Scopes FAQ

What is a scope?

A Scope is always a list of resources that the platform uses to allow access in some way. The resources are tenants (Enterprises) or cloud locations including datacenters and public cloud regions (called Datacenters).

You can use scopes to

1. Create a limited set of resources for administrators and users

2. Share VM templates and blueprints (VApp specs) with a group of tenants

3. Define a hierarchy of enterprises for resellers.

A typical use case for scopes would be on a platform with resellers.

Open

A scope contains a list of enterprises and datacenters to allow access

What is a user scope?

Every user has a scope. A user scope is a list of resources (enterprises and cloud locations) that the user can view and manage. Note that the user will usually also require other permissions to access these resources.

For example, an administrator can manage the users of the enterprises that are in their scope. Usually, a scope would contain the enterprise that belongs to it. It may contain more enterprises.

How does an administrator share resources with scopes?

The administrator modifies the resource to share, such as a VM template, and assigns it one or more scopes. Each scope is a list of enterprises. The platform allows all the users of the enterprises in the scope to access the resource.

In addition to VM templates, the administrator can share blueprints, which are called VApp specs (which is short for Virtual Appliance Specifications). 

The scopes that the administrator can select are their own scope and scopes in their scope hierarchy.

Open

Edit a VM template and share it by assigning scopes

What is the cloud administrator's scope?

The cloud administrator has the default global scope, which has access to all enterprise tenants and cloud locations. You cannot change the cloud administrator's scope.

What is an unlimited scope?

The unlimited scopes are the default Global scope and any scopes that allow all current and future enterprises and/or locations. 

Only a user with an unlimited scope can create an unlimited scope in the same dimension/s as their scope.

How can I make a scope that automatically updates?

A scope can have unlimited access to enterprise tenants and/or cloud locations. This means that it has access to ALL current and future resources.

For example, if a scope has access to all cloud locations with All datacenters, then new public cloud regions will automatically be added to it.

Which resources can an administrator manage?

To manage an enterprise or a user, the administrator must have the enterprise or the user’s enterprise in their scope.

To modify a VM template or VApp spec, an administrator must log in to the enterprise that owns the resource. And the administrator will require access to the cloud location where the resource is located (in their own scope, and as an “Allowed datacenter or public cloud region").

To modify a pricing model, the administrator must have the same scope as the user that created the pricing model.

What is an enterprise default scope used for?

The platform assigns the enterprise's default scope to all the new users that you create in the enterprise.

Usually, you will want an enterprise to be within its own default scope. To allow the administrator of an enterprise to manage their own users, you should also give them the privileges to manage users.

If you create the scope first, then when you create the enterprise, the platform will automatically add the enterprise to its default scope. The platform will never automatically remove an enterprise. 

Note that an administrator can create a user with the enterprise scope, even if that scope is greater than their own user scope.

The platform also uses the default scope of an enterprise to build an enterprise hierarchy. First, create a scope for a enterprise, and then below it, create a scope for a key node enterprise. The key node scope can be for a single enterprise, but it can also be for the "headquarters" of a group of enterprises and their departments or sub-enterprises.

How do scopes for pricing models work?

When an administrator creates a pricing model, the platform assigns the administrator's scope to the pricing model. To modify the pricing model, an administrator must have exactly the same scope as the original administrator who created the pricing model.

To view the pricing model that is assigned to an enterprise and its prices, an administrator with pricing privileges must log in or switch to the enterprise and go to Pricing view.

What is a scope hierarchy?

A scope hierarchy is a tree of scopes with parent and child scope relationships.

To add a scope to a hierarchy, the administrator selects a parent scope when creating or editing the scope.

Administrators can share resources with a scope hierarchy, and the platform uses a scope hierarchy to aggregate billing and reporting of multi-tenant organizations.

How does an administrator create a reseller hierarchy?

First, create a reseller scope and a reseller enterprise.

You can then create an enterprise or a sub-hierarchy, for example, for each customer of a reseller.

First, the administrator creates the scope for the customer. The parent scope is the reseller scope.

Then, the administrator creates or edits an enterprise for the "headquarters" and selects the customer scope. This is a minimum configuration for a reseller customer. Usually, when you create the customer enterprise, you select the Key node option. Here, you can manage an AWS organization account, for example.

Under the customer enterprise, you can create more enterprises, for example, to represent different departments. Each department could have its own AWS account under the main organization account.

If the departments will manage their own users, or have access to different resources, then you could create separate scopes for them.