VMware Cloud Community
Czernobog
Expert

vRA 8.x - return project membership of a user (by username)

I am trying to accomplish the following task: based on an input that includes a username, I want to know which projects the user is a member of.
AD user accounts can be members of any of the multiple domains configured as directories in vRA 8; it is possible for a user to have an account in multiple domains, in which case the username across domains would be the same, but the domain part of the UPN would be different.
Ideally it would look like this: the function takes the username (UPN: user@domain.local) as input and outputs a list of projects where the user has a role assigned.
So far I have tried the following approaches, without success:

1. Dump all projects using /iaas/api/projects and search for the user account; return all projects where the account is a member.
This has a drawback:
- the user account is listed without the domain; for example, the user myuser@localdom.org would be listed as:
    {
        "email": "myuser",
        "type": "user"
    }
so there is no way to tell which domain this username belongs to, and a user cannot be searched for by the domain attribute.

2. Use the search query /csp/gateway/am/api/orgs/{{orgId}}/users?userSearchTerm=
This too has some drawbacks:
- you can only use one search term, so it is not possible to search for the user and the domain; the domain is not accepted as a search term anyway
- the query does not request an exact match, so if the username I search for is part of another username, both would be returned
- the query returns only organization roles anyway, not project membership

Is this task doable at all?
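
An added example (not code from the original post) implementing approach 1 over a constructed /iaas/api/projects response; the "content" wrapper and the administrators/members/viewers field names are assumed. It returns the per-project roles for the username part of a UPN and flags the result as ambiguous when the same username exists in more than one configured domain, since the API drops the domain.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a /iaas/api/projects response.
# Field names "content", "administrators", "members", "viewers" are assumed;
# the member entries carry only the domain-less "email", as in the post.
SAMPLE_PROJECTS = json.loads("""
{"content": [
  {"name": "proj-a",
   "administrators": [{"email": "myuser", "type": "user"}],
   "members": [{"email": "other", "type": "user"}],
   "viewers": []},
  {"name": "proj-b",
   "administrators": [],
   "members": [{"email": "myuser", "type": "user"},
               {"email": "devs", "type": "group"}],
   "viewers": []},
  {"name": "proj-c",
   "administrators": [],
   "members": [],
   "viewers": [{"email": "myuser2", "type": "user"}]}
]}
""")

ROLE_FIELDS = ("administrators", "members", "viewers")


def project_roles_for_user(upn, projects, domains_with_account):
    """Map project name -> roles held by the username part of `upn`.

    `domains_with_account` lists the directory domains in which an account
    with that username exists (obtained from the directories themselves,
    because the project API cannot answer that). The second return value
    is True when more than one domain has such an account, i.e. the
    domain-less listing cannot be attributed to a single principal.
    """
    username, _, _domain = upn.partition("@")
    hits = defaultdict(list)
    for proj in projects.get("content", []):
        for field in ROLE_FIELDS:
            for principal in proj.get(field, []):
                # Exact match on the local part only, so "myuser2" does not
                # match "myuser". Group entries are not expanded here.
                if principal.get("type") == "user" and principal.get("email") == username:
                    hits[proj["name"]].append(field)
    ambiguous = len(set(domains_with_account)) > 1
    return dict(hits), ambiguous
```

Group memberships ("type": "group") are reported only as the group name, so resolving them to users needs a separate directory lookup.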

1 Reply
Czernobog
Expert

I wanted to add that there seems to be no straightforward (or just any) way to properly identify a user who is making requests in vRA; as a result, when someone wants to check which domain user requested a catalog item, the requesting user cannot be identified in the following scenario:

Multiple domains are configured as directories in vIDM. Some users have identical usernames across domains. One of those users requests an item from the catalog. Based on the payload passed to vRO or an ABX action (or just the deployment inputs), or after provisioning, from the "Owner" column in the Resources tab, it is not possible to deduce which domain the user is a member of, since only the username is displayed and the UPN, or even a userId/idpId, is nowhere to be found!

The same goes for querying the deployment API with the deployment id or request id - both queries only return the username in the "ownedBy", "createdBy" and "lastUpdatedBy" fields. As mentioned before, using the search APIs is worthless, since you can also only search for the username - and the search returns all matches containing the username.

I don't understand why this was made so complicated - why isn't the user principal name just passed along with the deployment input, or just generally with the request info in an event subscription payload?