Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 74 Next »

Manage scopes page


Changes to scopes from Abiquo 4.0

  • Now administrators assign scopes to Abiquo users. In previous versions, administrators assigned scopes to Abiquo roles and the global scope was the default
    • During the upgrade process to version 4.0, Abiquo assigns role scopes to users
  • All enterprises must now have a default scope for creating users
  • Administrators can now create optional hierarchies of scopes and share resources, such as templates and specs, with tenants at lower levels of their hierarchies

Scope concepts

Scope is an access list that contains a list of resources (enterprises and/or datacenters) to allow access.

You can use scopes to:

  1. Create restricted sets of resources for administrators
  2. Share resources with a group of tenants and an optional tenant hierarchy
  3. Create a tenant hierarchy for pricing, billing, and cost and usage aggregation, which is useful for resellers and large organizations



Create a scope

Unable to render {include} The included page could not be found.



Assign scopes

You can assign a scope to one or more entities to restrict access, share resources, or to create a hierarchy, as described here.


To restrict administrator access to resources, assign a scope to the administrator's user account:

  • The administrator can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates). An administrator can manage enterprises and users of the enterprises that are in their scope.

    Troubleshooting and Tips

    • The user must also have the other required permissions (privileges and allowed datacenters). 
    • A user can work in allowed datacenters (e.g. create virtual datacenters, deploy), even if the datacenters are not in their scope.
 Click here to expand...

For example, a Managed Service Provider in Spain, with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:

  • User scope for datacenters:
    • An administrator for "Spain" with a scope to access to all the Spanish datacenters
    • An administrator for "Eastern Spain" with a scope to access Barcelona and Valencia (on the east coast of Spain)
  • User scopes for enterprises:
    • An administrator for Spain may have a scope to access the top-level "Spanish HQ" to manage its users and resources. This scope may be the parent of one or more scopes to group users for management and resource sharing


To share resources (templates, VApp specs) to users of other enterprises, assign one or more scopes to the resource:

  1. The scopes contain the enterprises that can access the resource
    1. The user can also select child scopes to share resources to their users

The users of the enterprises listed in the scopes can access the resource, if they have the other required permissions

Troubleshooting and Tips

  • If there is a hierarchy, administrators can share VM templates and VApp specs with users in scopes beneath their own scope
  • Administrators cannot manage the enterprises that are not directly in their user scope
  • You can assign a user's scope to resources to share the resources with the enterprises in the scope. The platform will only consider the enterprises in the scope, not the locations
  • The platform will only check if a user's enterprise is in a resource's scope. It will not consider the user's scope to determine if they can access a resource
  • Examples of other access limitations:
    • To modify VM templates, the administrator must be in the enterprise that created the template
    • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec


To create a reseller hierarchy, assign the scope to an enterprise as its default scope:

  1. The parent scopes define the hierarchy levels
  2.  Each scope can have one reseller and/or one key node

The resellers and key nodes are for management and aggregation of costs and usage. Administrators can share VM templates and VApp specs with users in scopes beneath their own scope. 

  • Scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and Central and Southern Spain and then their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization but they can share templates and Vapp specs with tenants in the scopes at all levels of the hierarchy.
  • Reseller: A reseller enterprise in the hierarchy can use partner or reseller credentials for public cloud and manage billing and pricing for their hierarchy. 

  • Key node: A key node enterprise can obtain aggregate billing and usage data for their hierarchy

  • Scope hierarchy diagram:

     Click here to show/hide the diagram


Manage scopes with the API



Related pages

  • No labels

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved