A Scope is always a list of resources that the platform uses to allow access in some way. The resources are tenants (enterprises) or cloud locations (datacenters).
An example of a basic scope is shown in the following screenshot. The NationalARegFG scope has two enterprises (RegionalAF and RegionalAG).
Each user has a scope. A user scope is a list of resources (enterprises and cloud locations) that the user can view and manage. Note that the user will usually also require other permissions to access these resources.
For example, an administrator can manage the users of the enterprises that are in their scope. So an administrator with the NationalARegFG scope can manage the users of the enterprises in the scope (RegionalAF and RegionalAG),.
A scope hierarchy is a tree of scopes with parent and child scope relationships.
The Abiquo UI displays a scope hierarchy as shown in the second column in the following screenshot.
To add a scope to a hierarchy, the administrator selects a parent scope. For example, the parent of the NationalARegFG scope is the NationalAandB scope.
The platform uses the scope hierarchy for two purposes: to enable administrators to share resources and for aggregate billing and reporting of multi-tenant organizations.
The administrator modifies the resource to share, such as a VM template, and assigns it one or more scopes.
Each scope is a list of enterprises. The platform allows all the users of the enterprises in the scope to access the resource.
So an administrator with the NationalAandB scope can select NationalARegFG to share resources.
In addition to VM templates, the administrator can share blueprints, which are called VApp specs (which is short for Virtual Appliance Specifications).
The cloud administrator has the default global scope, which has access to all enterprise tenants and cloud locations.
A scope can have unlimited access to enterprise tenants and/or cloud locations. This means that it has access to ALL current and future resources.
For example, if a scope has access to all cloud locations ("All datacenters"), then new public cloud regions will automatically be added to it.
A user can access a VM template to deploy if the user's enterprise is listed in the templates scopes.
However, to modify a template or spec resource, an administrator must log in to the enterprise that owns the resource.
The platform assigns the enterprise's default scope to all the new users that you create in the enterprise. Usually, you will want an enterprise to be within its own default scope, so that an administrator of the enterprise can manage the users. If you create the scope first, then you may need to add the enterprise afterwards.
The platform also uses the default scope for an enterprise that is the "headquarters" of a group of enterprises. The administrator marks the "headquarters" enterprise as the "key node". This enterprise must be within its default scope and at the top of a sub-hierarchy of scopes.
When an administrator creates a pricing model, the platform assigns the administrator's scope to the pricing model. To modify the pricing model, an administrator must have exactly the same scope as the original administrator.
To view the pricing model that is assigned to an enterprise, the user with pricing privileges must log in to the enterprise.
To designate a sub-hierarchy with an enterprise as the "headquarters" with other enterprises underneath it, the administrator creates or edits the enterprise and sets the "key node" flag. The key node enterprise must be in the default scope of the enterprise, which must be at the top of a sub-hierarchy.
The administrator can designate that an enterprise is a reseller, to enable this tenant to charge their customers for use of the platform. The reseller's customers must be in the hierarchy underneath the reseller in the reseller enterprise's default scope.