Hello,
There is something I do not understand very well: permissions on VCO.
I have decided to give rights to domain users on the root folder of vco to allow them to see vco on vCenter,
and on each folder I create for teams, I give no rights to domain users and view, inspect, execute rights to the team.
This works well through vCenter, even if one of the workflows uses another workflow stored in a folder where the user does not have rights.
This is to prevent the users from seeing the workflows of other teams and the library workflows.
But this does not work in orchestrator itself.
Can someone help me to figure out how vco works exactly with permissions?
Hi,
Permission model is quite simple:
What do you mean by "this does not work in orchestrator itself"?
If the user connects to orchestrator through the Java client, I need to give him read rights on the library for him to start a workflow using workflows in the library.
If the user starts the same workflow through the vCenter web client, he does not need this right.
My concern is to allow each user to see only the workflows he is allowed to start directly, not the ones (his workflows start).
Hope I am clear.
vRO Java client uses an internal API to connect to vRO server, and it requires View permission on the root level in order to log in. To start a workflow, you need Execute permission.
vSphere Web client uses a different, REST-based API to communicate with vRO server. In this case, you don't need to grant View permission on the root level, but you still need Execute permission to start a workflow.