Orchestrator controls access to its functionality with the help of scopes. A scope defines what operations users can perform and what range of data is available to them in the Orchestrator UI.
For a scope, you can:
- Assign user roles to users from that scope. A user role limits the number of operations available in the Orchestrator UI to users with that role. Role-based access is controlled by adding Active Directory users and groups to the relevant role in the Orchestrator UI.
There are 3 roles that can be assigned to users and user groups working with the Orchestrator UI: Administrator, Plan Author and Plan Operator. For the role descriptions, see Roles.
Orchestrator already provides one out-of-the-box Admin Scope. If you want to provide more granular permissions to users managing resources of the Orchestrator server, you can create a new scope. However, you will be able to assign only the Plan Author and Plan Operator roles to users added to the scope.
Plan Authors and Plan Operators in the Admin Scope have additional privileges compared to users in scopes that you create manually (for example, Plan Authors in the Admin Scope can edit any plan for any other scope, and Plan Operators in the Admin Scope can run any plan for any other scope).
- Limit the number of inventory items available in the Orchestrator UI to users from that scope. Inventory items are then used to create orchestration plans.