VMware Cloud Community
stevenbright1
Enthusiast

Orchestrator Login Rights and Permissions

Is it possible to allow users who are not part of the Orchestrator Admin group to login to Orchestrator? If so, how do you set this up?

My goal is to provide certain users the ability to log in and run workflows, but only specific workflows that have been assigned to them. I would prefer for them to not see any of the other workflows, actions, etc.

Thanks!

8 Replies
IamTHEvilONE
Immortal

To enable access to the Weboperator Web View as a non-administrative Orchestrator user:

Step 1
=======

Log in to the Orchestrator Client and set user permissions:

You set levels of permission to limit the access that users or user groups can have to that workflow.

You select the users and user groups for which to set permissions from the users and user groups in the Orchestrator LDAP server.

1) Click the "Permissions" tab.

2) Click the "Add access rights" link to define permissions for a new user or user group.

3) Search for a user or user group.

The search results show all of the users and user groups from the Orchestrator LDAP server that match the search.

4) Select a user or user group and click "OK".

5) Right-click the user and select "Add access rights".

6) Check the appropriate check boxes to set the level of permissions for this user and click "OK".

To allow a user to view the workflow, inspect the schema and scripting, run and edit the workflow, and change the permissions, you must check all check boxes.

7) Click "Save and Close" to exit the editor.

Step 2
========

Enable Access to Workflows from Web Service Clients:

1) Navigate to the following folder on the Orchestrator server system.

If you installed Orchestrator with the vCenter Server installer:

\install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf

If you installed the standalone version of Orchestrator:

\install_directory\VMware\Orchestrator\app-server\server\vmo\conf

2) Open the "vmo.properties" configuration file in a text editor.

3) Add the following line to the vmo.properties configuration file:

com.vmware.o11n.web-service-disabled=false

4) Save the "vmo.properties" file.

5) Restart the Orchestrator Server service.



Regards,

Jonathan

B.Sc., RHCT, VMware vExpert 2009

NOTE: If your problem or question has been resolved, please mark this thread as answered and award points accordingly.

0 Kudos
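Step 2 of the reply above, scripted as an added PowerShell example (not part of the original post and not VMware tooling). The `-ConfDir` and `-ServiceName` parameters are hypothetical names for this example: pass one of the two conf folders listed above and, optionally, the name of the Orchestrator Server service on your host. The script rewrites an existing assignment of the key instead of appending a second one, and keeps a backup.

```powershell
# Added example: set com.vmware.o11n.web-service-disabled=false idempotently.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConfDir,        # assumption: the ...\app-server\server\vmo\conf folder
    [string]$ServiceName     # assumption: Orchestrator Server service name, if known
)

$key   = 'com.vmware.o11n.web-service-disabled'
$value = 'false'

# Resolve to a full path; fails here if vmo.properties is not in $ConfDir.
$file = (Resolve-Path -LiteralPath (Join-Path $ConfDir 'vmo.properties') -ErrorAction Stop).Path

# Keep a timestamped copy so the change can be rolled back.
$backup = "$file.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $file -Destination $backup

# Java .properties files are ISO-8859-1; read and write with that encoding.
$enc   = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
$lines = [System.IO.File]::ReadAllLines($file, $enc)

# Match an uncommented assignment of the key ("=" or ":" separator).
$pattern = '^\s*' + [regex]::Escape($key) + '\s*[=:]'
$found   = $false
$out     = New-Object 'System.Collections.Generic.List[string]'

foreach ($line in $lines) {
    if ($line -match $pattern) {
        # Replace the first assignment; drop any later duplicates so the
        # file holds exactly one value for the key.
        if (-not $found) { $out.Add("$key=$value"); $found = $true }
    } else {
        $out.Add($line)
    }
}
if (-not $found) { $out.Add("$key=$value") }   # key was absent: append it

[System.IO.File]::WriteAllLines($file, $out.ToArray(), $enc)
Write-Output "Set $key=$value in $file (backup: $backup)"

# The setting is read at startup, so restart the service when a name was given.
if ($ServiceName) {
    Restart-Service -Name $ServiceName
}
```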
IamTHEvilONE
Immortal

Also, see:

Orchestrator security overview

http://kb.vmware.com/kb/1011305



Regards,

Jonathan


stevenbright1
Enthusiast

I guess I'm missing something. I knew how to assign access rights to the workflows etc., but what I can't figure out is how to allow non-admin users the ability to log in and run the workflows. Logging in with any account other than an Orchestrator Admin tells me that the user isn't authorized.

0 Kudos
Andreas_Diemer
Enthusiast

Hi Steven,

I've tested the following and it works fine:

- adding rights to the workflow tree at root (youraccount@vco.domain): only view. Without view rights on root, the user cannot log in. Now he sees everything.

- build a subtree containing the workflow(s) you want to expose to the user / group, add execute & view on this folder. Now there is a parent right (view) and a folder right (execute & view) on this folder

- for all other first-level folders beyond root, add only the execute right for the user / group. Now there is a parent right (view) and a folder right (execute); this will overwrite the view (subtrees are not visible) but they are executable (if your WF calls a WF in this subtree)

- don't forget the action tree at root (execute)

- don't forget the user (group) must have rights in vCenter to run the appropriate tasks

regards, Andreas

------
for correct and / or useful answers please award points
visit http://www.vcoteam.info & http://mighty-virtualization.blogspot.com
stevenbright1
Enthusiast

Andreas,

That worked except for one part. The root of the "Actions" tree is the same as the root of the "Workflows" tree which is the "My Name @ username@domain.com". It will not allow me to assign execute rights for one section and not the other as it is the same entity.

Additionally, whenever I try to run one of the workflows that requires that the user browse the vCenter server to select a VM, I receive "plugin error" even though the user/group has Administrator rights on the vCenter.

0 Kudos
acavali
Contributor

I am running Orchestrator 4.1 and am not running into that issue. I'd recommend that you try and upgrade and see if that fixes it.

0 Kudos
Matt_B1
Enthusiast

Does this still apply to Orchestrator v5.1? I am looking to allow non-Admins access to a web view I created for a custom request portal. I can successfully allow them access through the Java Orchestrator client but want to direct them through the custom webview.

0 Kudos
Burke-
VMware Employee

The best way to accomplish this is to allow the users to launch the desired workflow(s) via a web interface and disable vCO Client access to non-administrators. Otherwise, you face a number of challenges that you are describing already.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you!

Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator
for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter