VMware Cloud Community
timgawne
Enthusiast

vSphere Web Client/Orchestrator Role Based Access

I'd like to present a granular level of workflows to certain groups via the vSphere Web Client. It seems though that it's all workflows, or nothing.

Does anyone have a solution to restrict Orchestrator workflows presented via the vSphere Web Client? I can grant View/Execute/Inspect permissions to certain groups within Orchestrator, but until those groups are given the same permissions to the entire Orchestrator instance, the workflows do not show up for them in the vSphere Web Client.

Thanks,

Tim

0 Kudos
4 Replies
iiliev
VMware Employee

Hi Tim,

Within Orchestrator, you should give the following permissions to the groups:

1) 'View' permissions on vCO root object/instance.

2) 'View' + 'Execute' permissions on workflows (or folders containing workflows) that you want to be able to execute in vSphere Web Client.

Within vSphere Web Client, the users/groups should also have been granted some roles/permissions, for example, 'virtual machine power user'.

After setting these permissions, only the workflows that you granted 'view'+'execute' permissions to should appear in the workflows table within vSphere Web Client.

Recently, I did the above steps in my dev environment. Seems to work properly.

timgawne
Enthusiast

Thanks, that works. Only downside is that View + Execute must be granted to nearly every folder, because the user must also have those rights on all child workflows inside of the workflow they run. Would be great if vCO ran those child workflows on behalf of the user.

0 Kudos
iiliev
VMware Employee

If you have an 'outer' workflow that calls an 'inner' workflow/action, it should be enough to give execute permissions only on the outer workflow. Note this will work only if the inner workflow is called as a 'workflow element' node and not as asynchronous/nested workflows.

Not sure in which vCO version we added this 'propagation' of permissions.

timgawne
Enthusiast

That would be great, but doesn't seem to be the case in my environment. For example, I've dropped the 'Run Script in VM Guest' workflow as a regular workflow object into my main 'Do Work' workflow. If I only grant user permissions to the 'Do Work' workflow, then the workflow eventually fails with the error that the user doesn't have rights to execute the 'Run Script in VM Guest' workflow.

Is there anything special I need to set when dropping the 'Run Script in VM Guest' workflow onto the workflow progression?

Running vCO 5.5.2

Build 1946710

0 Kudos
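
An added example, not part of any post in this thread and not VMware code: a small audit that lists the child workflows a group still lacks View/Execute on, so grants can be limited to what an entry workflow actually calls rather than nearly every folder. It assumes the behaviour reported above (rights are needed on each child workflow) and that folder grants apply to the workflows they contain; the call graph, folder paths, group name and the 'Notify Owner' and 'Stage Script' workflows are constructed sample data.

```python
# Constructed sample data. Only 'Do Work' and 'Run Script in VM Guest' come
# from the thread; other workflows, folder paths and the group are hypothetical.
CALLS = {  # workflow -> child workflows embedded as workflow elements
    "Do Work": ["Run Script in VM Guest", "Notify Owner"],
    "Run Script in VM Guest": ["Stage Script"],
    "Notify Owner": [],
    "Stage Script": [],
}
FOLDER = {  # workflow -> folder that contains it
    "Do Work": "Custom/Ops",
    "Notify Owner": "Custom/Ops",
    "Run Script in VM Guest": "Library/Guest",
    "Stage Script": "Library/Guest",
}
GRANTS = {("vm-operators", "Custom/Ops"): {"View", "Execute"}}
NEEDED = frozenset({"View", "Execute"})

def reachable(entry, calls):
    """Entry workflow plus everything it calls, directly or transitively."""
    seen, stack = [], [entry]
    while stack:
        wf = stack.pop()
        if wf not in seen:  # also guards against call cycles
            seen.append(wf)
            stack.extend(calls.get(wf, []))
    return seen

def rights(group, wf, grants, folder):
    """Rights granted on the workflow itself or on any enclosing folder
    (assumption: folder grants apply to the workflows they contain)."""
    got = set(grants.get((group, wf), ()))
    path = folder.get(wf, "")
    while path:
        got |= grants.get((group, path), set())
        path = path.rpartition("/")[0]
    return got

def missing_grants(group, entry, calls=CALLS, grants=GRANTS, folder=FOLDER):
    """Map each reachable workflow to the rights the group still lacks."""
    gaps = {}
    for wf in reachable(entry, calls):
        lack = NEEDED - rights(group, wf, grants, folder)
        if lack:
            gaps[wf] = sorted(lack)
    return gaps

if __name__ == "__main__":
    for wf, lack in missing_grants("vm-operators", "Do Work").items():
        print(f"{wf}: grant {', '.join(lack)}")
```

The 'View' permission on the vCO root object mentioned in the first reply is not modelled here and still has to be granted separately.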