VMware Cloud Community
timrab
Contributor

API query AdminVM returns ACCESS_TO_RESOURCE_IS_FORBIDDEN (403)

Hi Experts,

In a use case running vCloud 9.1 (API v30.0) where we need to obtain all VM information for all vCloud Organisations, we need to query the AdminVM using GET requests such as:

  • /api/query?type=adminVM


As this will be executed by an external workflow process at set intervals, we are required to use a user with a limited set of permissions. Therefore we've tried to create some sort of "Read only Admin" on the "System" organization, having only read rights to all objects (using this as a guideline: Predefined Roles and Their Rights):

  • Name          : Provider vDC Storage Policy: View
  • Name          : Catalog: View ACL
  • Name          : UI Plugins: View
  • Name          : Organization vDC Gateway: View Load Balancer
  • Name          : vCenter: View
  • Name          : General: View Error Details
  • Name          : Organization vDC Gateway: View Static Routing
  • Name          : Custom entity: View custom entity definitions
  • Name          : Organization VDC: view metrics
  • Name          : Organization vDC Gateway: View NAT
  • Name          : Organization vDC Gateway: View IPSec VPN
  • Name          : Additional Services: View Running Workflows
  • Name          : Organization vDC Gateway: View Firewall
  • Name          : Organization vDC Gateway: View L2 VPN
  • Name          : Organization vDC: View
  • Name          : Network Pool: View
  • Name          : Cell Configuration: View
  • Name          : Organization vDC: Extended View
  • Name          : Access All Organization VDCs
  • Name          : Organization vDC Gateway: View
  • Name          : Host: View
  • Name          : Datastore: View
  • Name          : Custom entity: View custom entity instance
  • Name          : Organization vDC Distributed Firewall: View Rules
  • Name          : Service Library: View service libraries
  • Name          : Catalog: View Published Catalogs
  • Name          : Catalog: Shadow VM View
  • Name          : Organization vDC: View ACL
  • Name          : Custom entity: View all custom entity instances in org
  • Name          : Right: View
  • Name          : vApp: View VM metrics
  • Name          : Organization vDC Resource Pool: View
  • Name          : vApp: View ACL
  • Name          : VCD Extension: View
  • Name          : Organization vDC Gateway: View BGP Routing
  • Name          : vApp: Shadow VM View
  • Name          : Organization vDC Gateway: View SSL VPN
  • Name          : vApp: VM Check Compliance
  • Name          : Additional Services: View Workflows
  • Name          : Organization vDC Network: View Properties
  • Name          : Resource Pool: View
  • Name          : Organization: View
  • Name          : Organization: view metrics
  • Name          : Disk: View Properties
  • Name          : vApp Template / Media: View
  • Name          : General: Administrator View
  • Name          : Hybrid Cloud Operations: View to-the-cloud tunnel
  • Name          : Organization Network: View
  • Name          : Catalog: View Private and Shared Catalogs
  • Name          : Provider vDC: View
  • Name          : Organization vDC Gateway: View OSPF Routing
  • Name          : Provider vDC Resource Pool: View
  • Name          : Site: View
  • Name          : Organization vDC Gateway: View DHCP
  • Name          : Hybrid Cloud Operations: View from-the-cloud tunnel
  • Name          : Group / User: View
  • Name          : License Report: View
  • Name          : VDC Template: View
  • Name          : Provider Network: View
  • Name          : Organization vDC Gateway: View Remote Access


Unfortunately, we have been unable to create a user / role that has the required permissions, as we are always getting this result:

  • This operation is denied." minorErrorCode="ACCESS_TO_RESOURCE_IS_FORBIDDEN"


The only clue we've found is in this thread on GitHub (Full list of required rights · Issue #139 · vmware/container-service-extension · GitHub), where it mentions you need the following right:

  • Organization: Perform Administrator Queries

However, in the vCloud GUI this permission is nowhere to be found. Is this some sort of hidden permission, or only introduced in a more recent release of vCloud, or...?

Please advise, we're breaking our heads on this one.

Cheers,

Tim

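The failure described above (a limited-rights system user issuing `GET /api/query?type=adminVM` and receiving a 403 with minorErrorCode `ACCESS_TO_RESOURCE_IS_FORBIDDEN`) is easier to diagnose when the client separates an authorization failure from any other HTTP error and reports the vCloud error code instead of a bare status. The script below is an added example, not VMware's code and not code from the original post. It assumes the vCloud Director REST API as documented for version 30.0: a session is opened with `POST /api/sessions` using HTTP Basic credentials in the form `user@org`, the session token is returned in the `x-vcloud-authorization` header, and the query returns a `QueryResultRecords` element containing `AdminVMRecord` children. The host, user and password are placeholders, and the two XML documents embedded in the block are constructed samples (the error one mirrors the `This operation is denied.` / `ACCESS_TO_RESOURCE_IS_FORBIDDEN` text quoted above) so the parsing and classification logic can be exercised offline.

```python
"""Query adminVM records from vCloud Director (API v30.0) with a low-privilege
user and report ACCESS_TO_RESOURCE_IS_FORBIDDEN as a rights problem rather than a
generic HTTP failure.

Added example; assumes the documented vCloud REST API behaviour named in the
lead-in. Host and credentials are placeholders.
"""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

VCD_NS = "http://www.vmware.com/vcloud/v1.5"
ACCEPT = "application/*+xml;version=30.0"   # API version used in the thread

# Constructed sample bodies (not captured from a real cell) used for offline checks.
SAMPLE_ERROR_XML = (
    b'<Error xmlns="http://www.vmware.com/vcloud/v1.5" majorErrorCode="403" '
    b'minorErrorCode="ACCESS_TO_RESOURCE_IS_FORBIDDEN" '
    b'message="This operation is denied."/>'
)
SAMPLE_RECORDS_XML = (
    b'<QueryResultRecords xmlns="http://www.vmware.com/vcloud/v1.5" '
    b'total="2" pageSize="25" page="1">'
    b'<AdminVMRecord name="web-01" status="POWERED_ON" '
    b'href="https://vcd.example.invalid/api/vApp/vm-1"/>'
    b'<AdminVMRecord name="db-01" status="POWERED_OFF" '
    b'href="https://vcd.example.invalid/api/vApp/vm-2"/>'
    b'</QueryResultRecords>'
)


def parse_error(body: bytes) -> dict:
    """Extract the error attributes from a vCloud <Error> response body."""
    root = ET.fromstring(body)
    if root.tag != f"{{{VCD_NS}}}Error":
        raise ValueError(f"not a vCloud Error element: {root.tag}")
    return {
        "majorErrorCode": root.get("majorErrorCode"),
        "minorErrorCode": root.get("minorErrorCode"),
        "message": root.get("message"),
    }


def parse_admin_vm_records(body: bytes) -> list:
    """Return one dict per AdminVMRecord in a QueryResultRecords response."""
    root = ET.fromstring(body)
    return [
        {"name": rec.get("name"), "status": rec.get("status"), "href": rec.get("href")}
        for rec in root.findall(f"{{{VCD_NS}}}AdminVMRecord")
    ]


def explain_minor_error(minor_error_code: str) -> str:
    """Map the minorErrorCode seen in the thread to an operator-facing hint."""
    if minor_error_code == "ACCESS_TO_RESOURCE_IS_FORBIDDEN":
        # The thread points at the 'Organization: Perform Administrator Queries'
        # right as the one typically missing for admin-scoped queries.
        return ("role lacks a right required for this query; check the role and the "
                "rights bundle for 'Organization: Perform Administrator Queries'")
    return f"unhandled vCloud error {minor_error_code}"


def login(host: str, user: str, org: str, password: str) -> str:
    """Open an API session and return the x-vcloud-authorization token."""
    cred = base64.b64encode(f"{user}@{org}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/sessions", method="POST")
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Accept", ACCEPT)
    with urllib.request.urlopen(req) as resp:
        return resp.headers["x-vcloud-authorization"]


def query_admin_vms(host: str, token: str, page: int = 1, page_size: int = 25) -> list:
    """Fetch one page of adminVM records; raise PermissionError on a 403."""
    url = f"https://{host}/api/query?type=adminVM&page={page}&pageSize={page_size}"
    req = urllib.request.Request(url)
    req.add_header("x-vcloud-authorization", token)
    req.add_header("Accept", ACCEPT)
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_admin_vm_records(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code == 403:
            err = parse_error(exc.read())
            raise PermissionError(
                f"{err['minorErrorCode']}: {err['message']} "
                f"({explain_minor_error(err['minorErrorCode'])})"
            ) from exc
        raise


if __name__ == "__main__":
    # Placeholder values; replace before running against a real cell.
    tok = login("vcd.example.invalid", "readonly-admin", "System", "CHANGE_ME")
    for vm in query_admin_vms("vcd.example.invalid", tok):
        print(vm["name"], vm["status"])
```

Because `query_admin_vms` turns the 403 into a `PermissionError` carrying the vCloud `minorErrorCode`, a scheduled workflow can log a precise reason (a missing right on the role or rights bundle) rather than retrying a request that will never succeed with that role.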
2 Replies
timrab
Contributor

No one here with an answer? I'm offering free drinks here in Amsterdam in exchange 😄

ItrisTF
Contributor

Hey Tim,

Did you have a look at the Rights bundle attached to the specific tenant(s) you are trying to approach?

In that rights bundle you may find not all ACLs are highlighted (and therefore not selectable per role or per user).

And the drinks part sounds tempting ;)
