | | |
Allow user to switch enterprise | ENTERPRISE_ADMINISTER_ALL | This privilege allows a user to change to another enterprise, in order to administer it, by clicking the switch user button in the Enterprises list | X | | | X | |
Display enterprise statistics | ENTERPRISE_RESOURCE_SUMMARY_ENT | This privilege allows a user to filter statistics by enterprise to display the resources used by an enterprise in the enterprise resources panel | X | X | | X | X |
Display enterprise limits in statistics | ENTERPRISE_SHOW_STATS_LIMITS | This privilege allows a user to view enterprise limits in addition to resources used in the enterprise resources panel if the user has the Display enterprise statistics privilege | X | X | X | | |

Infrastructure privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Access Infrastructure view | PHYS_DC_ENUMERATE | This privilege allows a user to access the Infrastructure view and list the physical datacenters | X | | | X | |
Display resource usage panel | PHYS_DC_RETRIEVE_RESOURCE_USAGE | This privilege allows a user to view the resource usage panel in the Infrastructure view | X | | | X | |
Manage datacenter | PHYS_DC_MANAGE | This privilege allows a user to manage datacenters (add, edit and delete). Without it, the datacenter's properties will be read only | X | | | X | |
View datacenter details | PHYS_DC_RETRIEVE_DETAILS | This privilege allows a user to go inside a datacenter and view its details (racks, physical machines, VLANs, storage and allocation rules) | X | | | X | |
Manage infrastructure elements | PHYS_DC_ALLOW_MODIFY_SERVERS | This privilege allows a user to manage infrastructure elements (add, edit and delete racks and physical machines) | X | | | X | |
Manage network elements | PHYS_DC_ALLOW_MODIFY_NETWORK | This privilege allows a user to manage network elements (add, edit and delete public VLANs) | X | | | | |
Manage storage elements | PHYS_DC_ALLOW_MODIFY_STORAGE | This privilege allows a user to manage storage elements (add, edit and delete storage devices, pools, tiers and volumes) | X | | | | |
Manage allocation rules | PHYS_DC_ALLOW_MODIFY_ALLOCATION | This privilege allows a user to manage allocation rules (add and delete rules) | X | | | | |
Manage datacenter backup configuration | PHYS_DC_ALLOW_BACKUP_CONFIG | This privilege allows a user to manage backup configuration at datacenter level | X | | | X | |
Manage devices | MANAGE_DEVICES | This privilege allows a user to set up networking devices (Neutron) | X | | | | |

Virtual datacenters privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Access virtual datacenters view | VDC_ENUMERATE | This privilege allows a user to access the Virtual Datacenters view | X | X | X | X | X |
Manage virtual datacenters | VDC_MANAGE | This privilege allows a user to manage virtual datacenters (add, edit and delete). Without it, the virtual datacenter details are read only | X | X | | X | |
Manage virtual appliances | VDC_MANAGE_VAPP | This privilege allows a user to manage virtual appliances (add, edit and delete) | X | X | X | X | |
Manage virtual network elements | VDC_MANAGE_NETWORK | This privilege allows a user to manage private and public VLANs (add, edit and delete) | X | X | | | |
Manage virtual storage elements | VDC_MANAGE_STORAGE | This privilege allows a user to manage storage volumes (add, edit and delete) | X | X | | | |
Manage floating IPs | MANAGE_FLOATINGIPS | This privilege allows a user to manage floating IPs (add and delete) | X | X | | X | |
Manage firewalls | MANAGE_FIREWALLS | This privilege allows a user to manage firewalls (add, edit and delete) for virtual datacenters | X | X | | X | |
Manage load balancers | MANAGE_LOADBALANCERS | This privilege allows a user to manage load balancers (add, edit and delete) for virtual datacenters | X | X | | X | |
Manage virtual storage controller | VDC_MANAGE_STORAGE_CONTROLLER | This privilege allows a user to manage the controller of storage volumes | X | X | X | X | |
Manage public IPs | MANAGE_PUBLICIPS | This privilege allows a user to manage public IPs for private virtual datacenters | X | X | X | | |

