Introduction to scopes

A scope is an access list, which is a list of resources (enterprises and/or datacenters) to allow or restrict access.

You can use scopes to:

1. Create restricted sets of resources for administrators and users

2. Share VM templates and configuration blueprints (VApp specs) with a group of tenants, which can be in a tenant hierarchy

3. Restrict an enterprise to a set of script templates

4. Create a tenant hierarchy for pricing, billing, and cost and usage aggregation, which is useful for resellers and large organizations

Administrators also control access to features and resources in the platform with privileges and allowed locations.

Display scopes

To display scopes, go to Users → Scopes.

By default, the display and filter of scopes in a scope hierarchy is By level.

When you click on a scope, the platform will display the Enterprises and Datacenters (including public cloud regions) that the scope allows.

To move up the hierarchy, click a higher level scope, or click the link to go Back to previous level.

To display all scopes as a list, without the hierarchy level tree:

1. Click the funnel filter button to open the filter options

2. Select Global and click Accept

The platform will now display a list of scopes and their parent scopes.

Create a scope

You can use scopes as access lists for users, enterprises, and/or resources. You can also use them to define tenant hierarchies for accounting and billing aggregation.

To create a scope do these steps:

1. Go to Users → Scopes

2. Click the + add button

3. For General info:

   1. For the Name, we recommend that you identify the tenant, resource, or user group that the scope will apply to

   2. To add the scope to a hierarchy, select a Parent scope.

   3. To specify attributes of an external system to define the user groups that this scope should apply to, enter External scopes. An example of an external scope could be an LDAP group for the user. This is for external authentication modes, such as openid and ldap. A user's external scopes must map to a single Abiquo scope (local or global). See LDAP and Active Directory Integration and Abiquo OpenID Connect Integration.

   4. To create a default list of network addresses from which users with this scope can access the platform, enter Allowed CIDRs. You can also set allowed CIDRs for a user role. A user will inherit the role and scope CIDRs. Any allowed CIDRs set directly for the user will have priority over these inherited allowed CIDRs.

      

4. For Entities:

   1. Select Enterprises to use in the scope.
      To automatically include all existing and future enterprises, select the option to Use all enterprises. We do not recommend this option if the parent scope is limited

      1. If you assign this scope to a user, then the user can manage resources in the list of enterprises selected

      2. If you assign this scope to a VM template or a VApp spec, then users can access the resources if they belong to the enterprises that are in the scope list (or if they belong to the owner enterprise)

      3. If you assign this scope to one or more script template/s, then users in the enterprises in this scope can only access the set of script templates with the scope selected

      4. An enterprise default scope is the default scope for users you create in the enterprise

   2. Select Datacenters (and public cloud regions) to include in the scope.
      To automatically include all existing and future datacenters, select the option to Use all datacenters. We do not recommend this option if the parent scope is limited

      1. If you assign this scope to a user, then the user can manage resources in the list of datacenters selected.

      2. Scopes for VM templates and VApp specs do not use the datacenters list

      3. Scopes for script templates do not use the datacenters list

      4. An enterprise default scope is the default scope for users you create in the enterprise

         

After you create a scope, you can assign it to a user, an enterprise, or a resource.

• See Manage users in the section Create a user

• See Manage resource scopes

Create a scope for a tenant and its users

Generally, a user should only be able to access their own tenant enterprise and its resources. The most basic scope is a single enterprise scope that contains the user's enterprise.

Another basic scope is for a key node enterprise with a group of enterprises below it. This could be a for an organization and its departments, and it could represent an AWS organization account, where you can add the AWS account for each department to a separate enterprise.

To create a basic scope and assign it to a tenant and the tenant's users:

1. Create a scope for the tenant

   1. On the General info tab, select a parent scope, for example, Global scope or a reseller scope

      

   2. In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) where the users will work.

      

2. Create the tenant enterprise and on the General tab for the Default scope select the tenant's scope.
   Abiquo will automatically add the enterprise to its Default scope

   

When an administrator creates users in the tenant, the platform will automatically suggest the tenant's enterprise scope for these users.

If you also assign this scope to an enterprise administrator in this tenant, they will be able to manage the tenant's users only.

Create a scope for an administrator

The default cloud administrator with the default Global Scope can manage all resources. To restrict the set of resources that an administrator can manage, create a scope and assign it to the administrator. An administrator (with privileges and allowed datacenters):

• Can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates for an enterprise in scope)

• Can manage enterprises and users of the enterprises that are in their scope.

