VMware Cloud Community
markb01
Contributor

VMware Orchestrator 7.2

Hi,

Our environment consists of two vRA appliances with Orchestrator, development and production.   We do all our development work in our dev vRO and use Codestream to migrate it across to our production vRO when it is ready and tested.

We require full read/write access in Dev, however would like to restrict our Production instance to read only for all users to allow them to view workflows and all workflow runs for troubleshooting, but no ability to make changes to any workflows.

I have configured a user with rights to "view, inspect and execute", however this doesn't provide the level of permissions required - we are able to view workflows, but cannot see any previous runs / history.

Is there something I am missing here, or does vRO not support this functionality?

Cheers,

Mark

4 Replies
iiliev
VMware Employee

Hi Mark (and welcome to the community),

When you say the user is not able to see any previous runs/history, what exactly is not visible and where? Previous runs in the inventory tree, in the log panel, runs by other users, runs that happened some time ago with the vRO client closed and reopened since then?

BTW, you may consider another way to ensure that your workflows are not editable on the prod machine. On the dev machine, you can put the workflows you work on in a vRO package and then export the package to a folder as a set of XML files, which you can put under a source control system like Git. Then, when you want to deploy them in prod, you can assemble the package binary and 'seal' its content (the workflows), which will make them effectively un-editable, and then import the resulting package binary file into prod vRO. That's the approach used by most vRO plug-ins to distribute their content.

markb01
Contributor

Hi Llian,

Thanks!

When in VMware Orchestrator, we can see the workflows etc., but if we expand the workflow to look at all the previous runs - nothing appears - I suspect there isn't a level of permission to grant this, but posted just in case.

Cheers,

Mark

iiliev
VMware Employee

Yes, you cannot grant permissions to individual workflow executions. The usual behavior is something like:

* the non-admin users should be able to see their own workflow executions (the executions they started)

* the admin users should be able to see other users' executions

There is also some periodical purging of the old workflow executions.

To troubleshoot it further, could you check if you can see the fresh executions? Just run some workflow and check if you can see this particular execution in the inventory tree immediately after the execution completes. Also, check if you can see the same execution if you close the vRO client and reopen it again.

Another thing to check is what executions for a given workflow are returned by the vRO REST API (these APIs are not used by the vRO client). Just make a GET request to https://{vrohost}:{port}/vco/api/workflows/{workflowid}/executions/ and check the result body.

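The REST check suggested in the reply above, written out as an added example (not code from the thread or from VMware): it requests the executions list as two different accounts and reports, per starting user, how many runs the second account cannot see. HTTP Basic authentication, the JSON layout (relations/link/attributes carrying "id" and "startedBy") and the sample bodies are assumptions constructed for illustration.

```python
import base64
import json
import ssl
import urllib.request
from collections import Counter


def executions_url(host, port, workflow_id):
    # URL pattern quoted in the reply above.
    return f"https://{host}:{port}/vco/api/workflows/{workflow_id}/executions/"


def fetch_executions(host, port, workflow_id, user, password, cafile=None):
    """GET the executions list as `user`. HTTP Basic auth is an assumption."""
    req = urllib.request.Request(executions_url(host, port, workflow_id))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checks stay on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def runs_by_starter(body):
    """Count executions per 'startedBy' value (assumed response layout)."""
    counts = Counter()
    for link in body.get("relations", {}).get("link", []):
        attrs = {a.get("name"): a.get("value") for a in link.get("attributes", [])}
        if "id" in attrs:  # ignore links that are not executions
            counts[attrs.get("startedBy", "<unknown>")] += 1
    return counts


def visibility_gap(admin_body, user_body):
    """Runs per starter that the admin account sees and the other account does not."""
    admin, user = runs_by_starter(admin_body), runs_by_starter(user_body)
    return {who: n - user[who] for who, n in admin.items() if n > user[who]}


def _link(run_id, starter):  # builds one constructed list entry
    return {"rel": "down", "attributes": [{"name": "id", "value": run_id},
                                          {"name": "startedBy", "value": starter}]}


# Constructed sample bodies: the same workflow listed by an admin and a read-only user.
ADMIN_VIEW = {"relations": {"link": [_link("run-1", "alice"), _link("run-2", "bob"),
                                     _link("run-3", "bob")]}}
USER_VIEW = {"relations": {"link": [_link("run-1", "alice")]}}

if __name__ == "__main__":
    print(visibility_gap(ADMIN_VIEW, USER_VIEW))
```

Against a live server, pass the two bodies returned by `fetch_executions` for the admin and the restricted account to `visibility_gap`; an empty result means both accounts see the same runs.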
markb01
Contributor

Hi,

Thanks - you have confirmed that my question isn't possible - non-admin (i.e. read-only) users can't see other users' workflows. The behavior we are seeing appears to be expected, but just thought I would post in case there was a level of permissions that did allow a read-only/non-admin user to see all workflow runs.

Cheers,

Mark