Virtual appliances privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Edit virtual appliance details | VAPP_CUSTOMISE_SETTINGS | This privilege allows a user to edit virtual appliance details (name, CPUs, etc.), go inside virtual appliances and view their details | X | X | X | X | |
Deploy and undeploy virtual appliances | VAPP_DEPLOY_UNDEPLOY | This privilege allows a user to deploy/undeploy virtual appliances | X | X | X | X | |
Perform virtual machine actions | VAPP_PERFORM_ACTIONS | This privilege allows a user to perform virtual machine actions (power on/off, pause, reboot, remote access) | X | X | X | X | |
Manage persistent templates | VAPP_CREATE_STATEFUL | This privilege allows a user to manage persistent virtual machine templates (create in VApp; create, edit and delete in virtual datacenter) | X | X | X | X | |
Create instance | VAPP_CREATE_INSTANCE | This privilege allows a user to create instance templates of a virtual machine within a virtual appliance | X | X | X | | |
Manage virtual machine hard disks | MANAGE_HARD_DISKS | This privilege allows a user to access the virtual machine hard disk tab and manage hard disks (add and delete) | X | | | | |
Manage layers | VAPP_MANAGE_LAYERS | This privilege allows a user to manage anti-affinity layers in virtual appliances (create, edit and delete layers) | X | X | X | | |
Manage virtual machine backup configuration | VAPP_MANAGE_BACKUP | This privilege allows a user to access the backup configuration at virtual machine level and set the backup type and contents | X | | | | |
Manage virtual machine backup schedule | VAPP_DEFINE_BACKUP_INFO | This privilege allows a user to specify an additional option for backup configuration by setting backup dates and times | X | | | | |
Manage workflow tasks | WORKFLOW_OVERRIDE | This privilege allows a user to start or cancel queued tasks if workflow is enabled | X | X | | | |
Delete unknown virtual machines | VAPP_DELETE_UNKNOWN_VM | This privilege allows a user to delete virtual machines in unknown state | X | | | | |
Assign firewalls to virtual machines | ASSIGN_FIREWALLS | This privilege allows a user to assign already created firewalls to virtual machines | X | X | | | |
Access persistent templates view | VAPP_STATEFUL_VIEW | This privilege allows a user to access the persistent virtual machine templates view | X | X | X | | |
Manage virtual machine backup disks | VAPP_MANAGE_BACKUP_DISKS | This privilege allows a user to specify disks and disk backup types (snapshot and complete) | X | X | | | |
Assign load balancers | ASSIGN_LOADBALANCERS | This privilege allows a user to assign load balancers | X | X | | | |
Manage virtual machine metrics | USERS_ENABLE_DISABLE_VM_METRICS | This privilege allows a user to activate monitoring of virtual machines | X | X | X | | |
Access virtual machine metrics | USERS_SHOW_VM_METRICS | This privilege allows a user to manage monitoring | X | X | X | | X |
Restore virtual machine backups | VAPP_RESTORE_BACKUP | This privilege allows a user to restore virtual machine backups | X | X | | | |
Protect/unprotect virtual machines | VM_PROTECT_ACTION | This privilege allows a user to protect/unprotect a virtual machine | X | | | | |
Consume virtual appliance specs | CONSUME_VAPP_SPEC | This privilege allows a user to consume virtual appliance specs | X | | | X | |
Access alarms section in virtual machines | USERS_VM_VIEW_ALARMS | This privilege allows a user to access the alarms section within a virtual machine | X | | | | |
Manage alarms | USERS_VM_MANAGE_ALARMS | This privilege allows a user to manage alarms (create, edit and delete) within a virtual machine | X | | | | |
Access alerts section | USERS_VAPP_VIEW_ALERTS | This privilege allows a user to access the alerts section within a virtual appliance | X | | | | |
Manage alerts | USERS_VAPP_MANAGE_ALERTS | This privilege allows a user to manage alerts (create, edit and delete) within a virtual appliance | X | | | | |
Override virtual machine constraints | VM_EXCEED_CPU_RAM | This privilege allows a user to modify virtual machine CPU and RAM to values outside the maximum and minimum values defined in the virtual machine template | X | | | | |
Edit virtual machine details | VM_EDIT_CPU_RAM | This privilege allows a user to edit virtual machine details (CPU and RAM) | X | X | X | X | X |
Retrieve default VM credentials | VM_CHECK_USER_PASSWORD | This privilege allows a user to retrieve the default user and password of a virtual machine | X | | | | |
Access action plans and task schedules views | VM_ACTION_PLAN_VIEW | This privilege allows a user to access action plans and task schedules views | X | | | | |
Manage action plans and task schedules | VM_ACTION_PLAN_MANAGE | This privilege allows a user to manage action plans and task schedules | X | | | | |
Relocate a VM to a compatible host | VM_RELOCATE | This privilege allows a user to relocate a VM to a compatible host | X | | | | | (star) 3.10.1
Manage workflow for scaling groups | SCALING_GROUP_MANAGE_WORKFLOW | This privilege allows a user to enable or disable workflow for scaling groups | X | | | | | (star)
Attach NICs in restricted networks | VM_ATTACH_NIC | This privilege allows a user to attach NICs in restricted networks | X | | | | | (star)
Detach NICs from restricted networks | VM_DETACH_NIC | This privilege allows a user to detach NICs from restricted networks | X | | | | | (star)
Manage scaling groups | MANAGE_SCALING_GROUPS | This privilege allows a user to manage scaling groups (add, edit and delete) | X | | | | | (star)

