I won't be able to post them before monday. But I'm pretty sure it's not a workflow issue. The workflows and action work all fine in vCO Client and weboperator. Apart from I already checked with the workflows posted by cdecanini and it didn't work. I have all the problems in default web view only. I already created a new web view for testing out of the included template and I have the same problems. Could someone post his default web view (*.zip file) here please? I'd like to check if that's the problem before I reinstall everything.

btw. is it possible to reinstall vCO only when I installed it together with vCenter Server?

Hi!

Here we go:

The default webview-template (usually located in the Installation folder of your vCO-CLIENT) and the "Virtual Machine Manager"- webview from the vco-examples.zip on the documentation homepage (that's the one the tutorial in the vCO-developer guide is referencing to...)

Regards,

Joerg

oh, I missed your question:

You should be able to install/uninstall/reinstall the vCO-server separately from vCenter, even with the default installation.

(Control panel / Software / vCO-entry or the installer-exe file in folder vco in the vCenter-installation.DVD/zip)

Regards,

Joerg

Well, doesn't work with these web views too. There seem's to be a problem calling actions in presentation. Looks like I had to reinstall everything.

2011-03-21 08:26:43.573+0100 DEBUG [WrappedJavaMethod] Calling method : public java.util.List com.vmware.vmo.plugin.vi4.VMwareInfrastructure.getAllVirtualMachines(java.lang.String[],java.lang.String)
2011-03-21 08:26:43.620+0100 ERROR [VimSession] getOrCreateVimObject() --> Unable to get Vim class for 'Folder'
2011-03-21 08:26:43.620+0100 ERROR [VimSession] fetchVimReferencesForType('VirtualMachine') [internal@https://lab-srv002:443/sdk/Main#1d7d327c] --> Unknown exception
java.lang.NullPointerException
at com.vmware.vmo.plugin.vi4.VimSession.fetchVimReferencesForType(VimSession.java:1059)
at com.vmware.vmo.plugin.vi4.VimSession.fetchVimObjectsForType(VimSession.java:1110)
at com.vmware.vmo.plugin.vi4.VimPluginFactory$FindAllThread.run(VimPluginFactory.java:294)

Because tschoergez wan'ts to try to reproduce the error I attached web view which doesn't work for me and the workflow I'm using.

I have good and bad news. I now found a working configuration. Everything works as soon as I specify to use a shared sessions for runnig all workflows. But that's actually the worst possible case for me. I designed all workflows to use a single session per user. My rights management is based on that. Because redesigning all my workflows is the least thing I want to, I know hope anyone here knows a workaround for this.

What permissions have the users you want to run the workflow in vCenter?

Try to give them additional a read-only on the topmost-level (with the propagation enabled).

I think thats mandatory for using the getAllVMs-Action.

As workaround you could change your methodology and create an separate action with some functionality "getAllVMsTheUserHasAccessTo()"...

Regards,

Joerg

The users already have read-only rights on top-level. I have the same problems even when I use a domain administrator account.

The action your mentioned I'm already working on. I have a few problems calling the "retrieveEntityPermissions"-method. I think it should return all the permissons for a given VM, doesn't it? Do you know how to call it correctly? I always get a "not defined" error.

Again, sourcecode is helpful.

But one step back: Do you want to crawl trough every VM and compare its permissions to the current user?

This might not be a very scalable design. Unfortunately, I think there is no way to get all permissions for a specific user (limitation of vCenter API). But maybe there is a way using the searchIndex-object of vCenter-API, according to its documentation it only shows objects the users has permissions to see.

Other alternative (seen from other installations): Keep a separate track, which user is responsible for which VM! Either in a separate database, via custom attributes in vCenter, special folder structure, naming conventions, ....

