View Source

Now administrators assign scopes to Abiquo users. In previous versions, administrators assigned scopes to Abiquo roles and the global scope was the default
- During the upgrade process to version 4.0, Abiquo assigns role scopes to users
All enterprises must now have a default scope for creating users
Administrators can now create optional hierarchies of scopes and share resources, such as templates and specs, with tenants at lower levels of their hierarchies

Scope concepts

An Abiquo scope is a list of resources (enterprises and/or datacenters) for access control.

A "user scope" or an "administration scope" defines the list of resources (datacenters and enterprises) that a user can view and manage. A scope works together with the user's privileges and allowed datacenters, which define how they can use resources. So this means that an administrator can deploy VMs in any of the datacenters that the user's enterprise is allowed to use (Edit Enterprise, Allowed Datacenters), even if the user's scope does not include them.

A "resource scope" defines a list of enterprises whose users can access a resource, assuming they have the other required permissions. Examples of resources that can have scopes are a VM template or a VApp spec. An administrator can share resources by selecting scopes for the resource, which can be their own scope and child scopes of their scope in a hierarchy.

The following screenshot shows a scope called NationalBRegCandD with three enterprises, and a child scope.

The Global scope is the default scope for the cloud administrator that contains all elements and it cannot be modified. If you display the default scope, the resource columns are empty because it always includes all resources, so no resources are displayed.

An unlimited scope is any one of the following scopes:

The global scope
Any scope with the Use all enterprises checkbox selected, which will include ALL current and future enterprises
Any scope with the Use all datacenters checkbox selected, which will include ALL current and future datacenters

An unlimited scope is always at the top of the scope hierarchy, which means it cannot have a parent scope. An unlimited scope has new resources added automatically, so you will not need to modify it to include new elements. To create an unlimited scope for enterprises and/or datacenters, your user must have the appropriate unlimited scope.

You can create a scope hierarchy for sharing resources to tenants that are below an administrator's own scope in a hierarchy. So administrators can share VM templates and VApp specs with tenants in child scopes of their scope, but administrators manage only the tenants within their own scope.

Scope use cases

A global managed service provider could create a scope for country or region. For example, in Spain, with datacenters in Madrid, Barcelona, Valencia and Seville.

User scope for datacenters: An administrator for Spain would have access to all these datacenters, but the administrator for Eastern Spain would only have access to Barcelona and Valencia, which are on the east coast.
User scopes for enterprises: The administrator for Spain may have scope for Spain that only includes the top-level Spanish national organization to manage its users and resources.
Scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and Central and Southern Spain and then their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization but they can share templates and specs with tenants in the scopes at all levels of the hierarchy.

Diagram: an example of a scope hierarchy

Managing Scopes

Privilege: Manage scopes, Allow user to switch enterprises

From the Users view, if you have permission to Manage scopes and the Allow user to switch enterprises privilege, you can access the Scopes tab and manage scopes.

Create or Modify a Scope

Click the add button to create a new scope.

Enter the scope name
To create a scope hierarchy, if you are creating a limited scope, optionally select a parent scope
To create an unlimited scope for enterprises or datacenters, mark the appropriate checkboxes.
- Use all enterprises will automatically include all enterprises in the current scope and add all new enterprises
- Use all datacenters will automatically include all datacenters in the current scope and add all new datacenters
To create a limited scope, select enterprises and datacenters to include in the scope

For a user scope, in the Enterprises and Datacenters columns, select the resources the scope will allow a user to access and administer.
For a resource scope for sharing resources, such as templates and specs, select the enterprises whose users will be able to access the resources. Remember that some resources may have more than one scope.

Screenshot: an unlimited enterprises and datacenters scope.

To change an unlimited scope to a limited scope, first unselect the Select all checkbox, then select individual resources. You cannot remove an enterprise from a scope that is using shared templates with that scope. You cannot modify the default Global scope. You cannot modify your own scope. After you create or modify a scope, you can assign it to a user or a resource.

Delete a scope

You cannot delete the default Global scope. You cannot delete your own scope. You cannot delete a scope if it is in use in certain circumstances, for example, if it is the default for an enterprise, or it is assigned to a shared template that is in use by an enterprise. To delete a scope, select it in the list and click the delete button.

Related pages

Manage cloud tenants: Manage Enterprises
Create roles with privileges to control access to platform actions: Manage Roles
Manage Users