VMware Cloud Community
brtlvrs
Enthusiast

vRA 8.6 only day 2 operations for certain members?

Hi,

Is it possible to allow only some day 2 operations for a subgroup of members in a project?

They are also not allowed to request catalog items.

I'm looking for a way to give snapshot rights to already deployed VMs to application owners.
Sadly this is not possible via the custom roles, because a custom role consists of at least 1 permission.
And the permissions are not project bound.

Please consider marking this answer "CORRECT" or "Helpful" if you think your question have been answered correctly.
ArnaudBurk
Contributor

Hi brtlvrs,

Have you found a way to do it?
I'm also looking for a method to allow some day 2 actions only to the owner of a deployment,
and not to all the members of the project.
Because on some projects with the option "Deployments are shared between all users in the project" enabled, everybody sees all deployments, but I don't want all the members to be able to delete them, for example.

Thanks

eduardosuarez
VMware Employee

ArnaudBurk
Contributor

Yes, for sure.
I tried to do it with Day 2 Actions, but I didn't find a way to do it.

With Day 2 actions, I can enable/disable actions for specific roles (administrators, members, ...) but I'm not able to enable actions only for the owners of deployments, because "owner" is not really a role.

But in my case I want to allow owners of deployments to have a few more actions enabled on the deployment than other members of the project.

eduardosuarez
VMware Employee

OK, I will try on my side and get back to you in the coming days. Otherwise, I can create a feature request for this.

ArnaudBurk
Contributor

Thanks!! I appreciate it 😀👍

ronaldod
Enthusiast

Depending on your needs, what about the option in the project definition:

[image: ronaldod_0-1695842944030.png]

And deselect this.

Would that work for you?

DanielStastka
Enthusiast

I started with vRA 8.4, and only a clean design with Active Directory groups was successful. With Custom Roles I played for a while and had strange effects: no access, no Day 2 actions, etc. The same with the roles of vRA, hard and soft enforcement. Don't mix them; I was not successful.

Finally I used only 2 built-in roles => Members and Full Administrators.

I designed the Project as a team folder that contains Normal Members, Admin-Members (both vRA role "Member") and vAA Full Admins (vAA role Administrator).

The Policy is also mapped with Active Directory; all Normal Members of each team are assigned to the Policy.

The clue is that you can define Criteria inside the Policy: a Linux admin can only create snapshots for Linux machines. You can define Criteria for Catalog Items, Resources, Tags, a hardcoded Deployment, etc.

What is a bit tricky is that Criteria with a dynamic property on a VM/resource (sample: PowerOn/Off) have a delay. I had a Policy that a Deployment can only be deleted when its machines are powered off. The delay was not traceable and longer than 10 minutes (vCenter sync). Only Policy enforcement helps. I think the Policy sync is triggered only by changing members, but not by changing VM properties.

eduardosuarez
VMware Employee

Hello Arnaud,

Checking further, I found this suggestion on a previous case.

You can restrict the Policy by having a Deployment Owner criteria in the Policy. In this case, the Deployments that are owned by sean will have the mentioned Day2 actions for sean.

[image: eduardosuarez_1-1697509869829.png]

ArnaudBurk
Contributor

Hi @eduardosuarez,
thanks for your answers.
I've seen this possibility, but if I do that, it will be OK for Sean, but I have 1000 users, so I don't really want to create 1 approval rule per user 🙂

After some tests/research, I've found a solution to my problem.
I've created a custom workflow, and a Resource Action for Deployment resources, based on the workflow.
In the workflow script I check whether the requestor of the delete action is equal to the Deployment Owner. If yes, I initiate the deletion; if not, I do nothing (an error is raised).
So I add this custom menu button for users, and remove the basic "Delete".

And the magic appears 🙂
Thanks again for your help, guys
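
The owner check described in the post above, sketched as an added example; it is not part of the original thread and is not ArnaudBurk's workflow script. The function names, the `owner` field and the sample users are hypothetical, and how the workflow obtains the requester and the deployment owner is not shown on the page, so both are plain function arguments here.

```javascript
// Added example. Function names, field names and sample users are hypothetical.

// Reduce an identity string to a comparable form; null means "unknown".
// Only case and surrounding whitespace are normalised. The domain part is
// kept, so "sean" and "sean@corp.example" are different principals.
function normalizeIdentity(id) {
  if (typeof id !== 'string') return null;
  const v = id.trim().toLowerCase();
  return v.length > 0 ? v : null;
}

// Decide whether `requester` may delete `deployment`. Fails closed: a
// missing requester or owner is a denial, never a match.
function authorizeDelete(requester, deployment) {
  const req = normalizeIdentity(requester);
  const owner = normalizeIdentity(deployment ? deployment.owner : undefined);
  if (req === null) return { allowed: false, reason: 'requester unknown' };
  if (owner === null) return { allowed: false, reason: 'deployment has no owner' };
  if (req !== owner) return { allowed: false, reason: 'requester is not the owner' };
  return { allowed: true, reason: 'requester is the owner' };
}

// Behaviour from the post: delete when the requester is the owner, otherwise
// raise an error so the action fails visibly and nothing is deleted.
function deleteIfOwner(requester, deployment, deleteFn) {
  const decision = authorizeDelete(requester, deployment);
  if (!decision.allowed) {
    throw new Error('Delete denied: ' + decision.reason);
  }
  return deleteFn(deployment);
}

// Constructed sample data, not taken from a real environment.
const sample = { name: 'web-01', owner: 'sean@corp.example' };
const deleted = [];
const fakeDelete = (d) => { deleted.push(d.name); return d.name; };

console.log(deleteIfOwner('Sean@corp.example', sample, fakeDelete));
try {
  deleteIfOwner('alice@corp.example', sample, fakeDelete);
} catch (e) {
  console.log(e.message);
}
```

The check only constrains users if the built-in "Delete" action is removed for them, as the post does, and if the requester value comes from the platform's request context and not from a field the user can edit.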

Enter123
Enthusiast

Hi,

Do you know if it is possible to remove the "Delete" action for all users when it comes to a VM? Admins, users, owners etc.

I want to allow users only to Delete Deployment, but not have/see the Delete option on a VM.

I tried with a Day2 Action policy: apply to Role Admins and Members, remove "Cloud.vSphere.Machine.Delete" from the list of Actions, for Organization/All Projects

[image: Enter123_0-1697813217092.png]

but no success. What am I missing here?

ronaldod
Enthusiast

I have it working. Only I have one role on an AD group, as mixing groups sometimes gives me confusing rights.

And I have the roles created in custom roles. I do not use any built-in ones.
