Labeled Objects
Labeled objects, such as workloads, are filtered by the scope of the user. On the Workloads page, you see only the workloads within the application scope; workloads outside the application scope are not visible. This applies to any labeled object, such as workloads, containers, Virtual Services, and Virtual Enforcement Nodes (VENs).
The menu functions and buttons change dynamically to reflect a user's permissions. For example, if you are logged in as a Ruleset Manager, you are not allowed to manage workloads, so all workload-specific operation buttons are disabled. However, you are allowed to view the list of workloads within the scope and get details for individual workloads, except for Virtual Servers.
Note
While Virtual Servers are considered labeled objects, they are visible to all scoped users regardless of object scope.
Facet Searches and Auto-complete
The search bar with auto-complete and facets is scoped for labeled objects and policies. For example, if you search for Application Labels, you can select only the Application Labels under the assigned scope. This applies to other label types such as Environment labels and Location labels. However, Role labels are excluded, since Role labels are not part of the user scope. The restriction of visibility by scope also applies to facets such as hostname, IP address, and others. The search bar automatically filters the facets to the list of facets in the user's assigned scope.
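The visibility and facet rules described above can be modeled as a small filter, which is useful when reviewing what a given scope actually exposes. This is an added illustration, not product code: the class, function, and field names, the sample inventory, and the treatment of a label type left out of the scope as "matches any value" are assumptions.

```python
from dataclasses import dataclass, field

# Label types that make up a user's scope; Role labels are not part of it.
SCOPE_KEYS = ("app", "env", "loc")

@dataclass
class LabeledObject:
    name: str
    kind: str                                   # "workload", "virtual_server", ...
    labels: dict
    attrs: dict = field(default_factory=dict)   # hostname, IP address, ...

def in_scope(obj, scope):
    # Assumption: a label type left out of the scope matches any value.
    return all(obj.labels.get(k) == v for k, v in scope.items() if k in SCOPE_KEYS)

def visible_objects(objects, scope):
    # Virtual Servers are visible to every scoped user regardless of object scope.
    return [o.name for o in objects if o.kind == "virtual_server" or in_scope(o, scope)]

def facet_values(objects, scope, facet):
    # Role labels are not restricted by scope; every other facet is drawn
    # only from labeled objects inside the user's assigned scope.
    pool = objects if facet == "role" else [o for o in objects if in_scope(o, scope)]
    values = {o.labels.get(facet, o.attrs.get(facet)) for o in pool}
    return sorted(v for v in values if v is not None)

# Constructed sample inventory (hypothetical names and labels).
INVENTORY = [
    LabeledObject("web1", "workload",
                  {"role": "web", "app": "payments", "env": "prod", "loc": "us"},
                  {"hostname": "web1.example.test"}),
    LabeledObject("db1", "workload",
                  {"role": "db", "app": "payments", "env": "prod", "loc": "eu"},
                  {"hostname": "db1.example.test"}),
    LabeledObject("hr1", "workload",
                  {"role": "app", "app": "hr", "env": "prod", "loc": "us"},
                  {"hostname": "hr1.example.test"}),
    LabeledObject("dev1", "workload",
                  {"role": "web", "app": "payments", "env": "dev"},
                  {"hostname": "dev1.example.test"}),
    LabeledObject("vip1", "virtual_server",
                  {"role": "lb", "app": "hr", "env": "prod", "loc": "us"}),
]
SCOPE = {"app": "payments", "env": "prod"}   # constructed user scope

if __name__ == "__main__":
    print(visible_objects(INVENTORY, SCOPE))
    for facet in ("app", "hostname", "role"):
        print(facet, facet_values(INVENTORY, SCOPE, facet))
```
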
Global Objects
Scoped users get full read-only visibility into all global objects. This includes IP Lists, services, labels, label groups, and user groups. However, scoped users are not allowed to create, modify, or provision global objects.
Note
Only the Global Organization Owner and Global Administrator can create, modify, and provision global objects.