Configure Permissions for vRealize Orchestrator with AD

vRealize Orchestrator allows you to configure permissions for users in your authentication domain to access your vRO deployment with different types of access. While you might want administrators to access your workflows from the vSphere Web Client sometimes there will still be users that need access with the vRO client. One example is a group of developers that you only want to allow access to one or just a few folders in your vRO environment.

To assign permission to users I expect that most customers will want to use Active Directory user accounts for this purpose. Therefor I first explain how your Platform Services Controller can be integrated with an AD Domain. But first let's have a look at the Authentication Provder information in the vRealize Orchestrator Control Center. (Accessible at https://your-vro-server:8283/vco-controlcenter)

In the image below you can see that my vRO server uses my platform services controller (psc01.vmwarebits.local) with the default vSphere.local domain. But because I have integrated the PSC with AD it is also possible to use users from AD to authenticate to vRO.

vRealize Orchestrator authentication vSphere

Adding the Platform Services Container to AD

Log in to the vSphere Web Client with an administrative account and navigate to  Home - Administration - System Configuration. From here you can access the configuration of your PSC-node(s). If you have an external PSC it will be a separate node. If you have an embedded deployment with PSC and vCenter in one appliance then it would be only one node. On the PSC node under the manage tab you find the option to add the Platform Service Controller to your AD Domain.

Adding Platform Services Controller to Active Directory Domain

After configuring this you must restart the PSC appliance. (Restart the VM or navigate to the appliance management interface on port 5480 (https://your-psc:5480).

Next access the Single Sign On configuration to add your Active Directory Domain as an Identity Source. Because you have integrated the PSC with the domain you can choose to use the Integrated with Windows option, which is simpler than the LDAP-option.

Add AD Domain as Identity Source to PSC

Adding Permissions to vRealize Orchestrator

Now that the integration with AD has been taken care you can add permissions for Active Directory groups to the vRO configuration. 

Warning vRO only allows the configuration of permissions for groups, not for individual users.

It is important to first configure at least view-permissions at the top-level of your vRO inventory. To do that right-click the top-most object and select Edit Access rights.

Add permissions to vRO

The edit dialog let's you search for AD groups to add those for the permissions View, Inspect, Execute, Edit and Admin. (These permissions are explained in the vRealize Orchestrator Documentation.)

Adding group permissions to vRO

With these basic permissions set users that belong to the AD group you have specified can login to vRO and execute workflows. In my examle I have configured View, Inspect and Execute rights, but you can also configure just View-permissions and then only allow Execute-rights or Edit-rights on a lower level.

In the screnshot below you see an example of a developers-group that has Edit-access on just one folder in the inventory.

developer permissions


vRealize Orchestrator Articles on this website

Follow us on LinkedIn




Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer