VMware Cloud Community
FTVDaniel
Contributor

how permissions work in orchestrator

Hello,

There is something I do not understand very well:

permissions on vCO.

I have decided to give rights to domain users on the root folder of vCO to allow them to see vCO in vCenter,

and on each folder I create for teams I give no rights to domain users and View, Inspect, Execute rights to the team.

This works well through vCenter, even if one of the workflows uses another workflow stored in a folder where the user does not have rights.

This is to prevent the users from seeing the workflows of other teams and the library workflows.

But this does not work in Orchestrator itself.

Can someone help me figure out how exactly vCO works with permissions?

3 Replies
iiliev
VMware Employee

Hi,

The permission model is quite simple:

  • When some permissions are granted on some object for some group, they are implicitly propagated to its children down the inventory hierarchy.
  • When querying for a specific permission on some object, first it is checked whether the permission is granted on the object itself for any group the user is a member of; if it is not granted directly, the object's parents are checked recursively (up until the root object).

What do you mean by "this does not work in orchestrator itself"?

FTVDaniel
Contributor

If the user connects to Orchestrator through the Java client, I need to give him read rights on the library for him to start a workflow that uses workflows in the library.

If the user starts the same workflow through the vCenter Web Client, he does not need this right.

My concern is to allow each user to see only the workflows he is allowed to start directly, not the ones his workflows start.

Hope I am clear.

iiliev
VMware Employee

The vRO Java client uses an internal API to connect to the vRO server, and it requires View permission on the root level in order to log in. To start a workflow, you need Execute permission.

The vSphere Web Client uses a different, REST-based API to communicate with the vRO server. In this case, you don't need to grant View permission on the root level, but you still need Execute permission to start a workflow.

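As an added illustration (not code from this thread or from vRO itself), the following Python model implements only the two lookup rules from the first reply and the two client entry points from the last one, applied to a folder layout like the one in the original post; the folder names, group names and the View/Inspect/Execute permission set are constructed assumptions.

```python
# Constructed model of the lookup rules described in the thread; not vRO code.
PERMISSIONS = ("View", "Inspect", "Execute")


class InventoryObject:
    """A folder or workflow in the inventory tree (names are assumptions)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.acl = {}  # group name -> set of permissions granted on this object

    def grant(self, group, *perms):
        self.acl.setdefault(group, set()).update(perms)


def has_permission(obj, user_groups, perm):
    """Rule 2: check the object itself, then each ancestor up to the root.
    Rule 1 (grants propagate to children) is what the upward walk implements."""
    node = obj
    while node is not None:
        if any(perm in node.acl.get(g, ()) for g in user_groups):
            return True
        node = node.parent
    return False


def effective_permissions(obj, user_groups):
    return {p for p in PERMISSIONS if has_permission(obj, user_groups, p)}


def can_login_java_client(root, user_groups):
    # The Java client requires View on the root object just to log in.
    return has_permission(root, user_groups, "View")


def can_start_workflow(workflow, user_groups):
    # Both clients require Execute on the workflow; the REST client skips the login View check.
    return has_permission(workflow, user_groups, "Execute")


def build_sample_inventory():
    """Constructed layout mirroring the post: View for domain users on the root,
    full rights for the team on its own folder, no grants at all on Library."""
    root = InventoryObject("root")
    root.grant("domain-users", "View")
    library = InventoryObject("Library", root)
    team_a = InventoryObject("Team A", root)
    team_a.grant("team-a", "View", "Inspect", "Execute")
    team_wf = InventoryObject("Team A/deploy-vm", team_a)
    lib_wf = InventoryObject("Library/helper", library)
    return root, team_wf, lib_wf
```

Note that under the stated rules a group with no entry on a child folder still inherits whatever was granted higher up, so a domain user here ends up with View (but not Execute) on the library workflow.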