Hi all,
we have configured an "APPROVAL POLICY" for the Action DAY-2 : Destroy deployment.
When we select APPROVERS > Determine approvers from the request : Business group > Managers
we encounter this error :
We don't see any log in a CATALINA.OUT. SOURCE > https://blogs.vmware.com/management/2018/01/debug-tips-vra-7-x-entitlements.html
Do you have an idea how we can DEBUG this error, please?
Thx for your help.
Yep,
here is the feedback from the VMware support team....
These are the steps I have followed:
-Created a new AD user called Manager_User
-Created a new AD group called Manager_Group and added Manager_User to this group
-Created a new AD user called Regular_user
-Created a New BG called Manager_Approval_BG
-Added Manager_Group to the Manager Role on Manager_Approval_BG
-Added Regular_User to the User role on Manager_Approval_BG
-Associated catalog items and reservations to the new BG
-Created approval policy Destroy_Manager_Approval
Approvers: Determine Approvers from the request
Business Group>Managers>Group
Policy Type: Service Catalog - Resource Action Request - Destroy - Deployment
After that I deployed a few VMs as Regular_User and, after the deployment succeeded, I tried to destroy the deployment. When I did that the user Manager_User received an e-mail asking to approve this action. That is the expected scenario.
And that works, but only when you create a new BG. :smileyangry:
For the old BG, it's not possible to repair the approvals policy. :smileycry:
Do you actually have a business group manager specified for the BG where this user is requesting? If so, does that/those user(s) have their email address specified in their AD account profile?
YEP thx for your response 😉
The BG has a BG manager AD group assigned :
and the user has an email address in Active Directory :
I haven't tried, but I think the BG Manager role needs to be an individual user account or else an email distribution list associated with that AD group. Otherwise, vRA doesn't know from whom to solicit an approval in a group.
When we configure the approval policy with this :
the approval is sent to the user's manager attribute in Active Directory :
ACTIVE DIRECTORY :
The REQUEST in vRA is sent to the Manager of the User in Active Directory :
Seriously, vRA checks the Active Directory attribute "MANAGER".
Do you think it is possible to bypass this check ?
Is this the email you've specified in the "Send manager emails to:" field on the business group's configuration?
NOP :
It's not possible to BYPASS this check in ACTIVE DIRECTORY ?
With a custom property or other to force the approval with a BG manager :smileyblush:
I just checked in my 7.3 environment and it does look up members of a group to send approval notifications. What version are you on? You're just getting this error on a day 2 action that has an approval from business group managers? But requests that require BG manager approval go out fine?
- vRA 7.3.1
- You're just getting this error on a day 2 action that has an approval from business group managers : YES
we have only this approval policy actually ....
Nooooooooooooooooooooooooooo :smileyangry:
Mapped Attributes provide a way of adding provider-specific attributes into vRA’s logic. For example, mapping the “Manager” attribute from Active Directory will expose the associated field/data to vRA’s approval engine, allowing the listed manager to be notified during the governance workflow. Attributes can be added or changed in the User Attributes section.
SOURCE : http://www.virtualjad.com/2015/11/vrealize-automation-7-part-5-identity-management.html
vRA checks the Active Directory MANAGER to send its request :smileyshocked: and not the BUSINESS GROUP MANAGER in vRA........
That may be an *IF* condition. As I said, if you don't have this attribute supplied and you do have an email address associated with an AD security group which has been granted the BG manager role, approval emails will go to that address.
Do you know if there is detailed documentation about the option : Determine approvers from the request
All the documentation we found speaks only about the option : Specific users and groups.
Thx.
I'm not sure, but the behavior for that is as I described.
It will look up the BG manager associated with the user making the request. It will dispatch an approval request email to all managers that have an email address set in their AD attribute, and this goes for security groups as well. If an email address is not associated with any of those AD objects, it will fail to send email.
Ok thanks for these details .... We will continue to search where we make a mistake.
If you have your vRA logs pointed at Log Insight, it's simple to build a query to get insight on your approvals and where things are going wrong. Add the hostname and search for the string "csp.catalog.notifications" because this is the base service responsible for notifications. It's really easy to see what's going on and where things are wrong.
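The same correlation can be done offline on exported log lines. This is an added example, not part of the original posts or VMware tooling: it assumes the `vcac:` line layout of the entries quoted in this thread, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the vRA 7.x log layout; tenant, principals and ids are made up.
SAMPLE = """\
2018-04-05 12:16:23,837 vcac: [component="cafe:approvals" priority="INFO" thread="q-1" tenant="example-tenant" context="ctxA0001" parent="p0" token="t1"] com.vmware.vcac.core.approvals.service.evaluation.ApprovalLevelEvaluator.evaluate:67 - ApprovalLevel [LevelNumber = "1", Name ="Manager"] : Criteria met for Approval Level
2018-04-05 12:16:23,901 vcac: [component="cafe:identity" priority="ERROR" thread="http-32" tenant="example-tenant" context="ctxA0001" parent="t2" token="t3"] com.vmware.vcac.authentication.service.impl.PrincipalWrapperFactoryImpl.create:60 - Could not find principal 'bg-managers@example.test' in tenant 'example-tenant'
2018-04-05 12:16:23,904 vcac: [component="cafe:catalog" priority="ERROR" thread="http-41" tenant="example-tenant" context="ctxA0001" parent="t1" token="t2"] com.vmware.vcac.platform.content.data.provider.CompositeDataProvider.getData:60 - Error retrieving data from component provider with prefix: organization.subTenant~
at com.vmware.vcac.platform.content.data.provider.ExternalDataProvider.getData(ExternalDataProvider.java:101)
2018-04-05 12:16:23,924 vcac: [component="cafe:approvals" priority="ERROR" thread="q-1" tenant="example-tenant" context="ctxA0001" parent="p0" token="t1"] com.vmware.vcac.core.approvals.service.impl.ApprovalHelper.performOperation:167 - Approver resolution encountered problems for level Manager.
2018-04-05 12:17:02,110 vcac: [component="cafe:identity" priority="ERROR" thread="http-9" tenant="example-tenant" context="ctxB0002" parent="t8" token="t9"] com.vmware.vcac.authentication.service.impl.PrincipalWrapperFactoryImpl.create:60 - Could not find principal 'other@example.test' in tenant 'example-tenant'
"""

LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) vcac: '
    r'\[(?P<attrs>[^\]]*)\] (?P<source>\S+) - (?P<msg>.*)$')
ATTR = re.compile(r'(\w+)="([^"]*)"')
PRINCIPAL = re.compile(r"Could not find principal '([^']+)' in tenant '([^']+)'")

def parse(text):
    """Turn header lines into dicts; stack-trace continuation lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ev = dict(ATTR.findall(m['attrs']))
            ev.update(ts=m['ts'], source=m['source'], msg=m['msg'])
            events.append(ev)
    return events

def failed_approvals(events):
    """context id -> time-ordered ERROR events, only where cafe:approvals itself failed."""
    by_ctx = defaultdict(list)
    for ev in events:
        if ev.get('priority') == 'ERROR':
            by_ctx[ev.get('context')].append(ev)
    return {ctx: sorted(evs, key=lambda e: e['ts'])  # fixed-width timestamps sort as text
            for ctx, evs in by_ctx.items()
            if any(e.get('component') == 'cafe:approvals' for e in evs)}

def unresolved_principals(events):
    """(principal, tenant) pairs the identity service could not find."""
    return [m.group(1, 2) for e in events if (m := PRINCIPAL.search(e['msg']))]

if __name__ == "__main__":
    for ctx, chain in failed_approvals(parse(SAMPLE)).items():
        print(ctx, [e['component'] for e in chain], unresolved_principals(chain))
```

Grouping on `context` puts the first ERROR of a failed approval next to the approval failure itself, and drops errors from unrelated requests.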
We have it ...... You are the boss 😉 thx.
When we request a destruction with the approval policy applied .... We found this error
2018-04-0512:13:05.081
2018-04-05 10:13:05,081 vcac: [component="cafe:catalog" priority="ERROR" thread="tomcat-http--25" tenant="smartcloud-dev" context="ezUcGQUK" parent="0HMoPKZt" token="YLy8De8A"] com.vmware.vcac.platform.content.data.provider.CompositeDataProvider.getData:60 - Error retrieving data from component provider with prefix: organization.subTenant~
com.vmware.vcac.platform.content.exceptions.RemoteEvaluationException: Error retrieving data for class [subtenant] and id [d73b0a55-d412-4806-a415-a300d321140f]
at com.vmware.vcac.platform.content.data.provider.ExternalDataProvider.getData(ExternalDataProvider.java:101) ~[platform-content-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.content.data.provider.CompositeDataProvider.getData(CompositeDataProvider.java:55) [platform-content-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.content.data.provider.RequestTransformingDataProvider.getData(RequestTransformingDataProvider.java:47) [platform-content-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.content.data.AbstractDataAndSchemaService.getData(AbstractDataAndSchemaService.java:36) [platform-content-provider-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.rest.client.error.ResponseErrorHandler.handleError(ResponseErrorHandler.java:61) ~[platform-rest-client-7.3.1-SNAPSHOT.jar:?]
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:707) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:660) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:620) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:387) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
at com.vmware.vcac.platform.rest.client.impl.RestClientImpl.post(RestClientImpl.java:403) ~[platform-rest-client-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.content.data.provider.ExternalDataProvider.getData(ExternalDataProvider.java:92) ~[platform-content-7.3.1-SNAPSHOT.jar:?]
... 98 more
2018-04-0512:13:05.000
127.0.0.1 [05/Apr/2018:10:13:05 +0000][31 ms] "POST /identity/api/data-service/data/subtenant/d73b0a55-d412-4806-a415-a300d321140f HTTP/1.1" 404 272 [tomcat-http--41]
2018-04-0512:12:18.000
127.0.0.1 [05/Apr/2018:10:12:18 +0000][15 ms] "GET /identity/api/tenants/smartcloud-dev/principals/VRA_ASSET_GRP_MANAGER@p.com/ HTTP/1.1" 404 171 [tomcat-http--19]
If you have an IDEA
this is the FULL log @LogInsight when we request "DESTROY Virtual Machine"
2018-04-0514:16:23.832
2018-04-05 12:16:23,832 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.core.approvals.service.impl.ApprovalProcessor.processRequestedItemApprovalInternal:147 - RequestedItemApproval [RequestedItemApprovalId="99d97f19-7ce2-4fb8-809d-95610111c9d3" RequestedItemName="" RequestedFor=""] : Beginning the level evaluation for Requested Item Approval
2018-04-0514:16:23.836
2018-04-05 12:16:23,836 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.core.approvals.service.evaluation.ApprovalEvaluator.evaluate:40 - RequestedItemApproval [RequestedItemApprovalId="99d97f19-7ce2-4fb8-809d-95610111c9d3" RequestedItemName="{com.vmware.csp.core.cafe.catalog@request.action.name,[{{com.vmware.csp.component.iaas.proxy.provider@resource.action.name.virtual.Destroy}},{lxa088}]}" RequestedFor="MyUserName@fqdn.com"] : Starting evaluation of requested item approval
2018-04-0514:16:23.837
2018-04-05 12:16:23,837 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.core.approvals.service.evaluation.ApprovalLevelEvaluator.evaluate:67 - ApprovalLevel [LevelNumber = "1", Name ="Manager"] : Criteria met for Approval Level
2018-04-0514:16:23.858
2018-04-05 12:16:23,858 vcac: [component="cafe:catalog" priority="INFO" thread="tomcat-http--41" tenant="smartcloud-dev" context="1Cv6TQYf" parent="a2pDj8KG" token="cmQQZn7J"] com.vmware.vcac.catalog.provider.gateway.impl.ProviderResolverImpl.resolveProvider:42 - Request [RequestId ="e80c6e04-b558-4782-90a4-6f86264240a5" TenantName="smartcloud-dev" SubtenantName="BG_ASSET"] : Resolving provider for request
2018-04-0514:16:23.901
2018-04-05 12:16:23,901 vcac: [component="cafe:identity" priority="ERROR" thread="tomcat-http--32" tenant="smartcloud-dev" context="1Cv6TQYf" parent="cmQQZn7J" token="XdbzUuwD"] com.vmware.vcac.authentication.service.impl.PrincipalWrapperFactoryImpl.create:60 - Could not find principal 'MyBG_Manager_AD_Group@fqdn.com' in tenant 'smartcloud-dev'
2018-04-0514:16:23.904
2018-04-05 12:16:23,904 vcac: [component="cafe:catalog" priority="ERROR" thread="tomcat-http--41" tenant="smartcloud-dev" context="1Cv6TQYf" parent="a2pDj8KG" token="cmQQZn7J"] com.vmware.vcac.platform.content.data.provider.CompositeDataProvider.getData:60 - Error retrieving data from component provider with prefix: organization.subTenant~
com.vmware.vcac.platform.content.exceptions.RemoteEvaluationException: Error retrieving data for class [subtenant] and id [d73b0a55-d412-4806-a415-a300d321140f]
at com.vmware.vcac.platform.content.data.provider.ExternalDataProvider.getData(ExternalDataProvider.java:101) ~[platform-content-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.content.data.provider.CompositeDataProvider.getData(CompositeDataProvider.java:55) [platform-content-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.content.data.provider.RequestTransformingDataProvider.getData(RequestTransformingDataProvider.java:47) [platform-content-7.3.1-SNAPSHOT.jar:?]
at com.vmware.vcac.platform.content.data.AbstractDataAndSchemaService.getData(AbstractDataAndSchemaService.java:36) [platform-content-provider-7.3.1-SNAPSHOT.jar:?]
2018-04-0514:16:23.923
2018-04-05 12:16:23,923 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.core.approvals.service.evaluation.DefaultPrincipalResolver.convertToPrincipals:168 - The value of field path organization.subTenant~ROLE_CSP_SUBTENANT_MANAGER~asGroup returned by the provider is null
2018-04-0514:16:23.923
2018-04-05 12:16:23,923 vcac: [component="cafe:approvals" priority="ERROR" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.platform.rest.client.support.RetriableOperation.call:94 - Exception thrown is unexpected during retry operation with message 'Approval Policy [V00_Destroy Virtual Machine] : Approver resolution encountered problems for level Manager. Details are provided.'
2018-04-0514:16:23.924
2018-04-05 12:16:23,924 vcac: [component="cafe:approvals" priority="ERROR" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.core.approvals.service.impl.ApprovalHelper.performOperation:167 - Encountered runtime error for Requested Item Approval [99d97f19-7ce2-4fb8-809d-95610111c9d3] while performing operation [evaluation] caused by [[Error code: 80037 ] - [Error Msg: Approval Policy [V00_Destroy Virtual Machine] : Approver resolution encountered problems for level Manager. Details are provided.]]
com.vmware.vcac.core.approvals.exception.ApproverMaterializationException: Approval Policy [V00_Destroy Virtual Machine] : Approver resolution encountered problems for level Manager. Details are provided.
at com.vmware.vcac.core.approvals.service.evaluation.ApprovalLevelEvaluator.materializePrincipals(ApprovalLevelEvaluator.java:164) ~[classes/:?]
2018-04-0514:16:23.953
2018-04-05 12:16:23,953 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.core.approvals.service.impl.ApprovalProcessor.processRequestedItemApprovalInternal:152 - RequestedItemApproval [RequestedItemApprovalId="99d97f19-7ce2-4fb8-809d-95610111c9d3" RequestedItemName="" RequestedFor=""] : Finished the level evaluation for Requested Item Approval
2018-04-0514:16:23.954
2018-04-05 12:16:23,954 vcac: [component="cafe:approvals" priority="INFO" thread="queue-pool-executer-1" tenant="smartcloud-dev" context="1Cv6TQYf" parent="3uajj3OQ" token="a2pDj8KG"] com.vmware.vcac.core.approvals.service.impl.ApprovalProcessor.processRequestedItemApprovalInternal:154 - RequestedItemApproval [RequestedItemApprovalId="99d97f19-7ce2-4fb8-809d-95610111c9d3" RequestedItemName="" RequestedFor=""] : Creating work item and/or notifying requesting service for Requested Item Approval
2018-04-0514:16:23.970
2018-04-05 12:16:23,970 vcac: [component="cafe:catalog" priority="INFO" thread="tomcat-http--8" tenant="smartcloud-dev" context="1Cv6TQYf" parent="a2pDj8KG" token="DXxR0lmr"] com.vmware.vcac.catalog.service.impl.RequestServiceImpl.requestApprovalEvent:695 - Request [RequestId ="e0bc76c7-0452-457c-a72f-8c361e5c7d8e" TenantName="" SubtenantName=""] : Received approval event {APPROVAL_COMPLETION} for Request with ApprovalId {a8fa5e31-a067-424b-a4ee-26ee7fc4607d}.
2018-04-0514:16:23.973
2018-04-05 12:16:23,973 vcac: [component="cafe:catalog" priority="INFO" thread="tomcat-http--8" tenant="smartcloud-dev" context="1Cv6TQYf" parent="a2pDj8KG" token="DXxR0lmr"] com.vmware.vcac.catalog.service.impl.RequestServiceImpl.updateRequestOnApprovalEvent:727 - ResourceActionRequest [RequestId ="e0bc76c7-0452-457c-a72f-8c361e5c7d8e" ResourceId="aad5cd5a-526a-46d4-b0fd-508ee69336c0" ResourceName="lxa088" ResourceActionId= "d0e1c045-1608-4d9a-9aa3-1b7cebf4a1a1" ResourceActionName="{com.vmware.csp.component.iaas.proxy.provider@resource.action.name.virtual.Destroy}" TenantName="smartcloud-dev" SubtenantName="BG_ASSET"] : Update request according to approval evaluation state {IN_ERROR}.
2018-04-0514:16:23.974
2018-04-05 12:16:23,974 vcac: [component="cafe:catalog" priority="INFO" thread="tomcat-http--8" tenant="smartcloud-dev" context="1Cv6TQYf" parent="a2pDj8KG" token="DXxR0lmr"] com.vmware.vcac.catalog.notifications.NotificationQueuePublisherImpl.send:31 - ResourceActionRequest [RequestId ="e0bc76c7-0452-457c-a72f-8c361e5c7d8e" ResourceId="aad5cd5a-526a-46d4-b0fd-508ee69336c0" ResourceName="lxa088" ResourceActionId= "d0e1c045-1608-4d9a-9aa3-1b7cebf4a1a1" ResourceActionName="{com.vmware.csp.component.iaas.proxy.provider@resource.action.name.virtual.Destroy}" TenantName="smartcloud-dev" SubtenantName="BG_ASSET"] : Publishing notification event for scenario {REQUEST_FAILED}
On the Default Tenant with ADMINISTRATOR account we can see these two errors :