In Abiquo, user scopes are administrator access lists: scopes control the cloud locations (datacenters and public cloud regions) and tenants (Abiquo enterprises) that an administrator can manage. Scopes can also restrict a resource so that only tenants in the resource's scope can access it. Abiquo uses resource scopes for virtual machine templates and virtual appliance spec blueprints.
In Abiquo 4.0, administrators assign scopes to users, instead of to roles as in previous versions. To make it easier to create multiple users with scopes, tenants now have a default scope.
Abiquo 4.0 also introduces scope hierarchies to enable administrators to share resources with tenants under their tenants, but without allowing the administrators to manage all tenants.
It is important to remember that an administrator can belong to an enterprise that is not included in their administration scope. This enables the administrator to work with the resources of the enterprise as an ordinary user but not to perform administration tasks. For example, the user cannot access the Apps library to manage templates unless the enterprise is in their scope.
Manage tenants
Abiquo tenants now have a default scope that Abiquo assigns to the tenant’s users. When an administrator creates a tenant, Abiquo assigns the administrator’s scope as the enterprise default scope and adds the new tenant to the administrator’s scope.
When the administrator edits the new enterprise, the edit dialog will display the default scope. The administrator can change the default scope to any other scope that includes the enterprise. If an administrator changes the enterprise’s default scope, it will apply to all new users.
Manage users
In the dialog to create a user, Abiquo displays the enterprise’s default scope. The administrator can set another scope for the user, depending on their own scope. If the administrator has an unlimited scope (global or enterprise), the administrator can assign an unlimited scope, or any limited scope that contains the user’s enterprise.
If the administrator has a limited scope, they can only assign lesser scopes to a tenant, except for the enterprise default scope. If the administrator has a limited scope and they are editing a user with a greater scope, then they can only change the scope to the enterprise default scope.
Manage scopes
The administrator cannot delete a scope if it is the default for an enterprise. The administrator cannot remove an enterprise from a scope if the scope is the default for an enterprise.
Scope hierarchies
Abiquo 4.0 introduces the hierarchy of scopes to enable administrators to share resources with tenants at lower levels without having them in their scope. All scopes except unlimited scopes can have a parent, which defines their position in the hierarchy.
A cloud administrator can create a hierarchy of scopes for sharing resources with lower levels. Alternatively, tenants may create enterprises that are automatically added to their scope and, as a result, also added to the hierarchy.
When creating a scope, an administrator with an unlimited scope can select a parent scope and create a hierarchy of different levels of scopes. When an administrator with a limited scope creates a scope, it can only be a lesser scope.
A user with a parent scope may share resources with enterprises (tenants) included in all the levels of child scopes of the parent scope. But the tenants in the child scope do not need to be included in the parent scope if the administrator does not need to manage these tenants (e.g. manage users, upload templates, and so on).
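The split between managing a tenant and sharing a resource with it can be checked with a small model when reviewing a scope design. This is an added example, not Abiquo code or its API: the `Scope` class, `can_manage` and `can_use_shared` are hypothetical names, the tenant names are constructed, and treating an unlimited scope as covering every tenant is an assumption.

```python
# Simplified model of the scope rules described on this page (not Abiquo code).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Scope:
    name: str
    enterprises: set = field(default_factory=set)
    unlimited: bool = False            # assumption: unlimited covers every tenant
    parent: Optional["Scope"] = None

    def __post_init__(self):
        # Page rule: all scopes except unlimited scopes can have a parent.
        if self.unlimited and self.parent is not None:
            raise ValueError(f"unlimited scope {self.name!r} cannot have a parent")


def ancestors(scope):
    """Yield the scope and each parent up the hierarchy, rejecting cycles."""
    seen = set()
    while scope is not None:
        if id(scope) in seen:
            raise ValueError("cycle in scope hierarchy")
        seen.add(id(scope))
        yield scope
        scope = scope.parent


def can_manage(admin_scope, enterprise):
    """Administration requires the tenant to be in the administrator's own scope."""
    return admin_scope.unlimited or enterprise in admin_scope.enterprises


def can_use_shared(resource_scope, enterprise, all_scopes):
    """A resource shared with a scope reaches tenants in it and in every child level."""
    return any(
        enterprise in s.enterprises and any(a is resource_scope for a in ancestors(s))
        for s in all_scopes
    )


# Constructed sample hierarchy: reseller -> customer -> department, plus an unrelated scope.
reseller = Scope("reseller", {"ResellerCo"})
customer = Scope("customer", {"CustomerA"}, parent=reseller)
department = Scope("department", {"CustomerA-Dev"}, parent=customer)
sibling = Scope("other-reseller", {"OtherCo"})
SCOPES = [reseller, customer, department, sibling]
```

In this model a template scoped to `reseller` is usable by `CustomerA-Dev` two levels down, while an administrator holding the `reseller` scope still cannot manage that tenant.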