I'm in the process of evaluating vRA 8.x as a replacement for vRA 7.6 in the future. What I want to do now is to apply a similar logic for approvals that I use in 7.6 to my org and projects in 8.3. The whole role concept seems a bit confusing though.
First of all - when I assign roles to users within a project, I would assume that this would give them the right to log in to vRA, but additionally they need one of the service role rights (Cloud Assembly User or Service Broker User), just to not get a 403 when logging in. Now when a project administrator would like to assign new members to his project, how would that be regulated? A project admin cannot assign service roles in the org. Should ALL potential vRA users, that is, all user accounts that are synced from the directory, initially be given a Service Broker User or Cloud Assembly User role?
What I also noticed is that even though a user account has the Service Broker User role and the project admin role assigned, the Infrastructure/Projects tab is not visible. I have assigned the roles as per the documentation, did I miss something?
There is one more use case that seemingly cannot be migrated from vRA 7: allowing some of the project role members to give approvals for creating deployments etc. just within their project. Here's how I did this in vRA 7: users and managers can request resources. When a service is requested, the approval is assigned to users which have the "support" role assigned in the business group, like this:
This way only one approval policy has to be created; it can be assigned to services where needed, and approvals are automatically assigned to specific users within the business group.
I wanted to build something similar in vRA 8.3, but cannot find the specific role combination:
- I have created a custom role named "Approver", assigned the "manage approvals" privilege and a user account to it, but since custom roles are created at the org level, all users that have this role assigned could manage approvals for all projects. That is missing the point.
- Custom roles cannot be added at the project level, which means I cannot assign the "manage approvals" privilege to a project member. This makes no sense. The same applies to approval policies - it would be great if I could apply a custom role to the policy.
- Also, no groups, only users, can be assigned to an approval policy - what is the point in that?
The only way for my plan to work would be:
- Create Project, add users to Admin & Member roles.
- Additionally assign the Service Broker User or Cloud Assembly User role to these users.
- This would still not allow the Project admins to administer users within their projects - how can this be achieved?
- Create an approval policy for each project and assign user accounts only to this approval.
This would be far more troublesome than creating the same construct in vRA 7. Or am I missing something here?
Since editing of the original post is not possible, here's a correction on the service roles:
- Additionally assign the Service Broker User or Cloud Assembly User role to these users. - This would still not allow the project admins to administer users within their projects - how can this be achieved?
Both the Cloud Assembly User AND Service Broker User roles have to be assigned for managing projects to work as intended. Only assigning the Cloud Assembly User role results in an error when clicking on the Projects button. Only assigning the Service Broker User role results in not having access to the Infrastructure tab. I guess the documentation has to be edited.
I've also tested the access with a user account that has only the Organisation Member role. You can log in, but do not see any services, which is expected, but still, what would be the point?
What could be used as a default setting? A possibility would be to assign all of the synced user accounts and groups the Org Member role + the Cloud Assembly User and Service Broker User roles. However, this seems to be setting too many privileges, even though, realistically, a user with those roles but no project assignment would have no access to any resources. Another problem with this solution would be to actually assign those roles to "all" synced users - currently I have no idea how to do that.
For a clean setup, there should be a way to automatically assign the needed org roles to new project members. Either this should be a built-in feature, or an event topic covering this change should be created to allow automating the role assignment process.
Edit: Another possible solution would be to allow custom roles to be assigned to projects, for example: I'd create a custom role "Approver" with only the "Manage Approvals" privilege and assign a group of users to a project with this role. Also, it should be possible to create a global approval policy where approvals are assigned to this custom role. This way every request that meets the approval policy criteria would be assigned to the correct members of the "Approver" group within a project.