VMware Cloud Community
TheVMinator

Orchestrator workflow permissions

I am using "share a unique session" because I want scheduled workflows to be able to run independently of a particular employee's AD account still being active.  As a result the service account I am using for "Share a unique session" has full rights in vCenter.

However I don't want every vRO user to have the ability to create workflows with the permissions of that service account which can do anything.  Apart from going to each workflow and assigning rights to all the users to indicate which workflows they can and can't run, is there an easier way to set up permissions in vRO and allow different levels of rights to run workflows based on different AD groups?


Accepted Solutions
SeanKohler

Well, I hope this is useful to you then...

Assuming all your users are not administrators...

You can create element folders and grant permissions to who can view/use the Element/Attributes you create in the folder.  (it is none except for administrators by default I believe)

When you as an administrator (or a user with permissions) create a workflow, these element attributes can be bound to the workflow.  The workflow can live in a folder with permissions as well.  (again for non-administrators)

If you are giving all your users admin logins... you cannot leverage built-in permissions as a method for controlling what is done in vRO.  We add several other groups of people via AD groups into vRO.  When they log in, they can only see and work within the folders that we granted permissions to.  They cannot run our privileged workflows because they cannot see them and do not have permission to them.  They cannot use *our* Admin Elements because they cannot see them and do not have permission to them.  They only see their folders and the default Library.  We make copies of all protected workflows and move them to a protected area for the things we (the administrators) work on.

5 Replies
SeanKohler

Not sure if this is exactly what you are looking for... but how about putting the service account and securestring password in an Element and then using vRO permissions to hide that element from everybody but you (or your group of admins)?  Then you can use that account to bind to workflow parameters, but other vRO users wouldn't have access to the account.

As far as determining what people can and cannot run in vRO, you can set permissions at the folder level.  Organize your workflows by what people can and cannot run... set permissions accordingly?

TheVMinator

SeanKohler wrote:

Not sure if this is exactly what you are looking for... but how about putting the service account and securestring password in an Element and then using vRO permissions to hide that element from everybody but you (or your group of admins)?  Then you can use that account to bind to workflow parameters, but other vRO users wouldn't have access to the account.

That sounds like a great idea - never done this before though so not familiar with the idea of a securestring password and how to create an element that I can hide based on permissions...

TheVMinator

This is great - thanks!
