VMware Cloud Community
qc4vmware
Virtuoso

vRA 8.5 limit catalog item deployment to service account but enable 2nd day actions for members?

I am trying to recreate functionality from vRA 7 in vRA 8 and I'm hoping I'm missing something simple.  What I want to do is deploy to a set of projects via a service account and I want the members of the project to have access to day 2 activities but not able to deploy the catalog items.  This was done easily with the entitlements in vRA 7 but I'm struggling to find a combination of roles + service broker policies that yields the same functionality.  Has anyone been able to do this? Am I missing something simple?

7 Replies
RobertPr
Contributor

Hi,

I have a solution with a little workaround:

  • Create a custom role, e.g. with the name "onlyDay2Actions"
  • Give it a pseudo-permission; I took "View Onboarding Plans" because it's obsolete in my environment
  • Create a Day 2 Action policy, scope it to your projects, and select the role you created first, e.g. "onlyDay2Actions"

This should work for the Day 2 Actions scoped by project. If you want it over all projects, you can set the permission "Manage Deployments" in the custom role.

Hope this helps you to define your policy!

br, Robert

qc4vmware
Virtuoso

I tried following your solution but maybe I've missed something.  The standard member users can still deploy new resources to the project.  I only want one supervisor/service account user to be able to deploy.  Giving the "Manage Deployments" over all projects is too broad I need it targeted just to the projects a user is a participant in.  Can you think of something I might have missed?

xian_
Expert

Try to remove the user's service roles and assign only Service Broker Viewer, plus a custom role created with "Manage Deployments" permission.

qc4vmware
Virtuoso

That almost worked when I tried it a few days ago but "Manage Deployments" seems to enable managing all deployments for the entire organization and I only want that capability for the projects they are members of.  So either I missed something or maybe there is a bug in how that permission is applied in vRA?

qc4vmware
Virtuoso

I was also thinking maybe to set this up so the blueprints are not shared through the service broker and the service account does all deployments via cloud assembly?  Then when the customer logs into the service broker they'd have nothing in the catalog for those projects where we are fully automating the deployments via the service account but would still be able to manage what they are enabled via project membership and their day 2 policy.  Does that sound like a reasonable approach?

RobertPr
Contributor

Oh sorry, it seems you are required to be at least a Project Member for Day 2 Actions; I think that's the thing I missed.

Yes, this will be a workaround if there is a REST call for this action. Another workaround can be an approval policy with the criteria "Requested By" not equal to "svc-user":

[attached screenshot: RobertPr_0-1634617721406.png]

It's not pretty either, but it seems to be a way.

br, Robert

qc4vmware
Virtuoso

I'll have to play with the approvals a bit but I think that would result in a bunch of approvals that need to be denied.  I didn't see any way to auto approve or deny.  I asked about that in another message.  If I try to catch the user I'll probably use the extensibility to trap it and fail it but hopefully I can come up with some other way.  If there was just a policy item to uncheck the deployment option that would be nice.  Hopefully the cloud assembly api will have what I need.

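One way to do the "trap it and fail it" extensibility check mentioned in the last reply, and the "Requested By not equal to svc-user" criterion from the approval-policy suggestion, as an added example that is not code from the thread or from VMware: a hypothetical vRA 8 ABX-style Python action that fails a deployment request unless the requester is the project's designated service account. It assumes the event payload exposes the requesting user under `inputs["__metadata"]["userName"]` and the project under `inputs["projectId"]`, and the project-to-account mapping is constructed sample data.

```python
"""Hypothetical vRA 8 ABX-style action (added example, not from the thread):
fail a deployment request unless the requester is the project's service account.
Assumed payload keys: inputs["__metadata"]["userName"] and inputs["projectId"]."""

# Constructed mapping: project id -> the single account allowed to deploy there.
# Projects not listed are left unrestricted, so members may deploy as usual.
RESTRICTED_PROJECTS = {
    "project-finance": "svc-deploy-finance",
    "project-hr": "svc-deploy-hr",
}


def requester_of(inputs):
    """Return the requesting user from the event payload (assumed key names)."""
    meta = inputs.get("__metadata") or {}
    user = meta.get("userName")
    if not user:
        # Fail closed: a request with no identifiable requester never passes.
        raise ValueError("request has no identifiable requester")
    return user


def is_deploy_allowed(inputs, restricted=RESTRICTED_PROJECTS):
    """True if the request may proceed: the project is unrestricted, or the
    requester matches its service account (case-insensitive user-name match)."""
    project = inputs.get("projectId")
    allowed = restricted.get(project)
    if allowed is None:
        return True
    return requester_of(inputs).lower() == allowed.lower()


def handler(context, inputs):
    """Entry point in the shape vRA 8 ABX Python actions use. Raising from a
    blocking subscription causes the deployment request to fail."""
    if not is_deploy_allowed(inputs):
        raise Exception(
            f"deployments to project {inputs.get('projectId')} are restricted "
            f"to the service account; request by {requester_of(inputs)} denied"
        )
    return inputs
```

Attach the action to a blocking subscription on the deployment-request topic so the raise is honoured; requests that are denied still appear in the deployment history, which gives members a visible audit trail of refused attempts.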