A particular user with the roles "Organisation member", "Project member", "Service Broker User" fails to successfully deploy a catalog item.
In Step-6 (Machine Provisioning) the user gets the error: "Create Failed: IllegalAccessError: forbidden"
When I add the role "Service broker viewer" to this user, he is able to deploy the catalog item successfully.
But this makes no sense to me. With the role "Service broker viewer", the user gets too many menu items in his console.
This is the case with local (System) users and with users from AD.
Any ideas for a solution or suggestions for troubleshooting?
Message was edited by: sven.knockaert
So I just did exactly what you detailed with the creation of a new user, but the deployment finished successfully. I added the following roles to the user:
With those roles everything worked as expected. I am using vRA 8.1 Patch 2 in my platform, so maybe it is an issue related to the version.
However, if not, is that user a member of multiple projects? Are all the components of the blueprint entitled for use within that project?
If you can give us a little more detail maybe we can figure it out.
We also have vRA 8.1 Patch 2 (188.8.131.5283 (16633378))
This problem occurs with every user that has only the "Service Broker User" role.
From the moment I add the role "Service Broker Viewer", those users are able to successfully request and deploy a template.
It doesn't make a difference if this user is only a member of one project or multiple projects.
If the user can deploy with the extra "Service Broker viewer" role, I would assume that all the components are entitled to use within that project?
This is a really annoying problem, as I have to give my users too many roles (SB user and viewer) with the result that they have too many menu items and information available.
To be honest with you this seems weird as I did exactly that but without adding the "Service Broker Viewer" role.
How are you entitling the permissions, to groups or individual users?
To groups or individuals doesn't make any difference.
This is what I get with only the "Service Broker User" role:
When I look at the events log: (Error: java.lang.IllegalAccessError: forbidden)
Unfortunately could not find anything related to your error.
Does this happen to you with all the Blueprints? What if you create a new simple Blueprint with just a VM and one network and nothing else?
With the suggestions you gave me, I found the cause, but not the solution...
We use the "ImageRef" property for the use of Linked Clones =>
With the normal usage of the "Image" property, all users with only the "service broker user" role can request and deploy a template successfully.
Question is now: How can we let normal users deploy a template that uses linked clones?
Here I am guessing that the issue could be related to the user you are using to connect to vCenter Server; maybe it lacks permissions and cannot clone from a snapshot.
However, this is not related at all to the "Service Broker Viewer" issue you were facing, and I still think that is completely weird. However, is it possible that you are using a user with not so many permissions in vSphere?
UPDATE: I tested exactly the same scenario as you and it failed with the same error that you are facing, so tomorrow I will keep doing some troubleshooting to see if I can find something.
I'm glad to hear that you can reproduce this problem...
The Cloud Account for vSphere (vCenter) is using our main account (Administrator@vsphere.local) for the moment.
So this account should have all the permissions.
I couldn't find anything related to the error we both faced.
I tried multiple combinations: change of credentials, creation of new users, combinations of permissions, change of template, deploying in more than one vCenter, etc., and no luck. I got into the logs, but they do not point to anything specific, only to some Java-related error.
At this point I would recommend you follow up on the issue with VMware because, as we discussed previously, there is a big chance that this issue is nothing more than a bug, and if that is the case then we will need to wait for the next update or patch, whichever comes first.
Sorry I couldn't find the solution.