AS2E
Contributor
Contributor

Run Workflow as a specific user

Jump to solution

Hi everyone,

My English isn't great, so I'm sorry for any mistakes I'll make.

I have a little problem with the rights management in vCenter Orchestrator. I just set up a new Orchestrator environment. I created a few workflows like for example for shutting down or restarting VMs. My problem is than I don't want every user to be able to manage every VMs. For realizing that, I needed to configure the Orchestrator to use a single session per user. Then I set the permissions on the vCenter Server. That actually works very well.

Know I created another workflow which clones a existent VM. But because the Orchestrator uses a single session per user, the vCO Users don't have sufficient rights to clone a VM. That's because I'd like to run the Cloning-Workflow to run as another User. I already discovered the "Change credentials"-Action, but know the Users don't have enough rights for changing any credentials. I also don't want to give them administrator rights, at least as long as they're able to change Workflows using the Orchestrator Client.

So I tried to restrict the access using the Orchestrator Client. But this also seems to be impossible without denying the web access. Now I'm stuck. Is there any solution for this?

Thanks a lot.

0 Kudos
1 Solution

Accepted Solutions
cdecanini_
VMware Employee
VMware Employee

OK, I have just done the test on my side so I understand better what is going on.

It seems you need the admin right set on the permission of the workflow and each of its parent until the root to change credential. Problem is admin roles give the right to create / edit / delete.

I think this is the same situation you experienced.

A work around would be to use the firewall block the vCO data port for hosts different than the vCO server and maybe your admin workstation.

Maybe another one would be to schedule a workflow from original workflow (to be tested, it may run as system).

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter

View solution in original post

0 Kudos
14 Replies
AS2E
Contributor
Contributor

Because nobody seems to know a solution for this, I now tried to solve this using the Windows Firewall. I assigned Administrator-Rights to the vCO Users and I'd now like to block connections to the server from this group.

As far as I know the command port is the one I have to block. Because we normally don't use the Windows firewall on our servers I allowed connections which don't match a rule. Then I edited the "VMware vCenter Orchestrator - Command" rule which is predefined. I changed the action to "allow connections if it's secure" and in the Users tab I defined to allow only connections from the vCO Administrators group. But the connection still works for everyone. For testing I also tried to block all ports for everyone who's not a member of the vCO Administrators group. But this also didn't change anything. Then I tried to block all connection which don't mach a rule. As a result the connection wasn't possible for anyone.

Could somebody please help me to define a working rule? Thanks a lot.

0 Kudos
cdecanini_
VMware Employee
VMware Employee

If I recall properly the change of credential in a workflow is done by vCO and shoud not require the user to have the right to change credential.

Screen shot 2011-03-08 at 8.55.15 AM.png

Christophe.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
0 Kudos
AS2E
Contributor
Contributor

Even if the configuration is set to use one session per user? My users definitely need to have administrator rights.

0 Kudos
cdecanini_
VMware Employee
VMware Employee

It seems I did not recall this well :smileyconfused:. I may always had the user log in vCO changing credential part of vCO admins.

There are 2 different things:

  • Being part of the vCO Admin groups which seems to be required to change credential on the workflow.
  • The vCenter plug-in configuration with either shared session or session per user.

Please test to add the user starting the workflow as part of vCO admin group and then check that the change credential works and that the operation started in vCenter is being started as the user specified in the change credential box.

Christophe.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
0 Kudos
AS2E
Contributor
Contributor

Yes, as soon as I add the user to the vCO Administrators group it works. I did that as workaround until now.

0 Kudos
cdecanini_
VMware Employee
VMware Employee

As an alternative have you tried to set full permissions on that particular workflow (and parent objects) for a group in which you would add the particular user ?

This may very much not work but just in case it does ...

Christophe.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
0 Kudos
AS2E
Contributor
Contributor

Yes, I tried and it doesn't work. It only works when I add the user to the vCO Administrators group or when I set full permissions on root level in the workflows section. But that's the same like being member of the vCO Administrators group, isn't it?

regards

0 Kudos
cdecanini_
VMware Employee
VMware Employee

This was to test if you need to be part of the vco admin group or just having full permissions on this workflow.

If removing the user from the vCO admins and setting full permissions allowed you to change credential than chance are that you remove the full permissions on root, add full permission on workflow, add view permissions on all parent objects of the workflow.

There is an example on how to do this here: http://mighty-virtualization.blogspot.com/2010/11/vco-rights-management-for-webviews.html

Christophe.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
AS2E
Contributor
Contributor

Well, I tried again and your solution seems to work. The users are no longer able to modify existing workflows which is a lot better than it was before. The only thing else that's bothering me is the ability of the users to create new workflows. Do you also have a solution for this? Would be great, thanks.

0 Kudos
cdecanini_
VMware Employee
VMware Employee

You can now try to lower the rights to only view / execute for the gourp of users you want to access this workflow.

This should not give them the right to create new workflows.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
0 Kudos
AS2E
Contributor
Contributor

I don't think that's gonna work that way. For denying the users to create workflows I have to revoke they're administrator permissions on root level but as soon as I do that, the change credential action won't work anymore.

0 Kudos
cdecanini_
VMware Employee
VMware Employee

When you say revoke, you mean changing their rights from all possible permissions to what permission ?

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
0 Kudos
cdecanini_
VMware Employee
VMware Employee

OK, I have just done the test on my side so I understand better what is going on.

It seems you need the admin right set on the permission of the workflow and each of its parent until the root to change credential. Problem is admin roles give the right to create / edit / delete.

I think this is the same situation you experienced.

A work around would be to use the firewall block the vCO data port for hosts different than the vCO server and maybe your admin workstation.

Maybe another one would be to schedule a workflow from original workflow (to be tested, it may run as system).

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter

View solution in original post

0 Kudos
AS2E
Contributor
Contributor

Yes, that's exactly what I meant. According to your answer it's not possible to set the permissions I'd like to using vCO. I think I'll let it be like it is right now. At least they can't change existing workflows anymore and normally the users won't have installed the vCO Client or even have the permissions to install it. For creating new workflows they would have to log in on an administrator's workstation where the vCO Client is installed. I doubt whether that ever happens. Thanks for your help.

Regards

0 Kudos