Apps library privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Access Apps library view | APPLIB_VIEW | This privilege allows a user to access the Appliance library view | X | X | | X | |
Manage VM templates from Apps library | APPLIB_ALLOW_MODIFY | This privilege allows a user to view the Appliance library contents, modify virtual machine templates (download from remote repositories, edit and delete) and promote instances | X | X | | X | |
Upload virtual machine template | APPLIB_UPLOAD_IMAGE | This privilege allows a user to upload virtual machine templates from a local file into the Apps library | X | X | | X | |
Manage repository | APPLIB_MANAGE_REPOSITORY | This privilege allows a user to manage repositories (add and delete repositories) | X | X | | | |
Download virtual machine template | APPLIB_DOWNLOAD_IMAGE | This privilege allows a user to download virtual machine templates from the Appliance library to their hard disk | X | X | | X | |
Manage VM template categories | APPLIB_MANAGE_CATEGORIES | This privilege allows a user to manage categories of virtual machine templates that belong to their enterprise (add and delete) | X | X | | | |
Manage VM template global categories | APPLIB_MANAGE_GLOBAL_CATEGORIES | This privilege allows a user to manage categories of virtual machine templates that are common and available to all enterprises (add and delete) | X | | | | |
Display datacenter capacity and free space | APPLIB_SHOW_DC_CAPACITY | This privilege allows a user to view the capacity and remaining space of a datacenter | X | | | | |
Export a virtual machine template to datacenter | APPLIB_EXPORT_TO_PRIVATE | This privilege allows a user to export a virtual machine template to another private datacenter | X | | | | |
Export a virtual machine template to public cloud region | APPLIB_EXPORT_TO_PUBLIC | This privilege allows a user to export a virtual machine template to another public cloud region | X | | | | |
Manage virtual appliance specs | MANAGE_VAPP_SPEC | This privilege allows a user to manage virtual appliance specs (add and edit) | X | | | | |
Download VM templates from remote repository | APPLIB_DOWNLOAD_FROM_REMOTE_REPOSITORY | This privilege allows a user to download virtual machine templates from remote repositories | X | X | | | |

Users privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Access Users view | USERS_VIEW | This privilege allows a user to access the Users view | X | X | | X | |
Manage enterprises | USERS_MANAGE_ENTERPRISE | This privilege allows a user to manage enterprises (add, edit and delete) | X | | | X | |
Manage users | USERS_MANAGE_USERS | This privilege allows a user to manage users (add, edit and delete) | X | X | | X | |
Manage users of all enterprises | USERS_MANAGE_OTHER_ENTERPRISES | This privilege allows a user to manage users of more than one enterprise and move users between enterprises. Without it, the Enterprise list is not shown in Users view | X | | | X | |
No VDC restriction | USERS_PROHIBIT_VDC_RESTRICTION | Normally a user within an enterprise can have a list of VDCs assigned and these will be the only VDCs that they will be able to see. Setting this privilege exempts a user from having their VDC list restricted and they will be able to see all VDCs in their enterprise | X | X | | X | |
Access Roles screen | USERS_VIEW_PRIVILEGES | This privilege allows a user to access the Roles screen | X | | | X | |
Manage roles | USERS_MANAGE_ROLES | This privilege allows a user to manage roles (add, edit and delete roles; modify privileges assigned to roles; assign scopes to roles) | X | | | | |
Associate role with enterprise | USERS_MANAGE_ROLES_OTHER_ENTERPRISES | This privilege allows a user to associate a role with any enterprise | X | | | | |
Manage global role | USERS_MANAGE_SYSTEM_ROLES | This privilege allows a user to manage roles that are common and available to all enterprises, rather than being constrained to a single enterprise | X | | | | |
Specify LDAP group | USERS_MANAGE_LDAP_GROUP | This privilege allows a user to associate a role with an LDAP group. When LDAP authentication is activated, a user's role will be determined by the LDAP group that they are a member of | X | | | | |
Display connected users | USERS_ENUMERATE_CONNECTED | This privilege allows a user to display connected users | X | | | | |
Define enterprise manager | USERS_DEFINE_AS_MANAGER | This privilege defines a user as an enterprise manager. Enterprise managers receive physical machine notification emails | X | X | | | |
Manage Chef enterprises | USERS_MANAGE_CHEF_ENTERPRISE | This privilege allows a user to enable and manage Chef for enterprises | X | | | | |
Manage scopes | USERS_MANAGE_SCOPES | This privilege allows a user to manage scopes (add, edit and delete scopes) | X | | | | |
Manage enterprise reserved servers | USERS_MANAGE_RESERVED_MACHINES | This privilege allows a user to manage reserved servers at enterprise level | X | | | X | |
Modify enterprise theme | USERS_MANAGE_ENTERPRISE_BRANDING | This privilege allows a user to manage enterprise branding (select a specific theme for an enterprise) | X | | | | |
Allow user to push own VM metrics | USERS_PUSH_VM_METRICS | This privilege allows a user to push their own VM metrics | X | X | X | | |
Manage provider credentials | USERS_MANAGE_CREDENTIALS | This privilege allows a user to manage provider credentials (add and delete) | X | | | | |
Manage user applications | USERS_MANAGE_APPLICATIONS | This privilege allows a user to manage applications (add and delete) | X | | | | |

