Prerequisites:
1. The vCenter Server instance is added in vRO using an administrator user account with full privileges on vCenter Server (using the "Share a unique session" option while adding the vCenter Server instance) and full permissions in vRO.
2. The "vmuser" has fewer privileges, e.g. the default "Virtual machine user (sample)" role on the vCenter Server and the View, Inspect and Execute permissions in vRO.
Scenario:
The “vmuser” executes the vCenter Server workflow “Create simple virtual machine”.
The workflow execution completes successfully, creating the specified virtual machine. However, the operations are executed in the context of the service account, i.e. the administrator user account with full privileges that was used for adding the vCenter Server in vRO. Note that the "vmuser" has no permission to create a virtual machine, yet with only Execute permission in vRO this restricted user created a virtual machine.
I also observed that the Initiator reported in Recent Tasks and in More Tasks in the vSphere Web Client differ.
What options are available if I want to execute the vRO workflow/operations in the context of the “vmuser” – the user that initiated the vRO Workflow instead of the service account used for adding the vCenter Server in vRO?
I would appreciate your thoughts, suggestions and comments on this.
I can think of a few options:
1. Plug-in for vRO with Custom Workflows
2. Leverage the vRO REST API to retrieve the vRO user and workflow/operation details, and check them against the vCenter Server privileges of the vRO user to allow or disallow the vRO workflow/operation.