Restriction sets are a powerful feature of OnApp clouds: they are used to isolate and share resources between multiple users. In this post, I’d like to give you a quick overview of our restriction sets functionality, and how they can be used to resell and share resources in your OnApp cloud.
A restrictions set is like a customizable set of limitations: you can use them to create ‘sub-administrators’ who have pseudo-admin control over certain resources in your cloud.
You can restrict resources by billing plan – in which case, the sub-admin can only manage resources dictated by their billing plan – or you can restrict resources by user group, in which case they can only manage resources owned by users in their group.
Here’s a simple example. In OnApp you could create a user group called “Company A”, and then two users who are part of Company A. With the correct restriction sets and permissions, you can enable all users in Company A to manage all Virtual Servers (VS) belonging to that user group, no matter who actually created the VS.
Another way to use restriction sets to to create one “reseller admin” who is able to resell a given amount of cloud resource to their end users. The reseller admin would be able to view and manage all of their end users’ Virtual Servers, while each end user would only be able to see their own.
In this scenario, the reseller would not be able to create roles for their end users: they would still need to be created by a cloud administrator, and these end user roles would have the same permission set as standard OnApp users.
Restriction sets have many different uses. For example, OnApp’s own vCloud Director integration makes extensive use of restriction sets to replicate the functionality of vCloud Organization Administrator accounts, which need to have full access to an entire Organization, or a User Group inside of OnApp, in a vCD environment.
If you need any further help or advice with restriction sets, get in touch with your account manager or contact OnApp support. Thanks!