VMware Cloud Community
CloudInfraTeam
Enthusiast

VCO permissions problem

Hey,

In our environment there are multiple VCO servers; all of them are VCO 5.5.3.

In our organization we have a team that is supposed to support our cloud environment, and one of the things they should do is check workflow runs that fail and view the workflow run log live.

In the past they had permissions on the workflows that they need to watch; the permissions they had were: read, inspect, execute. In that situation they could see workflow runs and give support to the cloud users.

In one of our VCO version upgrades this support team lost the ability to track workflow runs; now only admin permission allows them to see the workflow runs.

:smileyconfused:

I found this VMware KB: "Non-admin users cannot see workflow tokens in VMware vRealize Orchestrator", but the KB is not for our VCO version.

I want to ask if someone knows whether that KB is also relevant to VCO 5.5.3, or of any other workaround.

Thanks ahead,

Liron br

4 Replies
iiliev
VMware Employee

Hi,

This KB is not applicable to 5.5.3 for 2 reasons:

  • Its text says "You should only apply this patch to vRealize Orchestrator (formerly known as vCenter Orchestrator) 5.1.1"
  • Binary files compiled against a given vRO version are generally not compatible with a different vRO version

Could you check if they can see workflow executions via the REST API? Just open one of the following URLs in a browser and, when asked for credentials, log in as some user from this group.

https://vcohost:8281/vco/api/catalog/System/WorkflowExecution

https://vcohost:8281/vco/api/workflows/{workflow-id}/executions

If possible, could you check what happens if you remove the existing permissions and re-assign them back?

Are the users from this group able to see their own executions, or do they not see any executions, including the ones they started themselves?

0 Kudos
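An offline way to evaluate the REST check suggested in the reply above, added here as an example and not code from the thread or from VMware: save the executions listing fetched once as an admin and once as a support-group user, then compare the two. The JSON layout (relations/link/attributes carrying id, startedBy and state), the user names and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample responses (not captured from a real server). The
# relations/link/attributes layout is an assumption about the JSON returned by
# /vco/api/workflows/{workflow-id}/executions; adjust it to what your server sends.
def _listing(rows):
    return json.dumps({"relations": {"link": [
        {"rel": "down",
         "attributes": [{"name": "id", "value": i},
                        {"name": "startedBy", "value": u},
                        {"name": "state", "value": s}]}
        for i, u, s in rows]}})

ADMIN_VIEW = _listing([("e1", "alice", "failed"),
                       ("e2", "support1", "completed"),
                       ("e3", "bob", "running")])
SUPPORT_VIEW = _listing([("e2", "support1", "completed")])

def parse_executions(body):
    """Return {execution id: {attribute name: value}} from one listing."""
    links = json.loads(body).get("relations", {}).get("link") or []
    out = {}
    for link in links:
        attrs = {a["name"]: a.get("value") for a in link.get("attributes", [])}
        if "id" in attrs:
            out[attrs["id"]] = attrs
    return out

def visibility_report(admin_body, user_body, user):
    """Compare what a non-admin user can list against the admin's listing."""
    admin, seen = parse_executions(admin_body), parse_executions(user_body)
    hidden = sorted(set(admin) - set(seen))
    return {
        "visible": sorted(seen),
        "hidden": hidden,
        # failed runs the support user cannot see are the ones that matter here
        "hidden_failed": [i for i in hidden if admin[i].get("state") == "failed"],
        # True when every visible token was started by the user themselves
        "own_only": all(a.get("startedBy") == user for a in seen.values()),
        # ids seen by the user but not the admin point to mismatched input files
        "unexpected": sorted(set(seen) - set(admin)),
    }

if __name__ == "__main__":
    print(visibility_report(ADMIN_VIEW, SUPPORT_VIEW, "support1"))
```

A report with `own_only` true and a non-empty `hidden` list matches the behaviour described later in this thread for non-admin users.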
rkrichevskiy
Enthusiast

I have confirmed the same behavior as noted by OP on a 5.5.3 instance. Regular users can no longer see other users' tokens from the workflow tokens tab. They see their own execution tokens only and events from all users.

Definitely a change from 5.1.2, as a regular user is able to see other users' tokens in that version. Browser test against the API confirms the same result as well. Re-applying permissions via a client doesn't seem to help. Even adding admin permission via a client doesn't allow a regular user to see other users' token state for older or current session executions. I have opened a case with support and will update if they have any further suggestions.

Update: according to VMware support, this is expected in the newer versions of the application and was labeled as a security-related feature.

We too have users that rely on the client for monitoring and although this approach was already somewhat limited it still provided value. I am thinking that at this point the only way is to use workflow events.

iiliev
VMware Employee

OK, it is the expected behavior for non-admin users to see their own execution tokens only and not other users' execution tokens. It was changed to behave this way at some point due to security concerns.

Unfortunately, the current permission system is not flexible enough so you cannot give permissions to non-admin users to see all execution tokens.

CloudInfraTeam
Enthusiast

Hey,

Thanks for your answers.

I should think about a workaround for this issue. If one of you figures out a workaround for this issue, please share it with me.

Thanks.

0 Kudos