VMware Cloud Community
mschubi
Enthusiast

Orchestrator integration into vCenter Web Client - Permissions for WFs

Hello,

I've integrated my Orchestrator 6.0.4 in the vCenter Web Client.

  • we configured Orchestrator with an AD group "ADMGroup" as vRO admin group
  • the same group is also configured as admins for vCenter
  • the group has AD users as members, let's call them "A", "B" and "C"
  • the vCenter Plugin is configured with credentials of user "A"

My problem:

  • user "A" sees all configured context actions in Web Client
  • users "B" and "C" see an empty "all vCenter Orchestrator plugin Actions"

I can't find the reason why "B" and "C" are unable to use the WFs. 😞

Best regards, Mike

0 Kudos
5 Replies
iiliev
VMware Employee

Hi Mike,

A couple of questions:

1) By 'configured with credentials of user "A"' do you mean the plug-in is configured in 'shared session' mode using A's credentials? Any reason not to configure it in 'per user session' mode?

2) Which actions are visible to A and not visible to B and C - some custom actions defined by you, or also all pre-configured actions that come by default for some VC object types?

Also, please check for any clues/errors in vRO's and Web Client's logs.

0 Kudos
mschubi
Enthusiast

Hello Ilian,

1) You are right, the Plugin is configured with "shared session" - reason for that is using WFs by users without full rights...

2) User "B" and "C" can't see any WF in Web Client. (no predefined, no own WFs)

User B and C can login to Orchestrator Java Client without any problems and can use the WFs...

How do the context actions in Web Client work? Does the Web Client decide which WFs to display, or the vRO?

Best regards,

Mike

0 Kudos
iiliev
VMware Employee

Context actions are maintained entirely within Web Client. vRO server is not aware of it.

Web Client and Java client use different mechanisms to communicate with vRO server. Java Client uses internal RMI API, and Web Client uses public REST API.

Could you check whether user B (or C) can access the workflows, supposed to be shown as context actions, over REST API? Here are the steps:

1) Choose a workflow to check and figure out its ID. Just go to Java client, select the workflow in workflow inventory tree, and check ID property shown on General tab.

2) Launch a REST browser and open a URL https://{vrohost}:8281/vco/api/workflows/{workflowid} or https://{vrohost}:8281/vco/api/catalog/System/Workflow/{workflowid} (replacing {vrohost} and {workflowid} with your vRO hostname/IP address and workflow ID)

3) The browser should ask for username/credentials; provide those of user B or C

0 Kudos
mschubi
Enthusiast

Hello Ilian,

Over REST API it is possible to access the WFs.

User B can i.e. access the permissions of WF.

<permissions xmlns="http://www.vmware.com/vco">
  <permission href="https://**************:8281/vco/api/workflows/528fb795-6d2b-4ec1-8d30-30cec707f41b/permissions/0db98...">
    <principal>*******.de\*******-VCenter-ADM</principal>
    <rights>rxica</rights>
  </permission>
</permissions>

By the way - vCenter is 5.5.0 (Build 3252642)

Thanks for your patience,

Mike

0 Kudos
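Added example, not part of the thread and not VMware's code: a Python version of the REST check from the steps above that requests a workflow's permissions as one user and decodes a response shaped like the one posted. The meaning assigned to the rights letters, the `cafile` parameter and the sample principals are assumptions; the URL form and XML namespace come from the posts.

```python
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

VCO_NS = {"vco": "http://www.vmware.com/vco"}  # namespace from the reply above
# Assumed meaning of the letters in <rights>; confirm against your vRO docs.
RIGHTS = {"r": "view", "x": "execute", "i": "inspect", "c": "edit", "a": "admin"}

def workflow_url(vrohost, workflow_id, suffix=""):
    """First URL form from step 2; suffix="/permissions" lists the ACL."""
    return f"https://{vrohost}:8281/vco/api/workflows/{workflow_id}{suffix}"

def fetch_as(url, username, password, cafile=None):
    """GET url with HTTP Basic auth as one user; returns (status, body)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/xml"})
    ctx = ssl.create_default_context(cafile=cafile)  # keep TLS verification on
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 401/403/404 are results, not crashes
        return err.code, ""

def parse_permissions(xml_text):
    """Map each <principal> to the set of named rights granted to it."""
    root = ET.fromstring(xml_text)
    acl = {}
    for perm in root.findall("vco:permission", VCO_NS):
        principal = perm.findtext("vco:principal", default="", namespaces=VCO_NS)
        letters = perm.findtext("vco:rights", default="", namespaces=VCO_NS)
        acl[principal.strip()] = {RIGHTS.get(c, f"unknown:{c}") for c in letters.strip()}
    return acl

def can_run(acl, principal):
    """True if the principal may both see and start the workflow."""
    return {"view", "execute"} <= acl.get(principal, set())

# Constructed sample shaped like the response in the thread (names are made up).
SAMPLE = (
    '<permissions xmlns="http://www.vmware.com/vco">'
    '<permission><principal>EXAMPLE\\Example-VCenter-ADM</principal><rights>rxica</rights></permission>'
    '<permission><principal>EXAMPLE\\Example-ReadOnly</principal><rights>r</rights></permission>'
    '</permissions>')
```

Against a live server, pass the result of `workflow_url(host, wf_id, "/permissions")` to `fetch_as` with user B's credentials and feed the body of a 200 response to `parse_permissions`; the principals returned are groups, so membership still has to be resolved in AD.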
mschubi
Enthusiast

Hello folks,

Any other ideas?

Best regards,

Mike

0 Kudos