Administration Scope was introduced in Abiquo 2.2. When Abiquo is upgraded to v2.2, a default global scope is created and all roles are assigned to this scope.
Administration Scope is designed for administrator roles: it defines the resources (such as datacenters and enterprises) that a role can view and administer. In contrast, the privileges assigned to a role define how the role can work with resources, for example, as a user or administrator.
The administration scope of an Abiquo role defines what resources the role can administer. Other access controls, such as allowed datacenters or VDC restrictions, may also apply, but these are independent of scope because they apply to use, not administration.
A role can only have one scope but a scope can belong to more than one role. The resources that can be assigned to a scope are:
Scope allows organizations to create administrators for groups of resources. For example, a global managed service provider could create a scope for a country or region. In Spain, an organization may have datacenters in Madrid, Barcelona, Valencia and Seville. An administrator for Spain would have access to all these datacenters, but the administrator for Eastern Spain would only have access to Barcelona and Valencia, which are on the east coast.
The default scope is unlimited and this scope is always assigned to the default CLOUD_ADMIN role and admin user. Scope is independent of other access control methods. For example, an ordinary user may have an unlimited scope, but the USER role will only allow access to one enterprise. Scope is designed to restrict administrator access to resources, not user access. For example, if an administrator has a scope that includes Datacenter A, but their enterprise can deploy in Datacenter A and Datacenter B, then the administrator will only be able to administer Datacenter A, but they will be able to deploy in Datacenter A and Datacenter B.
From the Users view, if you have permission to manage scopes, you can manage the scopes to define administrator access to cloud resources. If you also have permission to manage roles, then you can assign scopes to roles on the Roles tab.
|Create a new scope|
|Remove an existing scope|
|Edit the selected scope|
Click the add button to create a new scope. By default, the new scope will contain the current user's scope. On the Enterprises and Datacenters pages, select the resources the scope will allow access to. You cannot create a scope greater than the scope assigned to your own role.
To create an unlimited scope for a resource group, first log in as a user with an unlimited scope. Then click on the scope page and tick one of the following checkboxes:
After ticking a "use all" checkbox, if you then wish to select an individual resource, first deselect the "use all" checkbox.
After you create a scope, if you have privileges to Manage Roles, then you can assign a scope to a role on the Scope association page of the Roles screen. See "Associate a Scope with a Role" in Manage Roles.
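The following added example models the two rules described above: a new scope cannot exceed its creator's scope, and scope limits administration independently of where an enterprise may deploy. It is an illustrative sketch, not Abiquo code or the Abiquo API; the `Scope` class, the function names and the enterprise name are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    """Hypothetical model of an administration scope (not Abiquo's data model)."""
    name: str
    datacenters: frozenset = frozenset()
    enterprises: frozenset = frozenset()
    all_datacenters: bool = False  # models a "use all" checkbox
    all_enterprises: bool = False

    def within(self, other):
        """True if this scope grants nothing beyond `other`."""
        dcs_ok = other.all_datacenters or (
            not self.all_datacenters and self.datacenters <= other.datacenters)
        ents_ok = other.all_enterprises or (
            not self.all_enterprises and self.enterprises <= other.enterprises)
        return dcs_ok and ents_ok


def create_scope(creator_scope, new_scope):
    """Reject any scope greater than the scope of the user creating it."""
    if not new_scope.within(creator_scope):
        raise PermissionError(
            f"'{new_scope.name}' exceeds creator scope '{creator_scope.name}'")
    return new_scope


def can_administer(scope, datacenter):
    """Administration is decided by the scope of the user's role."""
    return scope.all_datacenters or datacenter in scope.datacenters


def can_deploy(enterprise_allowed_datacenters, datacenter):
    """Use is decided by the enterprise's allowed datacenters, not by scope."""
    return datacenter in enterprise_allowed_datacenters


# Constructed sample data based on the Spain example in the text.
GLOBAL = Scope("Global", all_datacenters=True, all_enterprises=True)
SPAIN = Scope("Spain",
              frozenset({"Madrid", "Barcelona", "Valencia", "Seville"}),
              frozenset({"Acme ES"}))
EAST = Scope("Eastern Spain",
             frozenset({"Barcelona", "Valencia"}),
             frozenset({"Acme ES"}))
```

A limited scope can never be widened to "use all" by its own holder in this model, which is why the text requires logging in with an unlimited scope to create one.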