To create a basic administrator scope:

1. Create a scope for the administrator

   1. On the General info tab, optionally select a parent scope, for example, the Global scope or a reseller scope

      

   2. Go to the Entities tab. In the Enterprises list, select the enterprises to administer

   3. In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) to administer

 For example, for a Managed Service Provider in Spain, with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:

• User scope for datacenters:

  • An administrator for Spain with a scope to access to all the Spanish datacenters

  • An administrator for Eastern Spain with a scope to access the datacenters in Barcelona and Valencia (the cities on the east coast of Spain)

• User scopes for enterprises:

  • An administrator for Spain may have a scope to access the top-level Spanish headquarters to manage its users and resources. This scope may be the parent of one or more scopes to group users for management and resource sharing

Notes:

• If enterprises are in a child scope, the administrator can share catalogue resources with them, even if they cannot administer their users.

Create a scope to share resources such as VM templates

The resources in the Catalogue include images (VM templates), blueprints (VApp specs), and VM bootstrap scripts (script templates).

You can create and maintain a group of core resources, and share them with many tenants.

To share a resource:

1. In your administrator roles, add the privilege to Allow user to switch enterprises.

2. In your administrator user scopes or their scope hierarchies, add the tenants that will access the resources, and the locations of the resources

3. You can use an scope, such as a reseller scope with a hierarchy, or you can create a new scope to share resources with a group of tenants. In this scope, in the Enterprises list, select enterprises to give them access to the resource.

   • To share resources with ALL current and future tenants, use the default Global scope or create an unlimited enterprise scope

4. Log in to the enterprise that owns the resources

   • To modify VM templates or script templates, the administrator must be in the enterprise that created the resource

   • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec.

5. Edit the resource and go to Scopes

6. Select the scopes that contain tenants who will use the resources.

Notes:

• You can share resources with your own scope and child scopes of your scope

• Each tenant can belong to more than one scope

• Each scope can have one parent scope only

• The platform will only consider the enterprises in the resource scopes, not the locations.

Assign scopes to create a reseller hierarchy

You can use a reseller hierarchy for billing, pricing, and to manage and aggregate your cloud costs and usage. To create a reseller hierarchy, assign scopes to reseller, key node, and reseller customer tenants. 

• Reseller: A reseller enterprise in the hierarchy can use partner or reseller credentials for public cloud (and create accounts and users for customers) and manage billing and pricing for their hierarchy. 

• Key node: A key node is the main enterprise for an organization, such as a head office. A key node enterprise can obtain aggregate billing and usage data for their hierarchy.

To define the hierarchy levels, use the Default scopes of the reseller, key node, and reseller customer enterprises.   

1. Go to Users → Enterprises

2. For the reseller and key node enterprises, create a scope

   1. Select an appropriate Parent scope, for example

      1. For a reseller, select the Global scope or no parent scope

      2. For a key node, select the reseller's Default scope as the parent scope

      3. For a sub-enterprise of a key node, such as a Department, select the key node's Default scope as the parent scope

3. Create or edit an enterprise to make it a Reseller or Key node enterprise

4. Set the appropriate scope as the Default scope for the enterprise. Abiquo will automatically add the enterprise to its Default scope

   • Note that if you change the default scope of an enterprise, Abiquo will not remove the enterprise from its previous scope

Administrators can share VM templates and VApp specs with users in scopes beneath their own Default scope in a hierarchy. Note that it is not mandatory to use resellers and key nodes in a cloud tenant hierarchy.

• Basic scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and Central Spain and Southern Spain and then their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization but they can share templates and VApp specs with tenants in the scopes at all levels of the hierarchy.

  

Search and filter scopes

To filter scopes, enter filter text in the search filter box.

To search for scopes that contain a specific enterprise, click the funnel filter button to open the scope filter dialog and select the Enterprise.

To search for scopes at all levels, select the Global search checkbox.

Modify a scope

Notes about modifying scopes:

• You cannot remove an enterprise from a scope that is using shared templates with that scope

• You cannot modify the default Global scope

• You cannot modify your own scope

• In a scope hierarchy, there can only be one reseller and one key node in the scope that defines the hierarchy, which is each enterprise's default scope.

Pricing scopes

When a user creates a pricing model, the platform assigns the user's scope that applies to enterprises. Only users with the same enterprise scope can manage the pricing model. All users with pricing privileges can view the pricing model of their own enterprise. You cannot change the pricing scope or display it in the UI.

Manage scopes with the API

Related pages

• Manage cloud tenants: Manage enterprises

• Create roles with privileges to control access to platform actions: Manage roles

• Manage users