Create a reseller administrator user

Introduction to reseller admin

A reseller admin role can have a range of privileges depending on how you will manage resellers and cloud users on the platform. So how the reseller will "manage its customers" will vary, depending on the privileges.

Before you create a reseller admin, we recommend that you first modify the standard USER and ENTERPRISE_ADMIN role to add all the features you will use in your platform. For public cloud, see Modify user roles to add public cloud. Also remove any privileges for features that you are not using.

Create a basic reseller administrator

To create a basic reseller administrator, you will first need to define their role, with the privileges they will have to perform actions on the platform.

A reseller role with minimum restrictions could grant the administrator the following privileges:

• All dashboard privileges

• Services privileges as required

• No infrastructure privileges

• Most virtual datacenter privileges (except for infrastructure or system administrator features)

• Most virtual appliance privileges (except for infrastructure or system administrator features)

• Most Catalogue privileges (except for global and infrastructure features)

• Most user privileges (except to Manage reseller enterprises) 

• No system configuration privileges, except access to reports

• Event privileges for the current enterprise

• Control privileges as required

For the reseller user Scope, select the reseller scope.

Open

Create a user and assign the reseller administrator role.

Adjust the reseller role to your requirements

The following sections describe different ways to use the platform and how

Reseller privileges to switch enterprises

The base privileges for standard reseller admins are these Home view privileges:

• List enterprises within scope

• Allow user to switch enterprise

When you assign these privileges to a reseller admin role, the user can view a list of their enterprises (in scope) in the Home view and switch from one enterprise to another to manage virtual resources.

When the reseller admin switches to an enterprise, they will be able do all the typical enterprise administration tasks, according to their role, such as upload VM template files.

The reseller admin will stay in the enterprise they have switched to until they switch to another. The enterprise does not change when the user logs out and logs in again. 

Alternative basic reseller admin per tenant

If you wish to maintain a separate administrator account for each tenant, the administrator can log in with a separate user in each tenant that they will administer. In this case, the user will not use a shortcut button to switch enterprises. So you do not need to add the List enterprises within scope or the Allow user to switch enterprise privilege. We only recommend this option for resellers with a small number of tenants.

Users view privileges

The users view privileges determine how the administrator can manage their customers and cloud users.

It is not necessary for your reseller administrators to have these privileges.

If you manage all cloud user accounts with a centralized system, such as SAML, you can remove the Manage users privilege from the reseller administrator.

Manage users

If you are not using a central user management system, you can have an administrator who can manage users. They can then perform the tasks of creating, editing, and deleting the users in the enterprises in their user scope only.

To allow the reseller to manage enterprises and users in a single pane of glass, and not by switching enterprises, assign the privileges to Manage enterprises and Manage users of all enterprises. This privilege refers to all enterprises, but it means all enterprises within the administrator's scope. 

If your reseller will be managing users, in addition to the Manage users privilege that is part of the standard tenant admin role, you can assign additional privileges, such as Manage roles.

Note that each enterprise must have a Default scope, which the platform will automatically assign to all new users in the enterprise. Many reseller hierarchies use only a single scope each tenant under a reseller, so in this case, the tenant users and administrators may all use the same scope. And an enterprise’s Default scope defines the enterprise’s place in the tenant hierarchy (by the scope and its parent scope), so you should consider this before allowing any changes.

Administrators can change the user scope if they have the privilege to Manage scopes. Note that administrators with the Manage scopes privilege can also assign the enterprise’s Default scope to their users, even if it is higher scope than their own scope!

Shared resource management

If your reseller needs to be able to share resources (VM templates and VApp blueprints (specs)) to give access to their customers, then your reseller will be able to share templates and specs by selecting (or deselecting) scopes for the templates and specs. The administrator can select their own scope and scopes below that scope in the hierarchy for VM templates and specs.

Note that it is possible for enterprises to belong to more than one scope and this means that you can create a scope to create a group of tenants who will all use the same resources.

Resellers creating tenants and the scope hierarchy

If your reseller administrator is able to create their own tenant enterprises, Abiquo will automatically add these to the reseller scope.

If the reseller's tenants are part of a scope hierarchy (the reseller scope is a parent of the tenant scope) and your reseller does not need to manage their users or enterprises, then you can remove them from the reseller scope. To allow your reseller to manage their own scope hierarchy, assign the Manage scopes privilege. This means that the reseller can add their tenants to a scope hierarchy beneath their own scope.