I received a patch from the VMware support team: VMware-vRO-Appliance-126.96.36.1993-13917939-updaterepo.iso
When you are an Admin (part of the admin AD group in the vSphere authentication setup), you can see a new section "Groups" in the HTML5 UI under "Administrator".
This allows you to create "vRO Groups", to assign AD Users or AD Groups to them, and to define which Workflows this vRO group can run.
However, it seems to only support the "run" role at the moment.
If you need edit, I think you must be an Admin.
Unfortunately for us this is a blocker, as we have many AD groups that need the "edit" role to create workflows.
They had screwed up the import of groups in the fix they sent me.
After some back and forth they fixed it in a more recent .iso.
However, after drilling into things more, it has become clear they broke much more under the hood.
They simplified the roles into "admin" and "run".
That's not enough.
I created workflows that enabled our OS admins to run workflows against the VMs under THEIR groups/folders.
The Linux guys couldn't run their workflows against the VMs in the Windows folders and vice versa.
Now, with the "simplified" roles the Linux guys can see and run workflows against any VMs in the infrastructure.
That's not going to fly AT ALL.
I brought this to the developer's attention and their response was:
"The connections to vSphere must be configured to use session per user instead of a shared session. This means the user cannot escalate his/her permissions when performing vSphere operations."
That is also NOT going to fly. My workflows simply will not work anymore.
In essence, they have completely broken all of the work I put into this and rendered Orchestrator useless in our environment.
Worse, they have proven I can't trust VMware not to take away a feature I came to rely on in order to sell it back to me in some other product.