Unfortunately I have the same issue.
Even more unfortunately I came across this little gem:
“ Role- and group-based permissions are only available if you configure your Orchestrator instance with vRealize Automation authentication.”
I am hoping that I am misunderstanding something, but it really seems like they removed the ability to manage roles in orchestrator unless you are using vRealize Automation.
So, I am pretty furious. I have been speaking with a VMWare support rep about this issue and he confirmed what I thought.
VMWare has removed permissions and roles for Orchestrator UNLESS you are using vRA for authentication.
I have spent a lot of time implementing this feature that was included in the product we have purchased and paid maintenance on for YEARS.
The workflows i have created have become part of our business practices, and our OS admins have come to rely on them.
Now VMWare has removed this feature, and in order to get it back we have to spend an enormous amount of money on additional licensing and maintenance for vRA?
What are they going to do next? remove vMotion so they can sell that back to us in another product?
Sorry. I'm super ticked. All the workflows I have created for our OS admins no longer work. Thanks a lot VMWare!
Why not just roll back to vRO 7.5? What really are you gaining with 7.6 in that case?
Yeah, I am going to roll back to 7.5
But thats not really a long-term solution is it?
Eventually future vCenter versions will no longer be supported by 7.5
It's probably not a long term solution, no, but you can expect 7.5 to probably work with vCenter for quite enough time. Gives you enough lead time to figure out how (or if) you can modify vRO to your needs given the removal of that feature.
I also noticed that in the release notes recently, installed 7.6 to check it out, and noticed that permissions management is missing from the vRO thick client. The options are simply not in the menus anymore. I've been meaning to ask our TAM about this because it just doesn't seem right. I thought I had to be misunderstanding something or missing a feature somewhere.
This leads me to believe that the effect is that it is now not possible to delegate the ability to execute vRO workflows from vCenter. As in, it is 100% impossible to grant a user read (or any other role) in vCenter, grant that user permission to a workflow, and allow that user to execute the workflow from vCenter, whether through context menu action or from the vRO plugin from the home screen. If I'm understanding things correctly and that is really what was done, then this ranks slightly below vRAM licensing as one of VMware's dumbest blunders to date. In fact, this would be so stupid that I could hardly believe such a direction would be approved for the product suite.
Please tell me I'm wrong about this. Delegating workflow execution and vRO/vCenter integration with context sensitivity has been the "killer app" for vRO since its inception. It's quite literally the only reason we use vRO. If I can't present workflows to users, what's the point of having workflows in the first place?
That is exactly what it means, and is how I found out.
I had created many workflows for our OS Admins.
These OS Admins had read and execute permissions, but not Administrator rights in vRO.
I didnt read the docs adequately before upgrading, and did not notice a problem until my customers started coming to me saying their workflows were not running.
I thought maybe the upgrade had hosed the permissions on some actions the workflow called, and when I went to fix the permissions... SURPRISE!
The permissions edit tabs were gone!
It really does feel like VMWare is trying to strong-arm their customers in buying vRA.
It's not the first time they have removed a feature only to try selling it back to us in another product, but it is the first time I have personally invested a lot of time into developing processes with one of the features they have done this with, so I am more than a little annoyed.
My recommendation is to do what I have done and contact your account manager and raise holy hell.
I do not use standalone vRO but does this help (from the same document)?
Users from the Orchestrator identity provider with no defined roles can still log in to the client, but have limited access to client features. If they are part of a group, they can view and run content associated with that group.
The same restriction seemed to be applicable in 7.5, what is changed in 7.6?
Configure a vRealize Orchestrator server with vRealize Automation authentication. For more information, see Installing and Configuring vRealize Orchestrator.
For the support rep I have been in contact with:
"I finally tracked down the Project Manager for the product and they have a problem report opened with our developers for this issue: "vRO7.6 does not allow AD admins to configure ROLE/GROUP management options in html5 web client"
I am told they have looked at it and are releasing a patch that should enable groups for vSphere users"
Do you have some information about the patch?
I have not tried the patch yet myself, but they claim that fixes the issue
Unless you received this from a public KB, people reading this should probably check with GSS before they go about slinging patches onto their systems, especially without any notes or guidance of any sort.
daphnissov is correct. I actually regretted posting that right after I did it, but I couldn't find a way to delete it.
In any case, don't bother installing it as it does not fix the issue.