Regards,

Joerg

Yes, I actually was planning to compare each VMs permissions with the user. I know it's not very scalable but I didn't find another way. I don't know the searchIndex-object of vCenter-API but if it shows the objects the users has permission on, I won't be able to use it. My users have read rights on all objects in vCenter Server. This was necessary for another workflow I have. Do you think the users will notice something when I compare each VMs permissions with the user?

The separate track would also be possible but that means than I always have to edit the permissions in vCenter Server and somewhere else, doesn't it? That's actually not what I want.

My script:

var allVM = System.getModule("com.vmware.library.vc.vm").getAllVMs() ;
var user = Server.getCurrentLdapUser() ;
var ugroup = Server.searchLdapGroups("vCO Users");
var agroup = Server.searchLdapGroups("vCO Administrators");
var umemb = user.isMemberOfGroup(ugroup[0]) ;
var amemb = user.isMemberOfGroup(agroup[0]) ;
var allowedVMs = new Array();
System.log(user.loginName);
System.log("vCO User: "+umemb);
System.log("vCO Administrators: "+amemb);
if(umemb == true || amemb == true)
{
for(var jj=0; jj<allVM.length; jj++)
{
  var perm = VcAuthorizationManager.retrieveEntityPermissions(allVM[jj],true);
  System.log(perm[0].principal);
  for(var ii=0; ii<perm.length; ii++)
  {
   if(perm[ii].principal == user.loginName)
   {
    allowedVMs.push( allVM[jj] );
   }
  }
}
}
return allowedVMs;

Hi!,

first: with an external tracking you have a redundancy: same data (what user has access to what VM) in vCenter and your external system. So youre right, you have to update it twice if something changes.

For your script: If it works I don't see any problems right now. absolutly no problem if it is only used inside workflows, more possible problems if you use it in input presentation (these actions are called more often than the workflows). but its only about scalability, so if you test it sucessful for your environment, just use it (it's more a philosophical question about quick-and-existing vs. more-elegant-but-also-more-effort-to-develop   solutions).

(see also: http://www.google.de/search?q=premature+optimisation+is+the+root+of+all+evil  (and Mr. Knuth knows what he's talking about 🙂 ).

Cheers,

Joerg

I think I'll try to use my script because it's the easiest way. If it's too slow I can still change. The problem is, it doesn't work yet. It always stops at the following line.

var perm = VcAuthorizationManager.retrieveEntityPermissions(allVM[jj],true);

I can't check right know but I think the error messages says something like "retrieveEntityPermissions is not defined" or "wasn't found in VcAuthorizationManager". I think im not using the command correctly. Does anybody know how to call the retrieveEntityPermissions-Method?

Where does your VcAuthorizationManager come from?

I cannot test it right now, but I think you cannot just use/instanciate the Object, but you have to retrieve it from a SDKConnection:

var myAuthMgrRef = SdkConnection.authorizationManager

Be aware that it returns a MoRef, not the object itself, so maybe some other step is necessary.

See also the discussion here:

http://communities.vmware.com/thread/226686

regards,

Joerg

ps: don't mind the bold layout, it was just because of copy&paste 🙂

I know added the line you mentioned to my script. The pound key was a typing error, wasn't it? Now it says "SdkConnection is not defined". How can I define it?

Thanks and reagards!

I had to change a few things on my script but now it works. The problem I now have is than the script shows me all VMs the users have read rights on. So I'll have to add an if-statement which adds the VMs to the array dependig on the role ID. Do you know how to get the role ID of a specific role? Isn't that possible whitout another script? I just clicked around in vSphere Client for about 20 minutes but I can't find anything.

I don't think the roleIDs are shown in the client.

you can use autorizationManager.roleList which returns an array with all roles, or if you have a static role you want to use: Use th ManagedObjectBrowser (MOB) to figure out details.

(http://your.vcenter.server/mob ) => content-Link => authorizationManager

See also:

http://www.vcoportal.de/tools/managed-object-browser/

Regards,

Joerg

Great, it work's. Thank's a lot. You were really helpful.