I'm hoping someone out there has already put together a method to grab all of the deployments for a user based on whether they are the owner or it is shared to them via the project settings. I guess it's the same list you'd see in the Service Broker when you click on the Deployments tab. What I really need is the VM list, but I can derive that from the deployment list. Hoping this is already in the API and my newb status with it is all that is at play here. Off to read up and try to catch the REST calls in the browser.
I went ahead and created a set of actions that do the following:
1. Grabs a list of all projects
2. Looks first for the user being in the member role of the project either explicitly or as part of one of the groups.
3. If the project shares resources to members, pull all deployments. If not, pull only the deployments owned by the user.
This seems to work and gives me a list matching what I see when interactively logged into the Service Broker. Still hoping for an API call that could do this. My skills with the Chrome developer console aren't very good, so I gave up on trying to capture what might be happening in the browser. Maybe this is a private API of some sort?
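The three steps above written as one filter function, added here as an example and not the poster's own actions. It is plain ES5 JavaScript over constructed data; the field names `members`, `sharedResources`, `projectId` and `ownedBy` are assumptions about what the project and deployment records contain.

```javascript
// Constructed sample records; field names are assumptions, not confirmed API output.
var projects = [
  { id: "p1", sharedResources: true,
    members: [{ type: "group", email: "dev-team@example.test" }] },
  { id: "p2", sharedResources: false,
    members: [{ type: "user", email: "alice@example.test" }] },
  { id: "p3", sharedResources: true,
    members: [{ type: "user", email: "bob@example.test" }] }
];
var deployments = [
  { id: "d1", projectId: "p1", ownedBy: "bob@example.test" },
  { id: "d2", projectId: "p2", ownedBy: "alice@example.test" },
  { id: "d3", projectId: "p2", ownedBy: "bob@example.test" },
  { id: "d4", projectId: "p3", ownedBy: "bob@example.test" }
];

function norm(s) { return String(s || "").toLowerCase(); }

// Step 2: member explicitly, or through one of the user's groups.
function isMember(project, user, userGroups) {
  var groups = userGroups.map(norm);
  return (project.members || []).some(function (m) {
    return m.type === "group" ? groups.indexOf(norm(m.email)) !== -1
                              : norm(m.email) === norm(user);
  });
}

// Steps 1 and 3: walk every project, then keep a deployment only when the
// user is a member of its project AND (the project shares resources OR the
// user owns the deployment). Anything else is denied by default.
function visibleDeployments(user, userGroups, projects, deployments) {
  var shared = {}; // projectId -> true/false, only for projects the user is in
  projects.forEach(function (p) {
    if (isMember(p, user, userGroups)) { shared[p.id] = p.sharedResources === true; }
  });
  return deployments.filter(function (d) {
    if (!Object.prototype.hasOwnProperty.call(shared, d.projectId)) { return false; }
    return shared[d.projectId] || (d.ownedBy && norm(d.ownedBy) === norm(user));
  }).map(function (d) { return d.id; });
}

function demo() {
  return visibleDeployments("alice@example.test", ["dev-team@example.test"],
                            projects, deployments);
}
```

Because the filter runs with whatever account fetched the records, the result is only as trustworthy as the user and group list passed in; those should come from the identity provider rather than from request input.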
I think the GUI uses the same API call, but with the token of the logged in user. That is why the result shows only the deployments the user has permissions to.
You could do the same with the vRA plugin: VraHostManager.createHostForCurrentUser() will create an endpoint with the current user's credentials.
I wanted to use this method to make calls in the name of the currently logged-in user, but it did not work very reliably; sometimes the responses were empty. (The reason might be that I've increased the session timeout within Service Broker, but this has no effect in vRO, and the token might not have been valid in vRO anymore. Not sure, I have not investigated this issue further.) Now I use a service user within the vRA plugin, but this would not give you the result you are looking for.
Funny, because in the workflows I've written I use VraHostManager.createHostForCurrentUser(), but as you pointed out, in most cases this will actually be a service account that can see all or a lot more of the inventory than the user I'm trying to filter the results on. It's either my own service account for automations / integrations our group is enabling, or for other customers that tie into vRA where they have a service account that will need fairly broad access. It would be great to be able to specify a list of groups and users to filter on.