System configuration privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Access Configuration view | SYSCONFIG_VIEW | This privilege allows a user to access the Configuration view | X | | | X | |
Modify configuration data | SYSCONFIG_ALLOW_MODIFY | This privilege allows a user to edit all system-wide configuration settings | X | | | | |
Allow access to reports | SYSCONFIG_SHOW_REPORTS | This privilege allows a user to access external reports by clicking the Reports button. The button will only be visible if the 'Reports URL' system property is not empty (Configuration -> System Properties -> General -> Reports URL) | X | | | | |

Pricing privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Add a cost code when editing a VM template | APPLIB_VM_COST_CODE | This privilege allows a user to select a cost code when editing a virtual machine template | X | | | | |
Access Pricing view | PRICING_VIEW | This privilege allows a user to access the Pricing view | X | | | X | |
Manage pricing | PRICING_MANAGE | This privilege allows a user to manage pricing components (add, edit and delete currencies, pricing models and cost codes) | X | | | | |

Events privileges

GUI Label | Application Tag | Description | Cloud Admin | Ent Admin | Ent User | Outbound API | Ent Viewer | Info
--- | --- | --- | --- | --- | --- | --- | --- | ---
Display all events for current enterprise | EVENTLOG_VIEW_ENTERPRISE | This privilege allows a user to display all events related to the current enterprise | X | X | X | | X |
Display all events | EVENTLOG_VIEW_ALL | This privilege allows a user to display all events | X | | | | |

Key to Info Column of Privileges Table

(star) = new privilege
(warning) = changed privilege
(minus) = deprecated privilege

...

    • duplicate clone button. Select the cloned role and click the pencil edit button

    • To create a new role, click the + add button

  2. Complete the dialog.

    1. Enter the Name of the role. The names of global roles must be unique

      • To create a local role, select the Enterprise that the role will belong to

      • To create a global role, select the Make this role global checkbox

    2. Optionally, to create a list of network addresses from which users with this role can access the platform, enter Allowed CIDRs.
      The CIDRs from a user’s role and scope will apply to the user but the allowed CIDRs of the user will have the highest priority.

    3. Enter the corresponding External roles, such as the LDAP group, for the user. This is required in external authentication modes (openid, ldap).
      A user's external roles must map to a single role (local or global).
      See LDAP and Active Directory integration and Abiquo OpenID Connect integration.
      You can also set external scopes.

      • Examples of external roles for LDAP:

        • ldap_group_01

        • ldap_group_02

      • Example for OpenID:

        • id=admins,ou=group,o=qa,ou=services,dc=openam,dc=forgerock,dc=org

(Screenshot: Create a role and set external roles)

After you create or clone a role, select the role name in the list and edit the privileges as required, then click Save.

...

Modify the privileges of a role


To modify the privileges of a user role:

Privileges: Manage privileges

  1. Go to Users → Roles

  2. For a local role, select the enterprise that the role belongs to

  3. From the Roles list select the role

  4. In the Privileges pane, select or deselect the privileges

    • To add or remove groups of privileges, click the All privileges checkbox beside the group name

    • You cannot undo, but you can discard the changes

  5. Save the changes by clicking Save

    • (warning) The platform will discard your changes if you do an action outside of the Privileges pane, for example, clicking on another role name

Role troubleshooting and tips

Roles

  • The default CLOUD_ADMIN role has all privileges and is locked

  • You can access roles with ALL the same privileges or fewer privileges than your own role

    • You CANNOT access roles with any privileges that are not in your role

  • You cannot modify your own role.

Privileges

  • You can only select or deselect privileges that are in your own role

  • Privileges are generally independent.
    For example, for a user with a role without the Access Infrastructure view privilege, the Infrastructure icon does not display in the UI. However, if this user's role has the privileges to Manage datacenters and View datacenter details, the user will be able to access these functions through the API

...

Manage roles with the API

Tip

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource RolesResource.

...

Privileges table

See Privileges

...
