An Abiquo scope is always a list of resources that the platform uses to allow access in some way. The resources are tenants (enterprises) or cloud locations.
An example of a basic scope is NationalARegFG, which contains two enterprises (RegionalAF and RegionalAG).
A user scope is a list of resources (enterprises and cloud locations) that the user can view and manage. Note that the user must also have other permissions to access these resources.
So an administrator can manage the users of the enterprises that are in their scope.
For example, an administrator with the NationalARegFG scope can manage the users of the enterprises in the scope (RegionalAF and RegionalAG).
A scope hierarchy is a tree of scopes with parent and child scope relationships.
To add a scope to a hierarchy, the administrator selects a parent scope. For example, the parent of the NationalARegFG scope is the NationalAandB scope.
The platform uses the scope hierarchy for two purposes: to enable administrators to share resources and for aggregate billing and reporting of multi-tenant organizations.
Here is an example of a scope hierarchy.
The administrator modifies the resource to share, such as a VM template, and assigns it one or more scopes.
Each scope is a list of enterprises. The platform allows all the users of these enterprises to access the resource.
So an administrator in NationalAandB can share VM templates with NationalARegFG.
In addition to VM templates, the administrator can share blueprints, which are called VApp Specs (short for Virtual Appliance Specifications).
The platform uses the scope hierarchy for aggregate billing and reporting for multi-tenant organizations.
To designate that an enterprise is the "headquarters" of a group of organizations that are underneath it in the hierarchy, the administrator sets the "key node" flag.
The administrator can designate that an enterprise is a reseller, to enable this tenant to charge their customers for use of the platform.
The cloud administrator has the default global scope, which has access to all enterprise tenants and cloud locations.
A scope can have unlimited access to enterprise tenants and/or cloud locations. This means that it has access to ALL current and future resources.
For example, if a scope has access to all cloud locations ("All datacenters"), then new public cloud regions will automatically be added to it.
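The sharing rule (a resource is assigned scopes, and users of the enterprises in those scopes can access it) and the unlimited-scope rule described above can be modelled as follows. This is an added illustration, not Abiquo code and not the Abiquo API: the class, the function names, the "Global" scope name, the enterprises placed in NationalAandB and the location names are all hypothetical or constructed.

```python
# Added illustration: a conceptual model of the scope rules described on this
# page. It does not use or mirror the Abiquo API; all names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

ALL = None  # marker for "unlimited": every current and future resource


@dataclass
class Scope:
    name: str
    enterprises: Optional[set] = field(default_factory=set)  # None means ALL
    locations: Optional[set] = field(default_factory=set)    # None means ALL
    parent: Optional["Scope"] = None  # parent scope in the hierarchy

    def covers_enterprise(self, enterprise: str) -> bool:
        return self.enterprises is ALL or enterprise in self.enterprises

    def covers_location(self, location: str) -> bool:
        return self.locations is ALL or location in self.locations


def can_access_shared(user_enterprise: str, resource_scopes: list) -> bool:
    """A shared resource is accessible to users of any enterprise listed in
    at least one of the scopes assigned to that resource."""
    return any(s.covers_enterprise(user_enterprise) for s in resource_scopes)


def unlimited_scopes(scopes: list) -> list:
    """Review aid: names of scopes whose reach grows automatically whenever
    a new enterprise or cloud location is added to the platform."""
    return [s.name for s in scopes
            if s.enterprises is ALL or s.locations is ALL]


# Constructed sample data; scope names are taken from the page, while the
# enterprises in NationalAandB and the location "dc-1" are made up.
national_ab = Scope("NationalAandB", {"NationalA", "NationalB"}, {"dc-1"})
regional_fg = Scope("NationalARegFG", {"RegionalAF", "RegionalAG"}, {"dc-1"},
                    parent=national_ab)
global_scope = Scope("Global", ALL, ALL)  # like the default global scope

template_scopes = [regional_fg]  # a VM template shared with NationalARegFG
```

Listing unlimited scopes during an access review shows which scopes will silently gain access to every enterprise or cloud location added later.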