Abiquo 2.6

Skip to end of metadata
Go to start of metadata

Abiquo user management has a flexible concept of roles associated with privileges. Each user is assigned a role and that role is assigned a set of privileges to grant access to different cloud features.

Abiquo provides a set of default roles (CLOUD_ADMIN, ENTERPRISE_ADMIN and USER) and these can be cloned and modified to create new roles. The default CLOUD_ADMIN role cannot be modified. You can also create roles and match them to LDAP groups for automatic user creation and role assignment.

The new Administration Scope feature was introduced in Abiquo v2.2. The scope of a role defines the resources (such as datacenters and enterprises) that the role can view, access and administrator. The privileges assigned to the role define how the role can work with the resources, for example, as a user or administrator.

Roles Tab

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource RolesResource.

In Users View, if you have permission to access the Roles tab, manage the roles that will allow access to the platform using the control buttons at the bottom of the left pane. Assign privileges to a role in the Privileges page. If you have permission to manage scopes, associate a scope with a role in the Scopes page to define the set of resources that a user with this role can access. 

Default Roles

Default Role



Manages the physical infrastructure and configurations in order to offer a cloud service. The privileges of the default role cannot be modified and there is a default "admin" user with this role that cannot be modified and with an unlimited scope that cannot be modified. This role can be cloned and modified, for example, to set administration scope that restricts an administrator to certain datacenters and enterprises.


Manages configurations at enterprise level and grants access to other enterprise users. This role is for users that are responsible for an enterprise to manage their cloud services. By definition, users with this role are restricted to administering their own enterprise.


Manages the virtual appliances of an enterprise. Typically, this role is for users working with the cloud service. By definition, users with this role are restricted to their own enterprise.

Cloud Admin Role

The Cloud Admin default role cannot be modified and the scope cannot be changed from the default

If you have permission to manage roles, the operations to do this are:



Create a new Role

Delete an existing Role

Clone the selected Role

Edit the selected Role

Creating or Modifying a Role

A user can only have one role. You cannot have more than one role of the same name in the same enterprise. Roles in different enterprises can have the same names. If you have permission to manage roles, create a role by clicking the or modify a role by clicking the button and complete the form:

To clone a role, click the clone button. By default the new role will have a number appended to its name, for example, CLOUD_ADMIN (2).

Enterprise Roles and Global Roles

Abiquo allows you to create enterprise roles and global (or system) roles. If you have the Manage global role privilege, when you create a role, you can specify an enterprise or mark the checkbox to make the role global. A global role will be available in all enterprises. If you have the "Associate role with enterprise" privilege but not the Create global role privilege, you can only create roles associated with an enterprise. In the Role list, global roles will appear with the text (global) and enterprise roles will appear only if their enterprise is selected in the Enterprises list.

Feature Behavior

A user whose role has the Create global role privilege can create generic roles.
A user whose role has the Associate role with enterprise privilege can only create roles associated with an enterprise.

LDAP Groups


If you have the Specify LDAP group privilege, associate a role with an LDAP/AD group. When LDAP authentication is activated, a user's role will be determined by the group that they are a member of. In LDAP/AD users should be a member of one group only, because they may only have one role in Abiquo. Please see the Administrator's Guide for further information about LDAP and Active Directory Integration.

Associate a Scope with a Role

On the Scopes page of the Roles tab, you can assign a scope to a role.

When you create a role, the default scope is unlimited. If you have the Manage scopes privilege, click the Scope association tab to assign a scope to the role. Select a scope from the pull-down list. The resources that are included in the selected scope will be displayed. Click Save to continue.