You are viewing an old version of this page. View the current version.


In Abiquo, user scopes are administrator access lists. Scopes control the cloud locations (datacenters and public cloud regions) and tenants (Abiquo enterprises) that an administrator can manage. A scope assigned to a resource also allows the tenants in that scope to access the resource, so administrators can use resource scopes to share virtual machine templates and virtual appliance spec blueprints. Abiquo 4.0 introduces user scopes and scope hierarchies.

User scopes

In Abiquo 4.0, administrators assign scopes to users, instead of to roles as in previous versions. During the upgrade, Abiquo will assign role scopes to users with that role. In previous versions, the default scope for all roles was the global scope.

To make it easier to create multiple users with the same scope, Abiquo tenants now have a default scope. When you create an enterprise, no previously created scope can contain that enterprise. Abiquo handles this by adding the new enterprise to the administrator’s scope and assigning that scope as the default for the enterprise. The administrator can later edit the enterprise and change the default scope, depending on their own scope.


In the dialog to create a user, Abiquo displays the enterprise default scope as the first element in the dropdown list. An administrator with the privilege to manage all enterprises and an unlimited scope (global or all enterprises) can assign any scope, whereas one with a limited scope can assign lower scopes (child scopes of their scope) or the enterprise default scope. A user without the privilege to manage all enterprises can assign their own scope or the enterprise default scope.

The administrator with scope privileges can view their own scope, and view and manage the child scopes beneath their scope in the scope hierarchy. The administrator cannot delete a scope if it is the default for an enterprise. 

Scope hierarchies

Abiquo 4.0 introduces a hierarchy of scopes so that administrators can share resources with tenants at lower levels without having those tenants in their scope. All scopes except unlimited scopes can have a parent, which defines their position in the hierarchy.

So for example, the following diagram shows a scope hierarchy. Administrators create this hierarchy by assigning a parent to each scope. The unlimited global scope is the root parent scope.

Because this is a multinational MSP, the national scopes include all the resellers in each of the national units. The national administrators will manage the national reseller users.

Each reseller will have a scope to include their enterprise customers, and each enterprise will have one for their own tenants, which may be business units, or departments, such as the development team and the web team. The users of these teams can be managed by the administrator with a global scope, for example, with automatic user creation. Or they can be managed by the IT team of the enterprise tenant, because they are within their scope.

Administrators can also create scopes for resource sharing, for example, when templates of a particular type are used by a specific tenant type, such as web teams. In the following diagram, an administrator with scope privileges has created the Web scope, which is a list of web team tenants, and they can assign it to web templates to easily share them with all of the web teams in their hierarchy. There can be multiple branches of the hierarchy and a user can access all branches below their scope.

An administrator with scope privileges can create a hierarchy by assigning a parent scope to any scope except an unlimited scope (Global scope or Use all enterprises or Use all datacenters scope). 
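The parent rule above and the scope-assignment rules from the user creation dialog can be checked against a small model. This is an added example, not Abiquo code or its API: the `Scope` class, the function names and the sample scope names are hypothetical, and it assumes that "child scopes" means every scope below the administrator's scope in the hierarchy.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)  # compare scopes by identity, not by field values
class Scope:
    name: str
    unlimited: bool = False          # global / "all enterprises" style scope
    parent: Optional["Scope"] = None
    children: list = field(default_factory=list)

    def set_parent(self, parent: "Scope") -> None:
        # Unlimited scopes cannot have a parent; also refuse cycles (assumption).
        if self.unlimited:
            raise ValueError(f"{self.name}: unlimited scopes cannot have a parent")
        if parent is self or parent in self.descendants():
            raise ValueError(f"{self.name}: parent would create a cycle")
        if self.parent is not None:
            self.parent.children.remove(self)
        self.parent = parent
        parent.children.append(self)

    def descendants(self) -> list:
        out = []
        for child in self.children:
            out.append(child)
            out.extend(child.descendants())
        return out

def assignable_scopes(admin_scope, manage_all_enterprises, enterprise_default, all_scopes):
    """Scopes an administrator may give a new user, enterprise default first."""
    if not manage_all_enterprises:
        allowed = [admin_scope]               # own scope (or the default)
    elif admin_scope.unlimited:
        allowed = list(all_scopes)            # any scope
    else:
        allowed = admin_scope.descendants()   # lower scopes only
    return [enterprise_default] + [s for s in allowed if s is not enterprise_default]

def build_sample():
    # Constructed hierarchy following the page's MSP example; names are invented.
    g = Scope("Global", unlimited=True)
    s = {n: Scope(n) for n in ("Spain", "Reseller A", "Customer 1", "UK")}
    s["Spain"].set_parent(g)
    s["UK"].set_parent(g)
    s["Reseller A"].set_parent(s["Spain"])
    s["Customer 1"].set_parent(s["Reseller A"])
    return g, s
```
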

An administrator with the “Allow user to switch enterprises” privilege can view their own scope and manage child scopes beneath their own scope. When an administrator creates a new tenant, this tenant is automatically added to the administrator’s scope, so it is also part of the existing hierarchy. Later a higher-level administrator can move this tenant to another scope in a different part of the hierarchy.

It is important to remember that an administrator can belong to an enterprise that is not included in their administration scope. This means that, generally, they cannot manage their own enterprise to add new users, manage credentials, and so on. But administrators can always access the Apps library of their own enterprise without having the enterprise in scope. This access depends on the appropriate privileges, allowed datacenters, and datacenter scope. From the Apps library, administrators can also share resources with enterprises in their child scopes if they have the “Allow user to switch enterprises” privilege.

The following screenshot shows an administrator that can manage two national resellers.

These resellers have customers, which have departments, but this administrator cannot manage them. However, the national administrator can share templates with tenants at lower levels in the scope hierarchy.

 

 
