Versions Compared

Version Old Version 42 New Version Current
Changes made by

MS (Unlicensed)

MS (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

To define how a user can work with resources, each user has a role with a group of privileges that allow access to different cloud features. You can create roles for each group of users such as cloud administrators, resellers, tenant administrators, standard users, and so on.

...

Table of Contents

Introduction to roles

Excerpt
nameIntroduction to roles

Each cloud user has a role to define how they can work with resources. Each user role has a set of privileges to allow access to different cloud features.

There are four default user roles in the system: Cloud administrator, Enterprise administrator, User, and Enterprise viewer. See Default roles. You can clone the default roles and modify them to create your own roles.

The Privileges page lists all the privileges and shows the default roles that they belong to. 
The default roles are global roles so they are available to all enterprises but it is also possible to create a role that belongs to a single enterprise.

Tip

To access and manage a user role, your role must have the same privileges or more privileges than the user role. You CANNOT access or manage roles with any privileges that are not in your role.

When you select new user privileges to activate new features, select the privileges your administrator roles too, so that your reseller and tenant administrators can continue to manage your users!

Privileges are generally independent. For example, if your user role does not have the Access Infrastructure view privilege, the UI will not display the Infrastructure icon. But if your role has the Manage datacenters and View datacenter details privileges, you can use the API to access the datacenter infrastructure that you cannot access in the UI.

You can specify directory groups for user roles. When users log in, the platform will automatically create users and assign the matching roles to them. You can use LDAP, Active Directory, OpenID Connect, and SAML.

In addition to user roles, each user also has an administration scope to define the resources that a user can view, access, and administer

...

. See Manage scopes. And

...

each user's enterprise has a list of allowed datacenters and public cloud regions that users can work in.

You can match user roles to OpenID, AD, or LDAP groups and when the platform will automatically create users and assign them the matching roles.

...

For details of the Abiquo concepts of enterprises and users, see 

...

Tenants and users in the Abiquo Walkthrough. 

Tip

For Abiquo API documentation of this feature, see RolesResource  

Panel
borderColor#ff9900
borderWidth1
borderStylesolid

Privilege: Access roles screen

...

For information about creating a reseller, see https://abiquo.atlassian.net/wiki/spaces/doc/pages/311361611/Abiquo+cloud+reseller+guide#Create-resellers.

For information about creating a tenant administrator, see Create a tenant administrator user.

...

Display roles

Panel
bgColor#FFFAE6

Privileges: Access Roles and Scope screens

To display roles, go to Users → Roles → Roles. By default, you will see the Global roles that are available to for all enterprises and the platform will display them with "(and they have (Global)" after the name.
To display the Enterprise enterprise roles that belong to for a specific enterprise, select the enterprise.Image Removed

...

...

Create or modify a role

Excerpt
nameCreate or modify a role

Abiquo provides a set of default roles and you can clone and modify them to create new roles.

...

 See Default roles.

...

For a list of the privileges for each

...

Default Role

...

Description

...

CLOUD_ADMIN

...

role

...

ENTERPRISE_ADMIN

...

Manages configurations at enterprise level and grants access to other enterprise users. This role is for users that are responsible for an enterprise to manage their cloud services. By definition, users with this role are restricted to administering their own enterprise.

...

USER

...

Manages the virtual appliances of an enterprise. Typically, this role is for users working with the cloud service. By definition, users with this role are restricted to their own enterprise.

...

Create or modify a role

Panel
borderColor#ff9900
borderWidth1
borderStylesolid

Privilege: Manage global role, Associate role with enterprise, Manage roles, Manage scopes, see Privileges.

Panel
bgColor#FFFAE6

Privileges: Access Roles and Scope screens, Manage roles, Manage global role

A user can only have one role, but a role can be associated with multiple OpenID, AD, or LDAP groups.

...

 

When you clone a role,

...

by default the new role will have

...

Copy:

...

as a prefix to its name, for example,

...

Copy: CLOUD_ADMIN

...

.

To create or modify a role:

  1. Go to UsersRoles

    • To clone a role, click the

...

