Skip to end of metadata
Go to start of metadata

New default M_USER role in Abiquo 3.0

The OUTBOUND_API role is a new role that provides the required permissions for the user that will access and store Events in Abiquo as and stream them in the Outbound API.
The role was called M_ROLE in Abiquo 3.0 RC3


Abiquo user management has a flexible concept of roles associated with privileges. Each user is assigned a role and that role is assigned a set of privileges to grant access to different cloud features.

Abiquo provides a set of default roles (CLOUD_ADMIN, ENTERPRISE_ADMIN and USER) and these can be cloned and modified to create new roles. The default CLOUD_ADMIN role cannot be modified. You can also create roles and match them to LDAP groups for automatic user creation and role assignment.

The Administration Scope of a role defines the resources (such as datacenters and enterprises) that the role can view, access and administer. The privileges assigned to the role define how the role can work with the resources, for example, as a user or administrator.

Roles Tab

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource RolesResource.

In Users View, if you have permission to access the Roles tab, manage the roles that will allow access to the platform using the control buttons at the top of the roles list. Assign privileges to a role in the Privileges pane. If you have permission to manage scopes, when you create or edit a role, associate a scope with the role to define the set of resources that a user with this role can access.

Default Roles

Default Role



Manages the physical infrastructure and configurations in order to offer a cloud service. The privileges of the default role cannot be modified and there is a default "admin" user with this role that cannot be modified and with an unlimited scope that cannot be modified. This role can be cloned and modified, for example, to set administration scope that restricts an administrator to certain datacenters and enterprises.


Manages configurations at enterprise level and grants access to other enterprise users. This role is for users that are responsible for an enterprise to manage their cloud services. By definition, users with this role are restricted to administering their own enterprise.


Manages the virtual appliances of an enterprise. Typically, this role is for users working with the cloud service. By definition, users with this role are restricted to their own enterprise.

OUTBOUND_APIUser for the M module that stores Events in the API and streams them in the Outbound API. The default privileges of this role allow it to read all events.

Cloud Admin Role

The Cloud Admin default role cannot be modified and the scope cannot be changed from the default


Create or Modify a Role

A user can only have one role. You cannot have more than one role of the same name in the same enterprise. Roles in different enterprises can have the same names. If you have permission to manage roles, create a role by clicking the add button or modify a role by clicking the edit button and complete the form:

To clone a role, click the clone button. By default the new role will have "Copy:" added to its name, for example, "Copy: CLOUD_ADMIN".

Enterprise Roles and Global Roles

Abiquo allows you to create enterprise roles and global (or system) roles. If you have the Manage global role privilege, when you create a role, you can specify an enterprise or mark the checkbox to make the role global. A global role will be available in all enterprises. If you have the "Associate role with enterprise" privilege but not the Create global role privilege, you can only create roles associated with an enterprise. In the Role list, global roles will appear with the text (global) and enterprise roles will appear only if their enterprise is selected in the Enterprises list.


Feature Behavior

A user whose role has the Create global role privilege can create global roles.
A user whose role has the Associate role with enterprise privilege can only create roles associated with an enterprise.

LDAP Groups


If you have the Specify LDAP group privilege, associate a role with an LDAP/AD group. When LDAP authentication is activated, a user's role will be determined by the group that they are a member of. In LDAP/AD users should be a member of one group only, because they may only have one role in Abiquo. Please see the Administrator's Guide for further information about LDAP and Active Directory Integration.

Associate a Scope with a Role

When you create a role, the default scope is unlimited. If you have the Manage scopes privilege, you can set a scope for the role:

  • Create a new role or edit an existing role
  • Select a scope from the pull-down list  
  • Click Save to continue.

See the Create or Modify a Role section above

  • No labels