Abiquo 2.4



New Feature

Administration Scope was introduced in Abiquo 2.2. When Abiquo is upgraded to v2.2, a default global scope is created and all roles are assigned to this scope.

The Administration Scope feature, introduced in Abiquo v2.2, is designed for administrator roles. It defines the resources (such as datacenters and enterprises) that a role can view and administer. In contrast, the privileges assigned to a role define how the role can work with those resources, for example, as a user or as an administrator.

Scopes Tab

The administration scope of an Abiquo role defines which resources the role can administer. Other access controls, such as allowed datacenters or VDC restriction, may also apply, but these are independent of scope because they apply to use, not administration.

A role can only have one scope but a scope can belong to more than one role. The resources that can be assigned to a scope are:

  • enterprises
  • datacenters

Scope allows organizations to create administrators for groups of resources. For example, a global managed service provider could create a scope for a country or region. In Spain, an organization may have datacenters in Madrid, Barcelona, Valencia and Seville. An administrator for Spain would have access to all of these datacenters, but the administrator for Eastern Spain would only have access to Barcelona and Valencia, which are on the east coast.

The default scope is unlimited, and this scope is always assigned to the default CLOUD_ADMIN role and the admin user. Scope is independent of other access control methods. For example, an ordinary user may have an unlimited scope, but the USER role will only allow access to one enterprise. Scope is designed to restrict administrator access to resources, not user access. For example, if an administrator has a scope that includes Datacenter A, but their enterprise can deploy in Datacenter A and Datacenter B, then the administrator will only be able to administer Datacenter A, but will be able to deploy in both Datacenter A and Datacenter B.

Managing Scopes

From the Users view, if you have permission to manage scopes, you can manage the scopes to define administrator access to cloud resources. If you also have permission to manage roles, then you can assign scopes to roles on the Roles tab.

Button actions:

  • Create a new scope
  • Remove an existing scope
  • Edit the selected scope

Creating or Modifying a Scope

Click the add button to create a new scope. By default, the new scope will contain the current user's scope. On the Enterprises and Datacenters pages, select the resources the scope will allow access to. You cannot create a scope greater than the scope assigned to your own role.


To create an unlimited scope for a resource group, first log in as a user with an unlimited scope. Then click on the scope page and tick one of the following checkboxes:

  • Use all datacenters checkbox, to use all datacenters in the scope. This will automatically include all datacenters in the current scope and add all new datacenters.
  • Use all enterprises checkbox, to use all enterprises in the scope. This will automatically include all enterprises in the current scope and add all new enterprises.

This means that you will not need to modify the scope when new resources are added to Abiquo.

After ticking a "use all" checkbox, if you then wish to select an individual resource, first deselect the "use all" checkbox.
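The scope rules described above can be expressed as a small model. This is an added illustration, not Abiquo code or its API: the `Scope` class, `create_scope`, `can_deploy` and the sample datacenter names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    """Illustrative model of an administration scope (hypothetical, not Abiquo's)."""
    datacenters: frozenset = frozenset()
    enterprises: frozenset = frozenset()
    all_datacenters: bool = False  # "Use all datacenters" ticked
    all_enterprises: bool = False  # "Use all enterprises" ticked

    def can_administer_datacenter(self, dc: str) -> bool:
        # A "use all" scope covers datacenters added later without being edited.
        return self.all_datacenters or dc in self.datacenters

    def can_administer_enterprise(self, ent: str) -> bool:
        return self.all_enterprises or ent in self.enterprises

    def within(self, creator: "Scope") -> bool:
        """True if this scope is no greater than the creator's scope."""
        dcs_ok = creator.all_datacenters or (
            not self.all_datacenters and self.datacenters <= creator.datacenters)
        ents_ok = creator.all_enterprises or (
            not self.all_enterprises and self.enterprises <= creator.enterprises)
        return dcs_ok and ents_ok


def create_scope(creator: Scope, requested: Scope) -> Scope:
    """Reject a scope greater than the one assigned to the creator's role."""
    if not requested.within(creator):
        raise PermissionError("requested scope exceeds the creator's scope")
    return requested


def can_deploy(enterprise_allowed_dcs: set, dc: str) -> bool:
    """Deployment depends on the enterprise's allowed datacenters, not on scope."""
    return dc in enterprise_allowed_dcs


# Constructed sample data following the Spain example on this page.
UNLIMITED = Scope(all_datacenters=True, all_enterprises=True)
SPAIN = create_scope(
    UNLIMITED, Scope(frozenset({"Madrid", "Barcelona", "Valencia", "Seville"})))
EAST_SPAIN = create_scope(SPAIN, Scope(frozenset({"Barcelona", "Valencia"})))
```

In this model, only a creator whose own scope has a "use all" flag can grant that flag, which matches the requirement to log in with an unlimited scope before creating one.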

Assigning a Scope to a Role

After you create a scope, if you have privileges to Manage Roles, then you can assign a scope to a role on the Scope association page of the Roles screen. See "Associate a Scope with a Role" in Manage Roles.