Manage Scopes

Scopes are access lists for users, enterprises, and/or resources. They can also define hierarchies for accounting and billing aggregation.

To create a scope do these steps:

1. Go to Users → Scopes
2. Click the + add button
3. Enter the details as described in the following table

For more details see GUI Create scope

After you create a scope, you can assign it to a user, an enterprise, or a resource.

Generally, a user should only be able to access their own tenant enterprise and its resources. The most basic scope is a single enterprise scope that contains the user's enterprise.

To create a basic scope and assign it to a tenant and the tenant's users:

1. Create the tenant enterprise. 
   1. On the General tab, for the Default scope, select Global scope
2. Create a scope for the tenant
   1. On the General info tab, select a parent scope, for example, the Global scope or a reseller scope
      
   2. Go to the Entities tab. In the Enterprises list, select the tenant enterprise
   3. In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) where the users will work
      
3. Edit the tenant enterprise and on the General tab for the Default scope select the tenant's scope
   

When an administrator creates users in the tenant, the platform will automatically suggest the tenant's enterprise scope for these users.

If you also assign this scope to an enterprise administrator in this tenant, they will be able to manage the tenant's users only.

The default cloud administrator with the default Global Scope can manage all resources. To restrict the set of resources that an administrator can manage, create a scope and assign it to the administrator. An administrator (with privileges and allowed datacenters):

• can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates for an enterprise in scope)
• can manage enterprises and users of the enterprises that are in their scope

To create a basic administrator scope:

1. Create a scope for the administrator
   1. On the General info tab, optionally select a parent scope, for example, the Global scope or a reseller scope
      
   2. Go to the Entities tab. In the Enterprises list, select the enterprises to administer
   3. In the Datacenters list, select the appropriate locations (datacenters and public cloud regions) to administer
      
      

 For example, for a Managed Service Provider in Spain, with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:

• User scope for datacenters:
  • An administrator for "Spain" with a scope to access to all the Spanish datacenters
  • An administrator for "Eastern Spain" with a scope to access the datacenters in Barcelona and Valencia (the cities on the east coast of Spain)
• User scopes for enterprises:
  • An administrator for Spain may have a scope to access the top-level "Spanish HQ" to manage its users and resources. This scope may be the parent of one or more scopes to group users for management and resource sharing

Notes:

• If allowed datacenters are not in scope, the administrator can work in them as a regular user (e.g. create virtual datacenters, deploy VMs) 
• If enterprises are in a child scope, the administrator can share catalog resources with them

The resources in the Catalog (Apps library) include images (VM templates) and blueprints (VApp specs).

You may wish to create and maintain a group of core resources and share these with many tenants.

To share a catalog resource:

1. Create administrator roles with the appropriate privileges to manage the resources
   • To share resources, an administrator must also be able to switch enterprises
2. Define and create scopes as required
   
   • The resource scopes should contain the enterprises that will access the resource
     • The platform allows the user to work with a resource if the user is in a tenant enterprise in the resource's scopes. The platform does not check the user's scope
   • To share resources with ALL current and future tenants, use the default Global scope or create an unlimited enterprise scope
   • To allow an administrator to share resources and manage the tenants, add the tenants to the administrator's scope
   • To allow an administrator to share resources without access to the tenants, add the tenants to one or more scopes, and make the administrator's scope the parent scope
     
3. Log in to the enterprise that owns the resources
   • To modify VM templates, the administrator must be in the enterprise that created the template
   • To create a new version of a VApp spec, the user must work with a VApp created from the spec in the enterprise that created the spec
4. Edit a resource and go to Scopes
5. Select the scopes that contain tenants who will use the resources

Notes:

• You can share resources with your own scope and child scopes of your scope
• Each tenant can belong to more than one scope
• Each scope can have one parent scope only
• The platform will only consider the enterprises in the resource scopes, not the locations

You can use a reseller hierarchy for billing, pricing, and to manage and aggregate your cloud costs and usage. To create a reseller hierarchy, assign scopes to reseller, key node, and reseller customer tenants. 

• Reseller: A reseller enterprise in the hierarchy can use partner or reseller credentials for public cloud (and create accounts and users for customers) and manage billing and pricing for their hierarchy. 

• Key node: A key node is the main enterprise for an organization, for example, the head office. A key node enterprise can obtain aggregate billing and usage data for their hierarchy

To define the hierarchy levels, use the Default scopes of the reseller, key node, and reseller customer enterprises.   

1. Go to Users → Enterprises
2. For the reseller and key node enterprises, create a scope
   1. Select an appropriate Parent scope, for example
      1. For a reseller, select the Global scope or no parent scope
      2. For a key node, select the reseller's Default scope as the parent scope
      3. For a sub-enterprise of a key node, e.g. a Department, select the key node's Default scope as the parent scope
3. Create or edit an enterprise to make it a Reseller or Key node enterprise
4. Set the appropriate scope as the Default scope for the enterprise. Abiquo will automatically add the enterprise to its Default scope
   
   • Note that if you change the default scope of an enteprise, Abiquo will not remove the enterprise from its previous scope
     

Administrators can share VM templates and VApp specs with users in scopes beneath their own Default scope in a hierarchy. Note that it is not mandatory to use resellers and key nodes in a cloud tenant hierarchy

• Basic scope hierarchy: The administrator for Spain could also have a scope hierarchy beneath the Spain scope that includes the scopes for Eastern Spain and Central and Southern Spain and then their customers at a lower level. The administrator for Spain can only manage the users of the Spanish national organization but they can share templates and Vapp specs with tenants in the scopes at all levels of the hierarchy.
  
  

   Click here to show/hide the hierarchy diagram

  

Notes about modifying scopes:

• You cannot remove an enterprise from a scope that is using shared templates with that scope
• You cannot modify the default Global scope
• You cannot modify your own scope
• In a scope hierarchy, there can only be one reseller and one key node in the scope, which is the enterprise's default scope