A Scope is always a list of resources that the platform uses to allow access in some way. The resources are tenants (Enterprises) or cloud locations including datacenters and public cloud regions (called Datacenters).
An example of a basic scope is a scope called NationalARegFG with two enterprises called RegionalAF and RegionalAG.
Every user has a scope. A user scope is a list of resources (enterprises and cloud locations) that the user can view and manage. Note that the user will usually also require other permissions to access these resources.
For example, an administrator can manage the users of the enterprises that are in their scope. So an administrator with the tenant6scope scope can manage the users of the enterprises in the scope (say tenant6A and tenant6B).
The administrator modifies the resource to share, such as a VM template, and assigns it one or more scopes. Each scope is a list of enterprises. The platform allows all the users of the enterprises in the scope to access the resource.
In addition to VM templates, the administrator can share blueprints, which are called VApp specs (which is short for Virtual Appliance Specifications).
The cloud administrator has the default global scope, which has access to all enterprise tenants and cloud locations. You cannot change the cloud administrator's scope.
A scope can have unlimited access to enterprise tenants and/or cloud locations. This means that it has access to ALL current and future resources.
For example, if a scope has access to all cloud locations ("All datacenters"), then new public cloud regions will automatically be added to it.
Sometimes, the platform controls the management of resources differently from the use of resources. VM templates are an example. A user can access a VM template to deploy if the user's enterprise is listed in the template's scopes. However, to modify a template or spec resource, an administrator must log in to the enterprise that owns the resource, and the administrator will also require access to the cloud location where the resource is located (as an "Allowed datacenter or public cloud region"). To modify a pricing model, the administrator must have the same scope as the user that created the pricing model.
The platform assigns the enterprise's default scope to all the new users that you create in the enterprise. Usually, you will want an enterprise to be within its own default scope, so that an administrator of the enterprise can manage the users. (If you create the scope first, then you may need to add the enterprise afterwards.) Note that an administrator can create a user with the enterprise scope, even if that scope is greater than their own user scope.
The platform also uses the default scope for an enterprise that is the "headquarters" of a group of enterprises. The administrator marks the "headquarters" enterprise as the key node in its hierarchy. The enterprise must be within its default scope, and that scope must be at the top of a sub-hierarchy of scopes.
When an administrator creates a pricing model, the platform assigns the administrator's scope to the pricing model. To modify the pricing model, an administrator must have exactly the same scope as the original administrator who created the pricing model.
To view the pricing model that is assigned to an enterprise, an administrator with pricing privileges must log in to the enterprise.
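The three checks described above (deploying a shared template, modifying a template, modifying a pricing model) can be written out as a small Python model. This is an added example, not the platform's code or API: the class and function names, the `dc1` location and the `tenant6wide` and `allTenants` scopes are assumptions made for illustration, and cloud locations inside scopes are left out to keep it short.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    name: str
    enterprises: frozenset = frozenset()
    all_enterprises: bool = False  # unlimited: all current and future tenants

    def covers(self, enterprise: str) -> bool:
        return self.all_enterprises or enterprise in self.enterprises

@dataclass(frozen=True)
class Session:
    enterprise: str                 # enterprise the user is logged in to
    scope: Scope                    # the user's own scope
    allowed_locations: frozenset = frozenset()  # allowed datacenters / regions

@dataclass(frozen=True)
class Template:
    owner_enterprise: str
    location: str
    scopes: tuple = ()              # scopes the template is shared with

def can_deploy(s: Session, t: Template) -> bool:
    # Use: the user's enterprise must be listed in one of the template's scopes.
    return any(sc.covers(s.enterprise) for sc in t.scopes)

def can_modify_template(s: Session, t: Template) -> bool:
    # Management: logged in to the owning enterprise AND allowed in its location.
    return s.enterprise == t.owner_enterprise and t.location in s.allowed_locations

def can_modify_pricing(s: Session, creator_scope: Scope) -> bool:
    # Exactly the same scope as the creator; a wider scope does not qualify.
    return s.scope == creator_scope

# Constructed sample data, reusing the tenant6 names from the text.
tenant6 = Scope("tenant6scope", frozenset({"tenant6A", "tenant6B"}))
wider = Scope("tenant6wide", frozenset({"tenant6A", "tenant6B", "tenant6C"}))
everyone = Scope("allTenants", all_enterprises=True)
tpl = Template("tenant6A", "dc1", (tenant6,))
shared = Template("tenant6A", "dc1", (everyone,))
owner_admin = Session("tenant6A", tenant6, frozenset({"dc1"}))
peer_user = Session("tenant6B", tenant6, frozenset({"dc1"}))
outsider = Session("tenant6C", wider, frozenset({"dc1"}))

if __name__ == "__main__":
    print(can_deploy(peer_user, tpl), can_modify_template(peer_user, tpl))
```

When reviewing a deployment, note that the ability to deploy a template and the ability to modify it are decided by different attributes, so a scope audit alone does not tell you who can change a shared template.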
A scope hierarchy is a tree of scopes with parent and child scope relationships.
Diagram of a scope hierarchy
Example of a scope hierarchy in the user interface
To add a scope to a hierarchy, the administrator selects a parent scope when creating or editing the scope.
The platform uses the scope hierarchy for two purposes: to enable administrators to share resources and for aggregate billing and reporting of multi-tenant organizations.
To designate a sub-hierarchy with an enterprise as the "headquarters" with other enterprises underneath it, the administrator creates or edits the enterprise and sets the "key node" flag. The key node enterprise must be in the default scope of the enterprise, which must be at the top of a sub-hierarchy.
The administrator can designate that an enterprise is a reseller, to enable this tenant to charge their customers for use of the platform. The reseller's customers must be in the hierarchy underneath the reseller in the reseller enterprise's default scope.