VMware Cloud Community
MattG
Expert
Expert
‎10-21-2014 02:25 PM

Can I create VMs "on behalf" of BG users from a central Admin account?

I am setting up vCACwith multiple Business Groups.  However,  while the Business Group users will be able touse the VMs,  they will not be able torequestor provisionthem.

I want tobe able torequestthe VMs ontheir behalffrom my admin login.  Is this possible?  When I login as my admin account the only accounts that showin the OnBehlaf of field are others Admins,  not the users that are in the BG users.  I have added the BG Users group tothe BG Support and Users role.

-MattG

-MattG If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
6 Replies
stvkpln
Virtuoso
Virtuoso
‎10-21-2014 05:27 PM

Unfortunately, no... The way "on behalf of" works is that you're performing the request as / for that person.. using their entitlements, not yours. The only way I can imagine you'd be able to do this if you had a field for the User ID of the person you want to be the system owner in the IaaS form, and sort out how to update the system owner during, for example, the BuildingMachine or MachineProvisioned state workflows via vCO or some such... And before you ask, I don't know offhand how one would go about adjusting that... I just know it's something you want to do before the VM gets registered from IaaS on the CAFE side...

-Steve
0 Kudos
VirExprt
Expert
Expert
‎10-22-2014 06:33 AM

If you are Tenant Admin and have control on all BGs or BG admin, you should be able to request VMs on their behalf. There are two ways to do it,

1- navigate to the Catalog tab and you should see 'On Behalf of' on right hand corner, where you can type in the required username and once resolved, select it and request from catalog.

2- Request VM from catalog and while filling request form, replace owner with name of intended requester.

Make sure that the requester, for which you are requesting VM, should exist in BG(s).

Br,

MG

Regards, MG
0 Kudos
stvkpln
Virtuoso
Virtuoso
‎10-22-2014 07:51 AM

I hadn't thought about #2; that might work, but I'm 100% certain #1 won't, though. Requesting "on behalf of" will bring up the catalog based on a user's entitlements... From what I read, the behavior should be that a regular user does not see any catalog items, but an admin does. The big caveat with #2, as you said, is that the blueprint must be requested from the correct business group, or things will get weird -- if it works at all.

-Steve
0 Kudos
vcecas
Contributor
Contributor
‎10-22-2014 10:01 PM

You can also request the VM as the admin account and them change the owner to the user that wants the VM after the VM is provisioned. Then the user does not need to be entitled the the requested catalog item.

0 Kudos
VirExprt
Expert
Expert
‎10-23-2014 11:58 AM

I am not sure where this is written but i am doing it practically on regular basis and i am pretty sure both methods are correct. You should also give it try and see the magic happening..

One thing to be noted here that, we are not talking about the regular user at all, user in question is either BG admin or have 'Support User' Role assigned.

Br,

MG

Regards, MG
0 Kudos
stvkpln
Virtuoso
Virtuoso
‎10-23-2014 03:53 PM

Written or not, I've never seen the ability to use the "On behalf of" capability if the user the request is being provisioned on behalf of is not entitled. It may work just fine through the IaaS form to change the user, but that specific method (on behalf of) looks at the user's entitlements to determine what catalog items to present. My understanding of the op's request was to be able to provision without the users having any catalog items available to them directly.... That means no catalog (services / blueprints) being entitled to them directly, but they could have day 2 actions entitled.

-Steve
0 Kudos