Create a reseller administrator user

1 Introduction to reseller admin
2 Reseller privileges to switch enterprises
3 Alternative basic reseller per tenant
4 Users view privileges
5 Manage users
6 Shared resource management
7 Resellers creating tenants and the scope hierarchy

This page describes the details of some useful permissions for a reseller administrator role.

For details of how to create a role, see Manage roles
For details of how to create a user, see Manage users

Introduction to reseller admin

A reseller admin role can have a range of privileges depending on how you will manage resellers and cloud users on the platform. So how the reseller will "manage its customers" will vary, depending on the privileges.

Before you create a reseller admin, we recommend that you first modify the standard ENTERPRISE_ADMIN role to create a basic tenant admin role to cover all features for your platform. Also remove features that you are not using, such as persistent templates.

Reseller privileges to switch enterprises

The base privileges for standard reseller admins are these Home view privileges:

List enterprises within scope
Allow user to switch enterprise

When you assign these privileges to a reseller admin role, the user can view a list of their enterprises (in scope) in the Home view and switch from one enterprise to another to manage virtual resources.

When the reseller admin switches to an enterprise, they will be able do all the typical enterprise administration tasks, according to their role. An example may be to upload disk files to create templates.

The reseller admin stays in the enterprise they have switched to until they switch to another. The enterprise does not change when the user logs out and logs in again.

Alternative basic reseller per tenant

If you wish to maintain a separate administrator account for each tenant, the administrator can log in with a separate user to each tenant that they will administer. In this case, the user will not use a shortcut button to switch enterprises. So you do not need to add the List enterprises within scope or the Allow user to switch enterprise privilege. We only recommend this option for resellers with a small number of tenants.

Users view privileges

The users view privileges determine how the administrator can manage their customers and cloud users.

It is not necessary for your reseller administrators to have these privileges.

For example, if you manage all cloud user accounts with a centralized system, you may wish to remove the Manage users privilege from the reseller administrator.

Manage users

If you are not using a centralised user management system, you may wish to have an administrator who can manage users. They can then perform the tasks of creating, editing, and deleting the users in the enterprises in their user scope only.

If your reseller will be managing users, in addition to the Manage users privilege that is part of the standard tenant admin role, you can assign additional privileges.

To allow the reseller to manage enterprises and users in a single pane of glass, and not by switching enterprises, assign the privileges to Manage enterprises and Manage users of all enterprises. Although this privilege refers to "all enterprises", it means all enterprises within the administrator's scope.

Note that each enterprise must have a default scope, which the platform will assign to all new users in the enterprise. Note that administrators can change the scope. However, administrators who can manage scopes can also assign the enterprise scope to users, even if it is higher than or completely different to their own scope! However, if you are using data aggregation for resellers or key nodes, the enterprise default scope must define the hierarchy for each reseller and key node, so it would not be convenient to change it for administrator security.

Shared resource management

If your reseller needs to be able to share resources (VM templates and VApp spec blueprints) to give access to their customers, then your reseller will be able to share templates and specs by assigning (or unassigning) scopes to the template and specs. The administrator can assign their own scope and scopes below that scope in the hierarchy to templates and specs.

Note that it is possible for enterprises to belong to more than one scope and this means that you can create a scope just to group tenants who will all use the same resources.

Resellers creating tenants and the scope hierarchy

If your reseller administrator is able to create their own tenants, Abiquo will automatically add these to the reseller's scope.

If the reseller's tenants are part of a scope hierarchy and your reseller does not need to manage their users or enterprises, then you can remove them from the reseller's scope. If you wish to allow your reseller to manage their own scope hierarchy, assign the Manage scopes privilege. This means that the reseller can add their tenants to a scope hierarchy beneath their own scope.