Changes to scopes in Abiquo 4.0

  • In Abiquo 4.0 administrators assign scopes to Abiquo users. In previous versions, administrators assigned scopes to Abiquo roles and the global scope was the default
    • During the upgrade process, Abiquo assigns role scopes to users
  • All enterprises must now have a default scope for creating users
  • Administrators can now create optional hierarchies of scopes and share resources, such as templates and specs, with tenants at lower levels of their hierarchies

Scope concepts

An Abiquo scope is a list of resources (enterprises and/or datacenters) for access control. You can add an enterprise or a datacenter to multiple scopes. You can assign one scope to a user and multiple scopes to a resource. Any one scope can be assigned to both a user and a resource. 

When a scope is assigned to a user, it is called a "user scope" or an "administration scope". A user scope defines the list of resources (datacenters and enterprises) that a user can view and manage, in conjunction with their privileges and allowed datacenters. In contrast, the privileges assigned to a user's role define how the user can work with resources, for example, as a user or administrator. This means that an administrator can deploy virtual machines in any of the datacenters that the user's enterprise is allowed to use (Edit Enterprise, Allowed Datacenters), even if the user's administration scope does not include these datacenters.

When a scope is assigned to a resource, it is called a "resource scope". A resource scope is used to share a resource. The users of the enterprises listed in the scopes can access the resource, assuming they have the other required permissions. Examples of resources that can have scopes are a VM template or a VApp spec. An administrator shares a resource by selecting a scope, for example, their own scope or a child scope beneath their scope in a hierarchy.

The following screenshot shows a scope called NationalBRegCandD with three enterprises, and a child scope. 

The Global scope is the default scope that contains all elements and it cannot be modified. This scope is assigned to the default admin user (with the CLOUD_ADMIN role). If you select the default scope from the Scopes list, the resource columns are empty. This is because it includes all resources, so no resources are displayed. 

An unlimited scope is any one of the following scopes:

  • The global scope
  • Any scope with the Use all enterprises checkbox selected, which will include ALL current and future enterprises
  • Any scope with the Use all datacenters checkbox selected, which will include ALL current and future datacenters

An unlimited scope is always at the top of the scope hierarchy, which means it cannot have a parent scope. An unlimited scope has new resources added automatically, so you will not need to modify it to include new enterprises or datacenters. To create an unlimited scope for enterprises and/or datacenters, you must be logged in as a user with a corresponding unlimited scope.

You can create a scope hierarchy to share resources with related tenants without the administrator needing to have all of these related tenants in their own scope. Administrators can share VM templates and VApp specs with tenants in child scopes beneath their own scope, but they manage only the tenants within their own scope.

Scope use cases

A global managed service provider could create a scope for a country or region. For example, a scope for Spain, with datacenters in Madrid, Barcelona, Valencia and Seville.

  • User scope for datacenters: An administrator for Spain would have access to all these datacenters, but the administrator for Eastern Spain would only have access to Barcelona and Valencia, which are on the east coast.
  • User scopes for enterprises: The administrator for Spain may have a scope for Spain that only includes the top-level Spanish national organization, to manage its users and resources.
  • Scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and Central and Southern Spain and then their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization but they can share templates and specs with tenants in the scopes at all levels of the hierarchy.
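The manage-versus-share distinction in this use case, as an added example: a simplified Python model written for this page, not Abiquo code or its API. The class, the function names and the enterprise names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(eq=False)
class Scope:
    name: str
    enterprises: frozenset = frozenset()
    datacenters: frozenset = frozenset()
    all_enterprises: bool = False   # models the "Use all enterprises" checkbox
    all_datacenters: bool = False   # models the "Use all datacenters" checkbox
    parent: Optional["Scope"] = None

    def __post_init__(self):
        # An unlimited scope is always at the top of the hierarchy.
        if (self.all_enterprises or self.all_datacenters) and self.parent is not None:
            raise ValueError(f"unlimited scope {self.name!r} cannot have a parent")

    def covers_enterprise(self, ent):
        return self.all_enterprises or ent in self.enterprises
    def covers_datacenter(self, dc):
        return self.all_datacenters or dc in self.datacenters

    def is_under(self, other):
        """True if this scope is `other` or lies beneath it in the hierarchy."""
        s = self
        while s is not None and s is not other:
            s = s.parent
        return s is other

def can_manage(user_scope, enterprise):
    """User scope: only enterprises listed in the user's own scope, not child scopes."""
    return user_scope.covers_enterprise(enterprise)

def share_targets(admin_scope, scopes):
    """Scopes an administrator can pick when sharing: own scope and all descendants."""
    return [s for s in scopes if s.is_under(admin_scope)]

def can_use_shared(resource_scopes, enterprise):
    """Resource scope: access if any attached scope lists the enterprise
    (the other required permissions are not modelled)."""
    return any(s.covers_enterprise(enterprise) for s in resource_scopes)

def shared_but_unmanaged(admin_scope, scopes):
    """Enterprises the administrator can share with but cannot administer."""
    reach = set().union(*(s.enterprises for s in share_targets(admin_scope, scopes)))
    return sorted(e for e in reach if not can_manage(admin_scope, e))

# Constructed sample following the Spain use case; enterprise names are made up.
f = frozenset
SPAIN = Scope("Spain", f({"ES National"}), f({"Madrid", "Barcelona", "Valencia", "Seville"}))
EAST = Scope("Eastern Spain", f({"ES East"}), f({"Barcelona", "Valencia"}), parent=SPAIN)
CUSTOMERS = Scope("East customers", f({"Customer A", "Customer B"}), parent=EAST)
ALL_SCOPES = [SPAIN, EAST, CUSTOMERS]
```

When reviewing scope assignments, the output of shared_but_unmanaged is the set of tenants that receive an administrator's templates and specs without being under that administrator's management.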

Diagram: an example of a scope hierarchy

Managing Scopes

Privilege: Manage scopes, Allow user to switch enterprises

From the Users view, if you have permission to Manage scopes and the Allow user to switch enterprises privilege, you can access the Scopes tab and manage scopes. 

Create or Modify a Scope

Click the add button to create a new scope.

  1. Enter the scope name
  2. If you are creating a limited scope, optionally select a parent scope to create a scope hierarchy
  3. To create an unlimited scope for enterprises or datacenters, mark the appropriate checkboxes.
    • Use all enterprises will automatically include all enterprises in the current scope and add all new enterprises
    • Use all datacenters will automatically include all datacenters in the current scope and add all new datacenters
  4. To create a limited scope, select enterprises and datacenters to include in the scope
    1. For a user scope, in the Enterprises and Datacenters columns, select the resources the scope will allow a user to access and administer.
    2. For a resource scope for sharing resources, such as templates and specs, select the enterprises whose users will be able to access the resources. Remember that some resources may have more than one scope. 

Screenshot: an unlimited enterprises and datacenters scope.


To change an unlimited scope to a limited scope, first unselect the Select all checkbox, then select individual resources. 
You cannot remove an enterprise from a scope that is using shared templates with that scope. You cannot modify the default Global scope. You cannot modify your own scope. After you create or modify a scope, you can assign it to a user or a resource.

Delete a scope

You cannot delete the default Global scope. You cannot delete your own scope. You cannot delete a scope if it is in use in certain circumstances, for example, if it is the default for an enterprise, or it is assigned to a shared template that is in use by an enterprise. To delete a scope, select it in the list and click the delete button.