3 Replies Latest reply on Mar 7, 2018 1:22 AM by Manish Patil

    Redirection of SNOW users for vRA authentication

    rstoker13 Enthusiast
    VMware Employees

      vRA 7.3 - Simple Deployment

      SNOW Jakarta - vRA/SNOW plugin 3.0

       

      We are attempting to restrict the redirection of users to ONLY 100-200 of our 66,000+ potential users. The vra_user role appears to accomplish this for the vast majority. However, we have a fairly large number of users that hold the 'admin' role. It appears that ALL users holding the admin role are redirected as well. As few as 5 of the 60+ admin users will actually administer the vRA components and should be redirected to vRA.

       

      Is there a way to prevent the redirection for non-vRA Admins?

        • 1. Re: Redirection of SNOW users for vRA authentication
          rstoker13 Enthusiast
          VMware Employees

          This question evolved into 2 individual questions.

          1.     How do you allow only selected users to redirect?

               A:     The 'vra_user' role accomplishes this. Our ServiceNow engineer was able to identify the 'Login Rule' responsible for the redirect (VRA_VIDM) and all seemed well, until we realized that it was also redirecting ALL users that held the 'admin' role. Our organization has a large number of users that hold the admin role and a very small subset would truly need to administer vRA and be redirected. This led us to our second question...

          2.     How do you redirect ONLY users that hold the 'vra_user' role and not all admin users as well?

               A:     Our ServiceNow engineer above modified the 'Login Rule' to look for the explicitly defined 'vra_user' role. This means that in order for anyone, even admins, to be redirected, they must hold this role. This has been working well for us. We are waiting for official support notification, but the VMware team is aware of our problem and solution.

           

          See below for the details.

           

          Current VRA_VIDM :

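          VRA_VIDM();
          function VRA_VIDM() {
               // Redirect to vRA only when the current user explicitly holds 'vra_user'.
               if(hasExactRole('vra_user')){
                     var param = "/vra_redirect_to_external.do";
                     gs.setRedirect(param);
               }

               // Checks sys_user_has_role directly for the current user and the named role.
               function hasExactRole(role){

                    // Look up the role record by name.
                    var rol = new GlideRecord('sys_user_role');
                    rol.addQuery('name', role);
                    rol.query();
                    if (rol.next()) {
                         // Look for a row linking the current user to that role.
                         var hasRole = new GlideRecord('sys_user_has_role');
                         hasRole.addQuery('user', gs.getUserID());
                         hasRole.addQuery('role', rol.sys_id);
                         hasRole.query();

                         if (hasRole.next()) {
                              return true;
                         } else {
                              return false;
                         }
                    }
                    // The role does not exist, so nobody is redirected.
                    return false;
               }
          }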
          

           

          Original VRA_VIDM :

          VRA_VIDM();
          function VRA_VIDM() {
          
               if(gs.getUser().hasRole('vra_user')){
                    var param = "/vra_redirect_to_external.do";
                    gs.setRedirect(param);  
               }
          
          }
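
The difference between the two rule versions above, as an added illustration that is not part of rstoker13's post or of the vRA/ServiceNow plugin: a stand-alone JavaScript model of both checks, run over constructed users, that lists who stops being redirected when the rule changes. The table rows and user names are constructed, and the admin override in the hypothetical `hasRoleWithAdminOverride` helper is an assumption modelling the behaviour the thread reports for the original rule.

```javascript
// Constructed rows shaped like the two tables the modified login rule queries.
const sysUserRole = [
  { sys_id: 'r1', name: 'admin' },
  { sys_id: 'r2', name: 'vra_user' },
  { sys_id: 'r3', name: 'itil' },
];
const sysUserHasRole = [
  { user: 'alice', role: 'r1' },  // admin who does not administer vRA
  { user: 'bob', role: 'r1' },    // admin who also holds vra_user
  { user: 'bob', role: 'r2' },
  { user: 'carol', role: 'r2' },  // vRA consumer, not an admin
  { user: 'dave', role: 'r3' },   // neither role
];

// Role names a user holds, resolved through the constructed tables.
function rolesOf(user) {
  return sysUserHasRole
    .filter((h) => h.user === user)
    .map((h) => sysUserRole.find((r) => r.sys_id === h.role).name);
}

// Assumed model of the original rule: the check also passes for any 'admin' holder.
function hasRoleWithAdminOverride(user, role) {
  const roles = rolesOf(user);
  return roles.includes(role) || roles.includes('admin');
}

// Model of hasExactRole(): role lookup by name, then an explicit user-to-role row.
function hasExactRole(user, role) {
  const rec = sysUserRole.find((r) => r.name === role);
  if (!rec) return false; // unknown role: nobody is redirected
  return sysUserHasRole.some((h) => h.user === user && h.role === rec.sys_id);
}

// Who is redirected under each rule, and who loses the redirect after the change.
function auditRedirect(role) {
  const users = [...new Set(sysUserHasRole.map((h) => h.user))];
  const original = users.filter((u) => hasRoleWithAdminOverride(u, role));
  const modified = users.filter((u) => hasExactRole(u, role));
  return { original, modified, dropped: original.filter((u) => !modified.includes(u)) };
}

console.log(auditRedirect('vra_user'));
```

The `dropped` list is the set to review before rolling out the change: any admin in it who does administer vRA needs the 'vra_user' role granted explicitly.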
          
          • 2. Re: Redirection of SNOW users for vRA authentication
            kmenze Novice

            We are having the same issue: our ServiceNow admins are all getting prompted for VRA login despite not being in the vra_user role.  We tried updating the VRA_VIDM login rule as you showed, but our admins are still being prompted for VRA login as they log into ServiceNow.

             

            I noticed the original question specified their ServiceNow instance was Jakarta.  We are running with the Istanbul version.  Do you happen to have an updated version of this VRA_VIDM login rule for Istanbul?  Or, should we be expecting this modification to work for Istanbul as well?

             

            Thank you.

            • 3. Re: Redirection of SNOW users for vRA authentication
              Manish Patil Enthusiast

              This code should work.

              Log out of the ServiceNow instance and try clearing the cache.