Assign a scope to restrict administrator access

To restrict an administrator's access to resources:

Go to Users → Create or Edit user
Assign a scope

The administrator can manage the locations (datacenters and public cloud regions) that are in their scope (e.g. add templates). An administrator can manage enterprises and users of the enterprises that are in their scope.

Troubleshooting and Tips

The user must also have the other required permissions (privileges and allowed datacenters).
A user can work in allowed datacenters (e.g. create virtual datacenters, deploy), even if the datacenters are not in their scope.

For example, a Managed Service Provider in Spain, with datacenters in Madrid, Barcelona, Valencia, and Seville. The scopes could be defined as follows:

User scope for datacenters:
- An administrator for "Spain" with a scope to access to all the Spanish datacenters
- An administrator for "Eastern Spain" with a scope to access Barcelona and Valencia (on the east coast of Spain)
User scopes for enterprises:
- An administrator for Spain may have a scope to access the top-level "Spanish HQ" to manage its users and resources. This scope may be the parent of one or more scopes to group users for management and resource sharing

Screenshot: an administrator with the default Global scope has access to all enterprises and datacenters.