VMware Cloud Community
jamesreinke2
Enthusiast

Stop Users seeing all VMs

I am trying to make the "Rename Virtual Machine" workflow available but hit one major snag. When a user runs the workflow they are able to see everything in vCenter. Is there any way to prevent that from happening? If it helps, the VMs are in folders, as you can see in the picture within vCenter. This may be a basic question, but I'm still quite new to Orchestrator.

6 Replies
iiliev
VMware Employee

For tree choosers, vRO supports so-called root objects. To use it, you should open the workflow for edit, go to the 'Presentation' tab, select the input field whose tree you want to control, and add the property 'Specify a root object to be shown ...'. The value of this property could be either an attribute (in your case, of type VC:VmFolder) or an action returning a single value of type VC:VmFolder; you should compute the value to be the root node folder of the subtree you want your users to see (e.g. you should set the folder ESCC if you want your users to see only the folder ESCC and its subfolders).

In practice, this approach has a few limitations; the most important is that it won't work in every client you use to start the workflow. It will work, if you launch the workflow from vRO Java client, but won't work if you launch the workflow from vSphere Web client integration plug-in.

jamesreinke2
Enthusiast

Ilian,

Is this what it is supposed to look like? I assume I'm missing the linked parameter but not sure where or what.

James

iiliev
VMware Employee

Well, yes and no :)

The property you set is the correct one. But you are trying to use the action getVirtualMachineByFolder(), which won't work. This action takes as an input parameter a VC:VmFolder object and returns an array with virtual machines in this folder. To specify the root element, you need an action that returns VC:VmFolder which will be the root folder element (and may, or may not, have input parameters).

The linked parameter in your case is the input VC:VmFolder parameter for action getVirtualMachineByFolder().

jamesreinke2
Enthusiast

Getting there, I think. Somehow the linked parameter got lost, unless this is all wrong. Please see capture.

iiliev
VMware Employee

This is all wrong.

As I said in my previous post, for specifying the root element you need an action that returns an object of type VC:VmFolder. The action you are currently using, getVirtualMachineByFolder(), returns an object of type Array/VC:VirtualMachine.

VC:VmFolder is not the same thing as Array/VC:VirtualMachine, so this action won't work.

rszymczak
Hot Shot

What Ilian said is correct. Although another way to limit the scope of what a user sees would be to simply register your vCenter with the per-user-session method. When using that authentication method your users should only see the VMs they see in vCenter and will only be able to perform the actions they're permitted in vCenter, because their SSO token is used to authenticate against vCenter. E.g. running "rename virtual machine" would only run successfully if the user starting the workflow has the permission to do that in vCenter anyway.

However: this might not be what you want. You might want to have users perform actions in a certain way using workflows which they're normally not allowed in vCenter. In that case: what Ilian said would be the most simple approach.

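The root-object property discussed in the thread only narrows what the tree chooser displays, and the replies note it is not honoured by every client, so a workflow that runs under a shared session can re-check the selected VM in its first scripting step. The sketch below is an added example, not code from the thread or from VMware: plain objects stand in for VC:VmFolder and VC:VirtualMachine, and the function names, ids and sample inventory are assumptions.

```javascript
// Added example: plain objects stand in for VC:VmFolder / VC:VirtualMachine.
// Only the fields used here (id, name, parent) are modelled; in vRO the
// folder list would come from the vCenter plug-in inventory instead.

// Resolve the single folder to use as the tree root. Fails closed: zero or
// several folders with that name is an error, never a fallback to a wider tree.
function resolveRootFolder(folders, name) {
  var matches = folders.filter(function (f) { return f.name === name; });
  if (matches.length !== 1) {
    throw new Error("Expected exactly one folder named '" + name +
                    "', found " + matches.length);
  }
  return matches[0];
}

// Walk vm.parent upwards and report whether rootFolder is an ancestor.
// maxDepth bounds the walk in case of a malformed parent chain.
function isVmUnderFolder(vm, rootFolder, maxDepth) {
  var node = vm ? vm.parent : null;
  for (var depth = 0; node && depth < (maxDepth || 64); depth++) {
    if (node.id === rootFolder.id) { return true; }
    node = node.parent;
  }
  return false;
}

// Constructed sample inventory: vm -> ESCC -> Apps -> app01, plus one VM outside.
var vmRoot = { id: "group-v1", name: "vm", parent: null };
var escc   = { id: "group-v10", name: "ESCC", parent: vmRoot };
var apps   = { id: "group-v11", name: "Apps", parent: escc };
var other  = { id: "group-v20", name: "Finance", parent: vmRoot };
var app01  = { id: "vm-101", name: "app01", parent: apps };
var fin01  = { id: "vm-201", name: "fin01", parent: other };
var allFolders = [vmRoot, escc, apps, other];

// Check to run before the rename: reject any VM outside the allowed subtree.
function assertVmAllowed(vm, rootName) {
  var root = resolveRootFolder(allFolders, rootName);
  if (!isVmUnderFolder(vm, root)) {
    throw new Error("VM '" + vm.name + "' is outside folder '" + rootName + "'");
  }
  return true;
}
```

The same `resolveRootFolder` result is what an action bound to the root-object property would return, so the chooser and the in-workflow check stay scoped to one folder.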