Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3
Table of Contents

The Administration Scope feature is designed for administrator roles.  A scope defines the list of resources (datacenters and enterprises) that a role can view and administer. In contrast, the privileges assigned to a role define how the role can work with resources, for example, as a user or administrator.

Scopes Tab

0Manage scopes

The administration scope of an Abiquo role defines what resources the role can administer. Other access controls, such as allowed datacenters or VDC restriction may also apply but these are independent of scope because they apply to use not administration.

A role can only have one scope but a scope can belong to more than one role. The resources that can be assigned to a scope are:

  • enterprises
  • datacenters

Scope allows organizations to create administrators for groups of resources. For example, a global managed service provider could create a scope for country or region. For example, in Spain, an organization may have datacenters in Madrid, Barcelona, Valencia and Seville. An administrator for Spain would have access to all these datacenters, but the administrator for Eastern Spain would only have access to Barcelona and Valencia, which are on the east coast.

The default scope is unlimited and this scope is always assigned to the default CLOUD_ADMIN role and admin user. If you select the default scope from the Scopes list, the resources column are empty. This is because it includes all resources, so no resources are displayed.

Scope is independent of other access control methods, for example, an ordinary user may have an unlimited scope but the USER role will only allow access to one enterprise. Scope is designed to restrict administrator access to resources, not user access. For example, if an administrator has a scope that includes Datacenter A, but their enterprise can deploy in Datacenter A and Datacenter B, then the user will only be able to administer resources of Datacenter A, but they will be able to deploy in Datacenter A and Datacenter B.

Managing Scopes

0Manage scopes

From the Users view, if you have permission to manage scopes, you can access the Scopes tab and manage the scopes to define administrator access to cloud resources. If you also have permission to manage roles, then you can assign a scope to a role when editing the role.

Create or Modify a Scope

Click the add button to create a new scope. By default, the new scope will contain the current user's scope or the last scope the user created. In the popup, in the Enterprises and Datacenters columns, select the resources the scope will allow the user to administer. You cannot create a scope with more access than the scope assigned to your own role.

To create an unlimited scope for a resource group, first log in as a user with an unlimited scope. This means that you will not need to modify the scope when new resources are added to Abiquo.

  • Select allcheckbox:
    • Enterprises checkbox to use all enterprises in the scope. This will automatically include all enterprises in the current scope and add all new enterprises
    • Datacenters: use all datacenters in the scope. This will automatically include all datacenters in the current scope and add all new datacenters

After ticking a Select all checkbox, if then you wish to select an individual resource, first deselect the Select all checkbox.

Assigning a Scope to a Role

After you create a scope, if you have privileges to Manage Roles, then you can assign a scope to a role when editing the Role from the Roles tab. See Manage Roles#Associate a Scope with a Role