EHC: vRealize Orchestrator user could not view the workflow token even though the "view" permission was assigned to the user account
Summary: A user is required to review each running instance and the status of every workflow. Per the security compliance requirement, the user account only needs to be assigned the view or inspect permission. After the user logged in to the vRealize Orchestrator client with this account, it was found that they could not view the workflow tokens (the run log of each workflow instance at a specific time). The admin account could view the workflows. ...
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
A user is required to review each running instance and the status of every workflow. Per the security compliance requirement, the user account only needs to be assigned the view or inspect permission.
After the user logged in to the vRealize Orchestrator client with this account, it was found that they could not view the workflow tokens (the run log of each workflow instance at a specific time).
The admin account could view the workflows.
The configuration uses a vRO login account with integrated Active Directory.

Cause
This is working as designed. When using an Active Directory account, the user account should have full permissions, including the admin, edit, view, inspect, and execute permissions, to view the workflow tokens or logs.
Tokens are locked behind administrator users by design. Logs for workflow failures are tokens, which by design require administrator access. The View permission is the most basic permission and allows the user to view only the workflows. Permission to view logs would expose the details of why a workflow failed, which would include sensitive information such as credentials, IP addresses, DNS, or DHCP names, and is therefore blocked by design. The View permission allows the user to view the elements in the workflow, but not any schema or scripting.
Resolution
With the current feature set, set up the AD user account with full vRO client permissions to review the workflow tokens or logs.
Any other requirements should be requested as an enhancement.
https://kb.vmware.com/s/article/1002123?lang=en_us
https://www.vmware.com/company/contact/contactus-prod-request.html
Products
vRealize Orchestrator (vRO) Platforms
Article Properties
Article Number: 000184041
Article Type: Solution
Last Modified: 19 Aug 2021
Version: 3