After you create or clone the role, select the role name in the list and edit the privileges as required, then click Save.

Manage privileges

To modify a role's privileges:

  1. To modify a local role, select the enterprise
  2. Select a role from the Roles list
    • You cannot modify the privileges of your own role. For other roles, you can only modify the privileges that are also assigned to your own role
    • You cannot modify the privileges of the default CLOUD_ADMIN role
  3. In the Privileges pane, click a checkbox beside a privilege to add or remove the privilege. 
    • To add all the privileges in a group, click the All privileges checkbox beside the group name
    • Privileges are generally independent, for example, a user whose role does not have the "Access Infrastructure view" privilege will not be able to see the Infrastructure icon in the UI. However, if this user's role has the privileges to "Manage datacenters" and "View datacenter details", the user will be able to access these functions through the API
  4. Save the changes by clicking Save
    • Any other action outside of the Privileges pane will discard your changes, for example, clicking on another role name 
Privileges table
Info
titleChanges to privileges

See Changes to privileges

...

classlandsc tinycode

...

Home privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

Infrastructure privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

Virtual datacenters privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

Virtual appliances privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

Apps library privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

Users privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

System configuration privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

Prcing privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

Events privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

Control privileges

...

GUI Label _________________

...

Application Tag

...

Privilege____________________________________

...

Cloud Admin

...

Ent Admin

...

Ent User

...

Outbound API

...

Ent Viewer

...

Info

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

X

...

Key to Info Column of Privileges Table

(star) = new privilege
(warning) = changed privilege
(minus) = deprecated privilege

Related pages

...

    • duplicate clone button. Select the cloned role and click the pencil edit button

    • To create a new role, click the + add button

  2. Complete the dialog.

    1. Enter the Name of the role. The names of global roles must be unique

      • To create a local role, select the Enterprise that the role will belong to

      • To create a global role, select the Make this role global checkbox

    2. Optionally, to create a list of network addresses from which users with this role can access the platform, enter Allowed CIDRs.
      The CIDRs from a user’s role and scope will apply to the user but the allowed CIDRs of the user will have the highest priority.

    3. Enter the corresponding External roles, such as the LDAP group, for the user. This is required in external authentication modes (openid, ldap).
      A user's external roles must map to a single role (local or global).
      See LDAP and Active Directory integration and Abiquo OpenID Connect integration .
      You can also set external scopes.

      • Examples of external roles for LDAP:

        • ldap_group_01

        • ldap_group_02

      • Example for OpenID:

        • id=admins,ou=group,o=qa,ou=services,dc=openam,dc=forgerock,dc=org

Create a role and set external rolesImage Added

After you create or clone a role, select the role name in the list and edit the privileges as required, then click Save.

...

Modify the privileges of a role

Excerpt
nameModify the privileges of a role

To modify the privileges of a user role:

Panel

Privileges: Manage privileges

  1. Go to Users → Roles

  2. For a local role, select the enterprise that the role belongs to

  3. From the Roles list select the role

  4. In the Privileges pane, select or deselect the privileges 

    • To add or remove groups of privileges, click the All privileges checkbox beside the group name

    • You cannot undo, but you can discard the changes

  5. Save the changes by clicking Save

    • (warning) The platform will discard your changes if you do an action outside of the Privileges pane, for example, clicking on a another role name

Note

Role troubleshooting and tips

Roles

  • The default CLOUD_ADMIN role has all privileges and is locked

  • You can access roles with ALL the same privileges or fewer privileges than your own role

    • You CANNOT access roles with any privileges that are not in your role

  • You cannot modify your own role.

Privileges

  • You can only select or deselect privileges that are in your own role

  • Privileges are generally independent.
    For example, for a user with a role without the Access Infrastructure view privilege, the Infrastructure icon does not display in the UI. However, if this user's role has the privileges to Manage datacenters and View datacenter details, the user will be able to access these functions through the API

...

Manage roles with the API

Tip

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource RolesResource.

...

Privileges table

See Privileges

...

Related pages