
vRealize Orchestrator (vRO) is a workflow engine that allows you to extend the capabilities of vRA Cloud services. It is used as an integration endpoint between vRA Cloud services and third-party systems running on-prem or in the cloud. vRO comes bundled with a set of commonly used plugins (vSphere, Active Directory, PowerShell, REST...) to help you automate your existing business processes. One common scenario is the on-boarding of a new employee. In that case there is usually a set of resources that need to be provisioned, and often an approval is required for them. We will concentrate on the approvals part and implement a "Custom Approval policy" using vRO and the popular issue tracking system JIRA.


A user requests a machine. Before the machine is provisioned, approval needs to be granted.




  • The user logs in to vRA Cloud and requests a machine.
  • A JIRA ticket is created and assigned to an authorized party.
    • If the JIRA ticket is APPROVED, the request proceeds.
    • If the JIRA ticket is REJECTED, the machine request is also rejected.


Solution overview

Create a blocking subscription "Wait for Approval" and attach it to the "Compute Allocate" phase. When the subscription is triggered it invokes the vRO workflow "Wait for approval", which creates a JIRA ticket and assigns it for approval. The workflow then waits for the JIRA ticket status to reach the "APPROVED" or "REJECTED" state before unblocking the deployment.


For the impatient

  • [JIRA] Create a test JIRA project. Make sure to use the "Process Management" template and that the project key is "VRO".
  • [VRO] Import com.vmware.jira.approval.package.
  • [VRO] Add the vRO REST endpoint "Approvals JIRA", pointing to your JIRA server, using the "Library→HTTP-REST→Add a Rest host" workflow.
  • [VRO] Edit the configuration "com→vmware→Jira→JiraApprovalConfiguration"
    • Set jiraHost to the "Approvals JIRA" REST host
    • Update jiraProjectKey to match your JIRA project key.
  • [VRA CLOUD] Create the Extensibility Subscription "Wait for approval"
    • Event Topic is "Compute Allocate".
    • Runnable Item is set to vRO Workflow - "Wait for approval"
    • Blocking is enabled
  • [VRA CLOUD] Set Projects→Your Project→Provisioning→Request Timeout
  • Test it!
    • [VRA CLOUD] Request a machine deployment
    • [JIRA] Check the Jira project for the approval issue and Approve it or Reject it!
    • [VRA CLOUD] Check the status of your deployment.


[JIRA]       Action is performed inside the JIRA server

[VRO]        Action is performed inside the vRO server

[VRA CLOUD]  Action is performed inside vRA Cloud


Approvals Configuration & Demo ...


Continue reading for more detailed look at the solution...


JIRA Integration

JIRA has a nice REST API and vRO already comes bundled with a REST plugin, so let's use it! The first step is to create a new JIRA project for the approvals demo. I chose the "Process Management" template since it comes out of the box with a default JIRA server installation and corresponds well to our use case. It has "APPROVED" and "REJECTED" statuses in its default workflow. If you choose a different template, make sure to update "JiraApprovalConfiguration" accordingly.



Once we have a JIRA project to work with, the next step is to add the JIRA server as a vRO REST endpoint. This enables the vRO server to communicate with the JIRA server, and we will use it to create new issues and track their status.

Inside the vRO Client navigate to the "Library→HTTP-REST→Add a Rest host" workflow and run it.

Provide the name, URL, authentication method and credentials valid for your JIRA server. I am using a local JIRA server with Basic authentication, which makes the task trivial.

After "Add a Rest host" completes successfully you should be able to see the new REST endpoint (in my case I named it "Approvals JIRA") under the HTTP REST plugin inventory.


4.1. Approvals package

We will need a couple of workflows and actions to complete the integration with JIRA.

In the vRO Client navigate to the Packages view and import the package com.vmware.jira.approval.package.




Let's take a closer look at the package content.


  • createJiraIssue - Performs the actual POST request to the JIRA server to create a new issue.
  • getIssue - Contacts the JIRA server and returns details for a specific issue. Used for issue status tracking.
  • dumpProperties - Prints the incoming vRO inputs.


  • "Wait for approval" - Entry point of our integration. When invoked it creates a JIRA issue and waits until the issue reaches the REJECTED or APPROVED state.
  • "JIRA - Wait on issue status" - Helper workflow that waits until the Jira issue reaches the specified state.


  • createIssue.json - JSON template for the create-issue POST request to the JIRA server.


  • JiraApprovalConfiguration - Environment-specific properties for the Approvals integration.




So far we have a project created in JIRA, the required com.vmware.jira.approval.package imported in vRO and a REST endpoint "Approvals JIRA" created.

To link them together we need to edit the "JiraApprovalConfiguration" configuration element deployed with com.vmware.jira.approval.package.



Configurations→ JiraApprovalConfiguration

  • jiraHost - REST host for communication with the JIRA server
  • jiraProjectKey - Key of the project in Jira where the issues tracking the approvals will be created
  • jiraIssueType - Type of the issue tracking the approval. Defaults to "Task".
  • jiraIssueRejectedState - Jira issue status which corresponds to the Rejected state for the request. When the Jira issue status changes to this state the request will be rejected. Defaults to "Rejected"
  • jiraIssueApprovedState - Jira issue status which corresponds to the Approved state for the request. When the Jira issue status changes to this state the request will be approved. Defaults to "Approved"

If you have used the recommended Jira project template "Process Management" and the project key "VRO", the only required change is to set "jiraHost".
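The decision logic these settings drive, as an added example (it is not the code shipped in com.vmware.jira.approval.package). It assumes the issue JSON returned by JIRA's `GET /rest/api/2/issue/{key}`; the injected `getIssue` function, the `maxPolls` bound and the case-insensitive status match are assumptions of this example. Unlike the workflow described here, it stops waiting after a fixed number of polls and treats that as a rejection.

```javascript
// Added example. Keys mirror JiraApprovalConfiguration; values are the defaults named above.
var config = {
  jiraProjectKey: "VRO",
  jiraIssueType: "Task",
  jiraIssueApprovedState: "Approved",
  jiraIssueRejectedState: "Rejected"
};

// Map a JIRA issue (GET /rest/api/2/issue/{key}) to a decision.
// Only an exact match on a configured status name ends the wait.
function decisionFromIssue(cfg, issue) {
  var name = issue && issue.fields && issue.fields.status && issue.fields.status.name;
  if (typeof name !== "string") { return "PENDING"; }
  var s = name.trim().toLowerCase();
  if (s === cfg.jiraIssueApprovedState.toLowerCase()) { return "APPROVED"; }
  if (s === cfg.jiraIssueRejectedState.toLowerCase()) { return "REJECTED"; }
  return "PENDING";
}

// Poll at most maxPolls times. getIssue is injected (hypothetical stand-in for
// the package's getIssue action); a real workflow would sleep between polls.
function waitForDecision(cfg, issueKey, getIssue, maxPolls) {
  for (var i = 0; i < maxPolls; i++) {
    var issue = null;
    try {
      issue = getIssue(issueKey);
    } catch (e) {
      continue; // lookup failure: keep waiting, never approve on error
    }
    if (!issue || issue.key !== issueKey) { continue; } // answer for another issue
    var d = decisionFromIssue(cfg, issue);
    if (d !== "PENDING") { return d; }
  }
  return "REJECTED"; // no explicit approval before the deadline: fail closed
}

// Constructed sample responses shaped like JIRA issue JSON.
var sampleResponses = [
  { key: "VRO-1", fields: { status: { name: "To Do" } } },
  { key: "VRO-1", fields: { status: { name: "Under Review" } } },
  { key: "VRO-1", fields: { status: { name: "Approved" } } }
];
function stubGetIssue(responses) {
  var n = 0;
  return function () { return responses[Math.min(n++, responses.length - 1)]; };
}
```

Calling `waitForDecision(config, "VRO-1", stubGetIssue(sampleResponses), 10)` returns "APPROVED" on the third poll; the same call with only the first two responses returns "REJECTED" once the polls run out.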


vRA Cloud Subscription

Now we need to make vRA Cloud services aware of our "Wait for approval" workflow.

To do so, log in to vRA Cloud and create an Extensibility Subscription "Wait for approval".

Make sure to set

  • Event Topic is "Compute Allocate".
  • Runnable item is set to vRO Workflow - "Wait for approval"
  • Blocking is enabled


The last configuration change needed is to set the "Request Timeout" for your project in vRA Cloud.



Request Timeout

If this project team is deploying blueprints that need more than 2 hours to provision, you can specify an extended period before the deployment fails.

If both the blueprint and the project include timeout values, the largest value takes precedence.


And finally we are ready to test our solution...

Request a new blueprint deployment. Once it reaches the allocation phase, a new JIRA issue should be created and waiting to get approved...


No need to hurry: the deployment will stay in the allocation phase until the JIRA issue is Approved or Rejected...

You can also check vRO. There should be a new run of "Wait for approval" tracking the status of the newly created JIRA issue...


Now let's check what happens if we approve it.

Open the issue and update its status to Approved ("Start Progress"→"Under Review"→"Approved")

After a while the "Wait for Approval" run in vRO should be marked as completed and you should see the deployment progressing into "CREATE_IN_PROGRESS"



A video capturing the configuration and test steps is also available.




Hope it helps!




We will take a brief look at the new features added in version 3.0.0 of the Active Directory plugin for vRealize Orchestrator.


Here is a brief list of the newly added features and fixes.

  • Added support for non-persistent LDAP connections.
  • Added generic LDAP client (LdapClient).
  • Added support for SimplePagedResultsControl. It allows the client to iterate through a potentially large set of search results in subsets of a specified number of entries (i.e., "pages").
  • Added User.getSID() and UserGroup.getSID() scripting methods for retrieving the objectSID attribute in the following format: 'S-1-IdentifierAuthority-SubAuthority1-SubAuthority2-...-SubAuthorityn'
  • Added getGUID() support for retrieving objectGUID formatted as dashed string
  • Fix: methods discards configured LDAP base
  • Removed sub-domain entries from inventory tree of parent domain. (Deprecated since 2.0)


Let's go through the list above and see what those mean in more detail...

Added support for non-persistent LDAP connections

What does that mean?

It means that it is no longer necessary to add an Active Directory server using one of the configuration workflows ("Add an Active Directory server") in order to invoke operations on it.

Starting with version 3.0 of the plugin you can create a connection to an LDAP server without registering it as an inventory item.

Here is a brief example of how this can be achieved. It creates a connection to a given LDAP host and searches for a specific LDAP entry by its DN.

     var ldapClient = null;
     try {
        System.log("Initializing ldap client...");
        // host, port, username, password and lookupDn are inputs of the workflow/action
        ldapClient = LdapClientFactory.newLdapClient(host, port, username, password, false);
        System.log("Searching for entry with dn [" + lookupDn + "]");
        var entry = ldapClient.getEntry(lookupDn);
        if (entry != null) {
               System.log("Found entry with dn[" + entry.getDN() + "]");
               var attrs = entry.getAttributes();
               for (var i in attrs) {
                    System.log(" name :" + attrs[i].getName());
                    System.log(" values :" + attrs[i].getValues());
               }
        } else {
               System.log("Nothing found!!!");
        }
     } finally {
        if (ldapClient != null) {
               // release the connection; close() is assumed, check LdapClient in the API explorer
               ldapClient.close();
        }
     }

Added generic LDAP client (LdapClient).

What does that mean?

Previous versions of the plugin supported connecting to an Active Directory LDAP server only. The new version introduces a generic LDAP client which can connect to any server supporting the LDAP protocol.

The newly added generic LdapClient is fully functional and supports searches and modification of arbitrary LDAP entries. It also supports lookup of a specific entry by its DN.

For more details regarding the available functionality, refer to the vRO API explorer: under the AD plugin you should see a number of new scripting objects starting with the LdapXXXX prefix.



Added support for SimplePagedResultsControl.

What does that mean?

The newly added LdapClient also supports SimplePagedResultsControl. It allows the client to iterate through a potentially large set of search results in subsets of a specified number of entries (pages).

var ldapClient = LdapClientFactory.newLdapClient(host, port, username, password, false);
// Perform a search to retrieve all users in the server, but only retrieving 2 at a time.
var numSearches = 0;
var totalEntriesReturned = 0;
var searchRequest = LdapSearchRequest.createRequest(
  null, //attributes
  // ... the other arguments of this call are not shown here
);

var resumeCookie = null;
while (true) {
  System.log("More results found. Continuing with page " + numSearches);

  // Create SimplePagedResultsControl configured to return at most 2 entries;
  // on the initial request resumeCookie must be null
  var pagedSearchControl = new LdapSimplePagedResultsControl(2, resumeCookie, true);
  // Make sure there is no other control registered with the same OID,
  // then add the SimplePagedResultsControl to the current search request
  // ... (the calls for these two steps are not shown here)

  // execute search request
  var searchResult = ldapClient.searchBySearchRequest(searchRequest);
  numSearches++;
  totalEntriesReturned += searchResult.getEntryCount();

  // Traverse through the result set
  var entries = searchResult.getSearchEntries();
  for (var e in entries) {
    // ... (per-entry processing is not shown here)
  }

  // Check if there are more results
  var responseControl = LdapSimplePagedResultsControl.get(searchResult);
  if (responseControl.moreResultsToReturn()) {
    // The resume cookie can be included in the simple paged results
    // control included in the next search to get the next page of results.
    resumeCookie = responseControl.getCookieBytes();
  } else {
    // last page reached: stop paging
    break;
  }
}


Added User.getSID() and UserGroup.getSID()


System.log("User " + user.distinguishedName + " objectSID [" + user.getSID() + "]");

Produces the following output:

[2016-07-18 18:00:29.725] [I] User CN=demo user,CN=Users,DC=gia,DC=net objectSID [S-1-5-21-124928778-1889607053-1629036291-4274]


Added getGUID()


System.log("User " + user.distinguishedName + " objectGUID [" + user.getGUID() + "]");

Produces the following output:

[2016-07-18 18:03:29.867] [I] User CN=demo user,CN=Users,DC=gia,DC=net objectGUID [efc97a06-7a3b-47df-b630-7b814e8a1cc6]
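What getSID() and getGUID() save you from doing by hand, as an added example (not the plugin's code): decoding the raw binary objectSid and objectGUID attribute values, as a directory returns them, into the string forms shown above. The function names and the sample byte arrays are constructed for this example; the arrays encode the two values from the log output on this page.

```javascript
// Added example. Input is an array of byte values; "& 0xff" also
// accepts signed bytes (-128..127) as produced by Java byte arrays.

function sidToString(bytes) {
  if (!bytes || bytes.length < 8) { throw new Error("SID too short"); }
  var revision = bytes[0] & 0xff;
  var count = bytes[1] & 0xff;          // number of sub-authorities
  if (bytes.length !== 8 + 4 * count) { throw new Error("SID length mismatch"); }
  // Identifier authority: 48-bit big-endian (multiply, bit shifts are 32-bit only)
  var authority = 0, i;
  for (i = 2; i < 8; i++) { authority = authority * 256 + (bytes[i] & 0xff); }
  var parts = ["S", revision, authority];
  // Sub-authorities: unsigned 32-bit little-endian
  for (i = 0; i < count; i++) {
    var o = 8 + 4 * i;
    var sub = (bytes[o] & 0xff) | ((bytes[o + 1] & 0xff) << 8) |
              ((bytes[o + 2] & 0xff) << 16) | ((bytes[o + 3] & 0xff) << 24);
    parts.push(sub >>> 0);              // force unsigned
  }
  return parts.join("-");
}

function guidToString(bytes) {
  if (!bytes || bytes.length !== 16) { throw new Error("GUID must be 16 bytes"); }
  // The first three fields are stored little-endian, the rest in display order
  var order = [3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15];
  var h = "";
  for (var i = 0; i < 16; i++) {
    var b = (bytes[order[i]] & 0xff).toString(16);
    h += (b.length < 2 ? "0" : "") + b;
  }
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join("-");
}

// Constructed byte arrays encoding the values printed in the log lines above
var sampleSid = [0x01, 0x05, 0, 0, 0, 0, 0, 0x05, 0x15, 0, 0, 0,
                 0x0a, 0x43, 0x72, 0x07, 0x8d, 0x1d, 0xa1, 0x70,
                 0x03, 0x1f, 0x19, 0x61, 0xb2, 0x10, 0, 0];
var sampleGuid = [0x06, 0x7a, 0xc9, 0xef, 0x3b, 0x7a, 0xdf, 0x47,
                  0xb6, 0x30, 0x7b, 0x81, 0x4e, 0x8a, 0x1c, 0xc6];
```

A SID whose length does not match its sub-authority count is rejected rather than decoded partially, which matters when the bytes come from an untrusted or truncated source.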

Removed sub-domain entries from inventory tree of parent domain. (Deprecated since 2.0)

Version 1.x of the Active Directory plugin supported a single AD server. To mitigate this limitation to some degree, the plugin could show the sub-domains' inventory tree as part of the configured AD server. Version 2.x of the plugin introduced support for multiple AD servers, and starting with that version the recommended approach for handling sub-domains is to register them as separate AD server configurations. Showing sub-domain entries as part of the parent domain inventory tree was deprecated in favor of creating a separate AD server configuration for each domain. In version 3.0 of the plugin sub-domains are no longer shown as items in the parent domain inventory tree.