Introduction to roles
Each cloud user has a role to define how they can work with resources. Each user role has a set of privileges to allow access to different cloud features.There are four default user roles in the system: Cloud administrator, Enterprise administrator, User, and Enterprise viewer. See Default roles. You can clone the default roles and modify them to create your own roles.
The Privileges page lists all the privileges and shows the default roles that they belong to.
The default roles are global roles so they are available to all enterprises but it is also possible to create a role that belongs to a single enterprise.
To access and manage a user role, your role must have the same privileges or more privileges than the user role. You CANNOT access roles with any privileges that are not in your role.
When you select new privileges to activate new features, select the privileges for ALL of your roles, so that your reseller and tenant administrators can continue to manage user roles
Privileges are generally independent. For example, if your user role does not have the Access Infrastructure view
privilege, the UI will not display the Infrastructure icon. But if your role has the Manage datacenters
and View datacenter details
privileges, you can use the API to access the datacenter infrastructure that you cannot access in the UI.
You can specify directory groups for user roles. When users log in, the platform will automatically create users and assign the matching roles to them. You can use LDAP, Active Directory, OpenID Connect, and SAML.
In addition to user roles, each user also has an administration scope to define the resources that a user can view, access, and administer. See Manage scopes. And each user's enterprise has a list of allowed datacenters and public cloud regions that users can work in.
For details of the Abiquo concepts of enterprises and users, see Tenants and users in the Abiquo Walkthrough.
For information about creating a reseller, see https://abiquo.atlassian.net/wiki/spaces/doc/pages/311361611/Abiquo+cloud+reseller+guide#Create-resellers.
For information about creating a tenant administrator, see Create a tenant administrator user.
Display roles
Privileges: Access Roles and Scope screens
To display roles, go to Users → Roles. By default, you will see the Global roles for all enterprises (and they have (Global)
after the name.
To display the enterprise roles for a specific enterprise, select the enterprise.
Create or modify a role
Abiquo provides a set of default roles and you can clone and modify them to create new roles. See Default roles. For a list of the privileges for each role, see Privileges.Privileges: Access Roles and Scope screens, Manage roles, Manage global role
A user can only have one role, but a role can be associated with multiple OpenID, AD, or LDAP groups.
When you clone a role, by default the new role will have Copy:
as a prefix to its name, for example, Copy: CLOUD_ADMIN
.
To create or modify a role:
Go to Users → Roles
To clone a role, click the duplicate clone button. Select the cloned role and click the pencil edit button
To create a new role, click the + add button
Complete the dialog.
Enter the Name of the role. The names of global roles must be unique
To create a local role, select the Enterprise that the role will belong to
To create a global role, select the Make this role global checkbox
Optionally, to create a list of network addresses from which users with this role can access the platform, enter Allowed CIDRs.
The CIDRs from a user’s role and scope will apply to the user but the allowed CIDRs of the user will have the highest priority.Enter the corresponding External roles, such as the LDAP group, for the user. This is required in external authentication modes (
openid
,ldap
).
A user's external roles must map to a single role (local or global).
See LDAP and Active Directory integration and Abiquo OpenID Connect integration .
You can also set external scopes.Examples of external roles for LDAP:
ldap_group_01
ldap_group_02
Example for OpenID:
id=admins,ou=group,o=qa,ou=services,dc=openam,dc=forgerock,dc=org
After you create or clone a role, select the role name in the list and edit the privileges as required, then click Save.
Modify the privileges of a role
To modify the privileges of a user role:
Privileges: Manage privileges
Go to Users → Roles
For a local role, select the enterprise that the role belongs to
From the Roles list select the role
In the Privileges pane, select or deselect the privileges
To add or remove groups of privileges, click the All privileges checkbox beside the group name
You cannot undo, but you can discard the changes
Save the changes by clicking Save
The platform will discard your changes if you do an action outside of the Privileges pane, for example, clicking on a another role name
Role troubleshooting and tips
Roles
The default CLOUD_ADMIN role has all privileges and is locked
You can access roles with ALL the same privileges or fewer privileges than your own role
You CANNOT access roles with any privileges that are not in your role
You cannot modify your own role.
Privileges
You can only select or deselect privileges that are in your own role
Privileges are generally independent.
For example, for a user with a role without theAccess Infrastructure view
privilege, the Infrastructure icon does not display in the UI. However, if this user's role has the privileges toManage datacenters
andView datacenter details
, the user will be able to access these functions through the API
Manage roles with the API
API Documentation
For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource RolesResource.
Privileges table
See Privileges
Related pages
Manage cloud tenants: Manage enterprises
Create action lists for users: Manage scopes