In Abiquo, user scopes are administrator access lists. Scopes control the cloud locations (datacenters and public cloud regions) and tenants (Abiquo enterprises) that an administrator can manage. A scope assigned to a resource can also allow the tenants in that scope to access the resource, so administrators can use resource scopes to share virtual machine templates and virtual appliance spec blueprints. Abiquo 4.0 introduces user scopes and scope hierarchies.
User scopes
In Abiquo 4.0, administrators assign scopes to users, instead of to roles as in previous versions. During the upgrade, Abiquo will assign role scopes to users with that role. In previous versions, the default scope for all roles was the global scope. To make it easier to create multiple users with the same scope, there is now a default scope for each enterprise tenant. When you create an enterprise, a scope containing that enterprise cannot already exist. Abiquo handles this by adding the new enterprise to the administrator’s scope and assigning that scope as the default for the enterprise. The administrator can later edit the enterprise and change the default scope depending on their own scope.
Which scope can I assign to a user?
In the dialog to create a user, Abiquo displays the enterprise’s default scope as the first element in the dropdown list. An administrator with an unlimited scope (global or all enterprises) can assign any scope, whereas one with a limited scope can assign lower scopes (child scopes of their scope) or the enterprise default scope.
Manage scopes
The administrator cannot delete a scope if it is the default for an enterprise. The administrator cannot remove an enterprise from a scope if the scope is the default for an enterprise.
A user with the default enterprise administrator role can assign the following scopes:
Own scope
The enterprise’s default scope (even if it is higher than their own scope)
An administrator with the “Allow user to switch enterprises” privilege can assign the following scopes:
Own scope
The enterprise’s default scope (even if it is higher than their own scope)
A lower scope in their scope hierarchy
What happens when I create an enterprise?
When you create an enterprise, you must add a default scope for that enterprise, which Abiquo will suggest as the scope for new users. Note that the default scope is always available for selection, even if it is above the scope of the administrator creating the user. Therefore Abiquo recommends that the default scope should be lower than or equal to the administrator’s scope. When you edit the enterprise, you can change the default scope and the new value will be available when you subsequently create users.
When you create an enterprise, Abiquo automatically adds the new enterprise to your scope so you can manage it, for example, to add it to other scopes. And a higher-level administrator can later remove it from your scope.
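The following Python sketch is an added example, not Abiquo code: it models the scope assignment rules described above and checks the recommendation that an enterprise’s default scope should be lower than or equal to the administrator’s scope. The class, the function names and the sample scopes are hypothetical, and a “lower scope” is assumed to mean a child scope at any depth.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)  # compare scopes by identity
class Scope:
    name: str
    enterprises: set = field(default_factory=set)
    parent: Optional["Scope"] = None
    unlimited: bool = False  # Global, "Use all enterprises", etc.

def is_below(scope, ancestor):
    """True if `scope` is a child (at any depth) of `ancestor`."""
    node = scope.parent
    while node is not None:
        if node is ancestor:
            return True
        node = node.parent
    return False

def assignable_scopes(admin, enterprise_default, all_scopes, can_switch):
    """Names of scopes the administrator can assign when creating a user."""
    if admin.unlimited:
        return [s.name for s in all_scopes]
    allowed = [admin]
    if can_switch:  # "Allow user to switch enterprises" privilege
        allowed += [s for s in all_scopes if is_below(s, admin)]
    if enterprise_default not in allowed:
        allowed.append(enterprise_default)  # offered even if higher
    return [s.name for s in allowed]

def default_exceeds_admin(admin, enterprise_default):
    """Audit check: default scope is neither the admin's scope nor below it."""
    if admin.unlimited:
        return False
    return not (enterprise_default is admin or is_below(enterprise_default, admin))

# Constructed sample hierarchy: reseller > customer > department
GLOBAL = Scope("global", unlimited=True)
RESELLER = Scope("reseller", {"reseller-ent"})
CUSTOMER = Scope("customer", {"customer-ent"}, parent=RESELLER)
DEPT = Scope("department", {"dept-ent"}, parent=CUSTOMER)
ALL = [GLOBAL, RESELLER, CUSTOMER, DEPT]

if __name__ == "__main__":
    # Customer admin; enterprise default set to the higher reseller scope
    print(assignable_scopes(CUSTOMER, RESELLER, ALL, can_switch=True))
    print(default_exceeds_admin(CUSTOMER, RESELLER))  # flagged for review
```

An enterprise flagged by `default_exceeds_admin` is one where a limited administrator can create users with a wider scope than their own, which is the case the recommendation is meant to avoid.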
...
Scope hierarchies
Abiquo 4.0 introduces the hierarchy of scopes to enable administrators to share resources to tenants at lower levels without having them in their scope. All scopes except unlimited scopes can have a parent, which defines their position in the hierarchy.
A cloud administrator can create a hierarchy of scopes for sharing resources to lower levels. Or tenants may create enterprises that are automatically added to their scope, and as a result, they are also added to the hierarchy, but not to the parent scopes.
When creating a scope, an administrator with an unlimited scope can select a parent scope and create a hierarchy of different levels of scopes. When an administrator with a limited scope creates a scope, it can only be a lesser scope.
The tenants in the child scope do not need to be included in the parent scope, if the administrator does not need to manage these tenants (e.g. edit enterprise, manage users, and so on).
For example, an enterprise may have two enterprises in scope. But the enterprise's scope may be the parent scope of other scopes.
A user with a parent scope may share resources with enterprises (tenants) included in all lower child scopes, even if these enterprises are not included in the parent scope, meaning that the parent scope enterprises cannot manage these enterprises.
A user with a lower child scope may share resources with its lower child scopes.
Abiquo 4.0 also introduces scope hierarchies for resource sharing. A scope hierarchy is for sharing resources with related tenants without the need for the administrator to have all of these related tenants in their own scope. So administrators can share VM templates and VApp specs with tenants in child scopes beneath their own scope, but administrators manage only the tenants within their own scope.
The scope hierarchy feature is optional: you can just create a single level of scopes at the same level as the global scope as in previous versions of Abiquo. The scope hierarchy feature is also flexible, because an enterprise can belong to more than one scope, which means that an administrator could create an enterprise hierarchy for sharing, as well as more scopes for sharing templates of a specific type only with groups of tenants that will use those templates.
Which users can use shared resources?
Access to shared resources is the same as in previous versions. All users whose enterprises are listed in the scopes of a shared resource can access that resource (VM template or VApp spec).
Which users can manage shared resources?
In Abiquo v4.0 the users who can administer shared resources have changed. The criteria are as follows:
User enterprise is listed in the resource scope
Feature privileges (e.g. Manage VM templates in the Apps library)
Allow user to switch enterprise privilege (effectively manage shared resources)
Full datacenter access (User Datacenter scope)
Logged in to the owner enterprise
An administrator with sharing permissions and unlimited scope can manage all scopes. An administrator with a limited scope can assign the following scopes:
Own scope
Child scopes beneath their scope in the hierarchy
Enterprise default scope
For example, by default, tenant administrators do not have the Allow user to switch enterprises privilege. This means that they can only work with local resources in their own enterprise, and Abiquo will not display the Scopes tab when they edit a template or spec.
How do I create a scope hierarchy?
An administrator with scope privileges and the “Allow user to switch enterprises” privilege can create a hierarchy by assigning a parent scope to any scope except an unlimited scope. An unlimited scope is the Global scope or a Use all enterprises or Use all datacenters scope.
The following diagram shows an example of a scope hierarchy.
...
This example is for an administrator who can manage two resellers called 4x and 5x.
These resellers have customers with their own departments; the administrator does not manage their users, but does share templates with them.
...
Does an administrator need to have their own enterprise in scope?
An administrator can belong to an enterprise that is not included in their own scope, which means that they cannot manage some elements of this enterprise, e.g. they cannot create users. But an administrator will usually have access to the Apps library, which is determined by their Apps library privileges, allowed datacenters, and datacenter scope. And the administrator will be able to administer templates and specs when their enterprise is the owner of the resource. To share resources and manage shared resources, such as VM templates and VApp specs, with enterprises in their child scopes, an administrator will need access to the owner enterprise and the “Allow user to switch enterprises” privilege.