VMware Cloud Community
VMGenie02
Enthusiast

Access\Rights Management

Hi guys,

I have vCenter Orchestrator 4.0.1 installed and working except... I am only able to log in if the user is a member of the "VMO Admins" group. If I use a non-admin account I get an "access not allowed" message. I have tried authorizations and permissions on various objects... no luck.

The only way I get users to login is if I add them to the VMO Admins group

Please help


Accepted Solutions
Burke-
VMware Employee

Setting the View/Execute permissions for an LDAP group of your choosing on the root element in the workflows is what grants a non-vCO admin the ability to log in to webviews and the vCO client. If you have indeed done this and you are not able to log in with a member of the group, the only thing I can suggest is restarting the vCenter Orchestrator Server service.

Please post a screenshot showing your root workflow element selected in the vCO client, and in the right pane showing the permissions tab and its contents.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

Burke-
VMware Employee

Please see the "Setting Permissions" section of the following post: http://www.vcoteam.info/learn-vco/create-a-simple-vco-self-service-vm-provisioning-portal-part-3.htm...

Those instructions will allow you to specify another group with the ability to log in and execute workflows, but not edit/delete them :) This is especially helpful if you are restricting access to the workflows by only allowing HTTP/HTTPS access via webviews.

VMGenie02
Enthusiast

Hi Burke,

I have read that article and am able to set that up. The problem is that when I do the actual login using the non-admin account it does not work; all I get is "access not allowed". I sent yourself and Christophe a reply on the thread requesting that you show me how the "lcmuser" is logged in and what AD\LDAP group memberships are required.

Thanks

VMGenie02
Enthusiast

Hi Christiaan,

I already read that one too... what I don't like about that one is it uses a very long "workaround", especially when dealing with a huge tree structure. What I am also not sure about is if the user is a member of the VMO Admins or not.

Burke-
VMware Employee

Screenshot?

P.S. - MightyCare = excellent blog!! :smileygrin:

VMGenie02
Enthusiast

Keep this in mind: the same user that I get an "Access not allowed" on, if I just add them to the "VMO Admin" group in AD then it works fine... of course the exception is that I would have to follow your link to hide the folders he must not have access to, which will be a nightmare.

So, I need to find a way of granting access to a non-admin user on the required node.

VMGenie02
Enthusiast

Here are screenshots

VMGenie02
Enthusiast

Not even doing this

Burke-
VMware Employee

This is odd - from what I see, it appears as though the permissions are set properly on your "testuser" account... have you restarted the service?

Andreas_Diemer
Enthusiast

Hi,

Using webview, it is NOT possible to grant access only to a workflow or subfolder. The user must have at least view rights all the way down the path from root level to the desired object / workflow. This must also be done for actions called in this workflow or in workflows nested within it.

We have the same problem on many customer sites in publishing workflows to special users/groups. You must enable view on root for login and drill down the rights as mentioned.

Using permissions with groups sometimes causes problems with AD on vCO 4.0, especially when using nested groups.

Please try adding a user, not a group, to check this.

Regards, Andreas

------ for correct and / or useful answers please award points visit http://www.vcoteam.info & http://mighty-virtualization.blogspot.com
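
The path rule described in the reply above, modelled as an added example (not part of the original thread, and not a vCO API): it walks from the root to a target workflow and to everything that workflow calls, and lists the nodes where a principal lacks View. The tree, the `portal-users` group and the `"v"`/`"x"` rights strings are constructed, and each node is assumed to carry rights that are already resolved to their effective value.

```javascript
// Constructed model, not a vCO API. Each node carries the effective rights a
// principal holds on it ("v" = View, "x" = Execute); "calls" lists the nested
// workflows and actions a workflow invokes. All names here are hypothetical.
const NODES = {
  "workflows": { rights: { "portal-users": "vx" } },
  "workflows/Tenants": { rights: {} },
  "workflows/Tenants/Provision VM": {
    rights: { "portal-users": "vx" },
    calls: ["workflows/Library/Clone VM", "actions/com.example.util/pickDatastore"],
  },
  "workflows/Library": { rights: { "portal-users": "v" } },
  "workflows/Library/Clone VM": { rights: { "portal-users": "vx" } },
  "actions": { rights: { "portal-users": "v" } },
  "actions/com.example.util": { rights: { "portal-users": "v" } },
  "actions/com.example.util/pickDatastore": { rights: {} },
};

// Every node from the root down to `path`, root first.
function pathChain(path) {
  const parts = path.split("/");
  return parts.map((_, i) => parts.slice(0, i + 1).join("/"));
}

function hasRight(nodes, principal, path, right) {
  const node = nodes[path];
  return Boolean(node && (node.rights[principal] || "").includes(right));
}

// Per the thread, login requires View on the workflow root.
function canLogIn(nodes, principal) {
  return hasRight(nodes, principal, "workflows", "v");
}

// Nodes lacking View on the way to `target` or to anything it calls.
function missingView(nodes, principal, target) {
  const seen = new Set();
  const gaps = new Set();
  const queue = [target];
  while (queue.length > 0) {
    const item = queue.shift();
    if (seen.has(item)) continue; // guards against call cycles
    seen.add(item);
    for (const step of pathChain(item)) {
      if (!hasRight(nodes, principal, step, "v")) gaps.add(step);
    }
    queue.push(...((nodes[item] && nodes[item].calls) || []));
  }
  return [...gaps].sort();
}
console.log(missingView(NODES, "portal-users", "workflows/Tenants/Provision VM"));
```

In this sample the group can log in and holds View/Execute on the target workflow itself, yet the audit still reports the intermediate folder and the called action as gaps.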
VMGenie02
Enthusiast

Hi Andreas,

After much troubleshooting and trying of this and that... I came to the same conclusion too. I think that the whole architecture on permissions and authorizations needs to either be redesigned or explained more properly by VMware officially.

Unfortunately, you can only grant access by group and not direct users. (Or at least that is the only way I could manage to do it)

The guide from Christiaan a.k.a MightCjo blog may be the only way at this stage.

PS: Maybe some of these are fixed in version 4.1!!!:smileygrin:

Until next time, thanks guys for all the help and your time.

VMGenie02
Enthusiast

Hi Burke,

Eventually what I did was remove all permissions and restart the entire vCO solution (application and database servers). Then I re-applied the permissions, starting with the root node first.

Thank you
