In Abiquo, user scopes are administrator access lists. Scopes control the cloud locations (datacenters and public cloud regions) and tenants (Abiquo enterprises) that an administrator can manage. A scope can also be assigned to a resource, which lets the tenants in that scope access the resource. Administrators use these resource scopes to share virtual machine templates and virtual appliance spec blueprints. Abiquo 4.0 introduces user scopes and scope hierarchies.
User scopes
In Abiquo 4.0, administrators assign scopes to users, instead of to roles as in previous versions. During the upgrade, Abiquo will assign role scopes to users with that role. In previous versions, the default scope for all roles was the global scope, but now the administrator must supply a scope for each user.
To make it easier to create multiple users with the same scope, Abiquo tenants will now have a default scope. When you create an enterprise it is impossible to have previously created a scope containing that enterprise. So Abiquo manages this situation by adding a new enterprise to the administrator’s scope and assigning that scope as the default for the enterprise. The administrator can later edit the enterprise and change the default scope depending on their own scope.
In the dialog to create a user, Abiquo displays the enterprise’s default scope as the first element in the dropdown list. An administrator with a global scope can assign any scope. Another administrator can assign their own scope, the enterprise’s default scope, or a lower scope in their hierarchy.
The administrator cannot delete a scope if it is the default for an enterprise.
Scope hierarchies
Abiquo 4.0 also introduces scope hierarchies that enable administrators to share resources (such as VM templates and VApp specs) to tenants in scopes that are beneath their scopes in the hierarchy, but to manage only the tenants within their own scope.
The concept of the scope hierarchy is flexible and its implementation is optional, because you can just create a single level with all scopes under the global scope. Also an enterprise can belong to more than one scope, which means that an administrator could create an enterprise hierarchy and then another scope for sharing templates of a specific type only with a group of tenants that will use that template.
How do I create a scope hierarchy?
An administrator with scope permissions and the “Allow user to switch enterprises” privilege can create a hierarchy by assigning a parent scope to any scope except an unlimited scope. (An unlimited scope is the Global scope or a Use all enterprises or Use all datacenters scope.)
What happens when I create an enterprise?
When an administrator creates a new tenant, the administrator must set a default scope for the tenant. And the new tenant is automatically added to the administrator’s scope, so it becomes part of the existing hierarchy. Administrators can also assign this tenant to scopes they can access. If there is a higher-level administrator, they can remove this tenant from the creating administrator's scope.
Does an administrator need to have their own enterprise in scope?
An administrator can belong to an enterprise that is not included in their own scope, which means that they cannot manage some elements of this enterprise. But an administrator will usually have access to the Apps library, which is determined by their Apps library privileges, allowed datacenters, and datacenter scope. To share resources, such as VM templates and VApp specs, with enterprises in their child scopes, an administrator will need the “Allow user to switch enterprises” privilege.
Which users can access shared resources?
As in previous versions, all users whose enterprises are listed in the resource scopes can access a shared resource, such as a VM template or VApp spec.
Which administrators can manage shared resources?
To manage shared resources, users must have the following:
- Feature privileges (e.g. Manage virtual appliance specs, Manage VM templates in the Apps library)
- Allow user to switch enterprise privilege
- Full datacenter access (Allowed datacenter and Datacenter scope)
- For virtual appliance specs, users must be logged in to the spec enterprise
Is there any difference between administrator resource access?
All administrators that can access a shared resource with the appropriate privileges can edit that resource in the same way. The only difference between users with a higher or lower scope is the number of scopes they can select from. If a user with a lower scope modifies scopes, this will not affect any higher scopes that are assigned to the template.
What default access will tenant administrators have?
By default, tenant administrators do not have the Allow user to switch enterprises privilege. This means that they can only work with local resources in their own enterprise and Abiquo will not display the Scopes tab when they edit a template or spec.
Which scopes can an administrator assign or unassign from shared resources?
An administrator can manage the following scopes:
- Own scope
- Enterprise default scope
- Child scopes beneath their scope in the hierarchy
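The following is an added illustrative model of the rules above (hierarchy creation, which scopes an administrator can manage, and how a lower-scope administrator's changes leave higher scopes on a template intact). It is not Abiquo's own code or API; the Scope and Admin classes and the helper functions are assumptions made for this example.

```python
# Constructed model of the scope rules described on this page; not Abiquo code.
from dataclasses import dataclass


@dataclass
class Scope:
    name: str
    parent: "Scope | None" = None
    unlimited: bool = False  # Global, Use all enterprises, Use all datacenters


def set_parent(child: Scope, parent: Scope) -> None:
    # Only limited scopes may be placed beneath a parent in the hierarchy.
    if child.unlimited:
        raise ValueError(f"{child.name} is unlimited and cannot have a parent")
    child.parent = parent


def descendants(scope: Scope, all_scopes: list) -> set:
    # Names of every scope whose parent chain reaches `scope`.
    found = set()
    for s in all_scopes:
        p = s.parent
        while p is not None:
            if p is scope:
                found.add(s.name)
                break
            p = p.parent
    return found


@dataclass
class Admin:
    scope: Scope
    enterprise_default_scope: Scope
    can_switch_enterprises: bool = True


def manageable_scopes(admin: Admin, all_scopes: list) -> set:
    # Own scope, the enterprise default scope, and child scopes below own scope.
    if not admin.can_switch_enterprises:
        return set()  # no Scopes tab: only local resources in own enterprise
    return ({admin.scope.name, admin.enterprise_default_scope.name}
            | descendants(admin.scope, all_scopes))


def update_template_scopes(admin: Admin, current: set, wanted: set, all_scopes: list) -> set:
    # The admin may only add or remove scopes they manage; any higher scopes
    # already assigned to the template are preserved unchanged.
    allowed = manageable_scopes(admin, all_scopes)
    if not wanted <= allowed:
        raise PermissionError(f"cannot assign scopes {wanted - allowed}")
    return (current - allowed) | wanted
```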
The following diagram shows an example of a scope hierarchy.
The following screenshot shows an administrator that can manage two national resellers.
These resellers have customers with their own departments. The administrator does not manage the resellers' users, but does share templates with them.