VMware Cloud Community
rstoker13
VMware Employee

Redirection of SNOW users for vRA authentication

vRA 7.3 - Simple Deployment

SNOW Jakarta - vRA/SNOW plugin 3.0

We are attempting to restrict the redirection of users to ONLY 100-200 of our 66,000+ potential users. The vra_user role appears to accomplish this for the vast majority. However, we have a fairly large number of users that hold the 'admin' role. It appears that ALL users holding the admin role are redirected as well. As few as 5 of the 60+ admin users will actually administer the vRA components and should be redirected to vRA.

Is there a way to prevent the redirection for non-vRA Admins?


Accepted Solutions
rstoker13
VMware Employee

This question evolved into 2 individual questions.

1. How do you allow only selected users to redirect?

     A: The 'vra_user' role accomplishes this. Our ServiceNow engineer was able to identify the 'Login Rule' responsible for the redirect (VRA_VIDM) and all seemed well, until we realized that it was also redirecting ALL users that held the 'admin' role. Our organization has a large number of users that hold the admin role and a very small subset would truly need to administer vRA and be redirected. Leading us to our second question...

2. How do you redirect ONLY users that hold the 'vra_user' role and not all admin users as well?

     A: Our ServiceNow engineer above modified the 'Login Rule' to look for the explicitly defined 'vra_user' role. This means that in order for anyone, even admins, to be redirected, they must hold this role. This has been working well for us. We are waiting for official support notification, but the VMware team is aware of our problem and solution.

See below for the details.

Current VRA_VIDM:

VRA_VIDM();

function VRA_VIDM() {
     // Redirect only users with an explicit 'vra_user' role assignment.
     if (hasExactRole('vra_user')) {
          var param = "/vra_redirect_to_external.do";
          gs.setRedirect(param);
     }

     // Looks the role up in sys_user_has_role directly instead of calling gs.getUser().hasRole().
     function hasExactRole(role) {
          var rol = new GlideRecord('sys_user_role');
          rol.addQuery('name', role);
          rol.query();
          if (rol.next()) {
               var hasRole = new GlideRecord('sys_user_has_role');
               hasRole.addQuery('user', gs.getUserID());
               hasRole.addQuery('role', rol.sys_id);
               hasRole.query();
               if (hasRole.next()) {
                    return true;
               } else {
                    return false;
               }
          }
          return false;
     }
}

Original VRA_VIDM:

VRA_VIDM();

function VRA_VIDM() {
     if (gs.getUser().hasRole('vra_user')) {
          var param = "/vra_redirect_to_external.do";
          gs.setRedirect(param);
     }
}

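An offline comparison of the two login-rule checks from the accepted solution, as an added example that is not part of the original post or of the vRA/ServiceNow plugin. The `GlideRecord` class here is a small stand-in over constructed in-memory rows (not ServiceNow's implementation), the user ids and sys_ids are made up, and the admin behaviour of the original check is modelled from what the post reports.

```javascript
// Constructed rows standing in for the two ServiceNow tables the rule reads.
const TABLES = {
  sys_user_role: [{ sys_id: 'r-admin', name: 'admin' }, { sys_id: 'r-vra', name: 'vra_user' }],
  sys_user_has_role: [
    { user: 'u-alice', role: 'r-admin' }, // ServiceNow admin with no vRA duties
    { user: 'u-bob', role: 'r-admin' },   // admin who also administers vRA
    { user: 'u-bob', role: 'r-vra' },
    { user: 'u-carol', role: 'r-vra' },   // ordinary vRA user
  ],
};

// Stand-in for GlideRecord (not ServiceNow's class): equality filters only.
class GlideRecord {
  constructor(table) { this._rows = TABLES[table] || []; this._filters = []; this._pos = -1; }
  addQuery(field, value) { this._filters.push([field, String(value)]); }
  query() { this._hits = this._rows.filter((r) => this._filters.every(([f, v]) => r[f] === v)); }
  next() {
    this._pos += 1;
    if (this._pos >= this._hits.length) return false;
    Object.assign(this, this._hits[this._pos]); // expose fields such as rec.sys_id
    return true;
  }
}

// Exact-role lookup from the modified login rule, with the user id passed in.
function hasExactRole(userId, roleName) {
  const rol = new GlideRecord('sys_user_role');
  rol.addQuery('name', roleName);
  rol.query();
  if (!rol.next()) return false; // unknown role: no redirect
  const hasRole = new GlideRecord('sys_user_has_role');
  hasRole.addQuery('user', userId);
  hasRole.addQuery('role', rol.sys_id);
  hasRole.query();
  return hasRole.next();
}

// Assumption (per the post): hasRole('vra_user') also passes for every 'admin'.
function hasRoleAdminOverride(userId, roleName) {
  return hasExactRole(userId, roleName) || hasExactRole(userId, 'admin');
}

// Users sent to /vra_redirect_to_external.do under a given check.
function redirected(check, userIds) {
  return userIds.filter((u) => check(u, 'vra_user'));
}
const USERS = ['u-alice', 'u-bob', 'u-carol'];
console.log('original rule:', redirected(hasRoleAdminOverride, USERS));
console.log('modified rule:', redirected(hasExactRole, USERS));
```

The accounts that appear only in the first list are the admins who stop being redirected once the rule is changed, which makes them the ones to spot-check after deployment.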
kmenze
Contributor

We are having the same issue: our ServiceNow admins are all getting prompted for VRA login despite not being in the vra_user role. We tried updating the VRA_VIDM login rule as you showed, but our admins are still being prompted for VRA login as they log into ServiceNow.

I noticed the original question specified their ServiceNow instance was Jakarta. We are running with the Istanbul version. Do you happen to have an updated version of this VRA_VIDM login rule for Istanbul? Or, should we be expecting this modification to work for Istanbul as well?

Thank you.

CalsoftTechie
Enthusiast

This code should work.

Log out of the ServiceNow instance and try clearing the cache.
