Hi,
Is it possible to allow only some day 2 operations for a subgroup of members in a project?
They are also not allowed to request catalog items.
I'm looking for a way to give snapshot rights to already deployed VMs to application owners.
Sadly this is not possible via the custom roles, because a custom role consists of at least 1 permission.
And the permissions are not project bound.
Hi brtlvrs,
Have you found a way to do it?
I'm also looking for a method to allow some day 2 actions only to the owner of a deployment,
and not to all the members of the project.
Because on some projects with the option "Deployments are shared between all users in the project" enabled, everybody sees all deployments, but I don't want all the members to be able to delete them, for example.
Thanks
Hi,
Have you checked if it is possible with a Day 2 action policy?
https://docs.vmware.com/en/vRealize-Automation/8.11/Using-and-Managing-Service-Broker/GUID-AB957C4B-...
Yes for sure.
I tried to do it with Day 2 Actions, but I haven't found a way to do it.
With Day 2 actions, I can enable/disable actions for specific roles (administrators, members, ...) but I'm not able to enable actions only for the owners of deployments, because "owner" is not really a role.
But in my case I want to allow owners of deployments to have a few more actions enabled on a deployment than other members of the project.
OK, I will try on my side and get back to you in the next few days. Otherwise, I can create a feature request for this.
Thanks!! I appreciate 😀👍
Depending on your needs what about the option in the project definition:
And deselect this.
Would that work for you ?
I started with vRA 8.4, and only a clean design with Active Directory groups was successful. With Custom Roles I played for a while and had strange effects: no access, no Day 2 actions, etc. The same with vRA roles and hard and soft enforcement. Don't mix them; I was not successful.
Finally I used only 2 built-in roles => Members and Full Administrators.
I designed each project as a team folder that contains normal members, admin members (both vRA role "Member") and vAA full admins (vAA role Administrator).
The policies are also mapped to Active Directory; all normal members of each team are assigned to a policy.
The trick is that you can define criteria inside a policy: a Linux admin can only create snapshots for Linux machines. You can define criteria for catalog items, resources, tags, a hardcoded deployment, etc.
What is a bit tricky is that criteria on a dynamic property of a VM/resource (for example power on/off) have a delay. I had a policy under which a deployment can only be deleted when its machines are powered off. The delay was not traceable and longer than 10 minutes (vCenter sync). Only policy enforcement helps. I think the policy sync is triggered only by changing members, not by changing VM properties.
Hello Arnaud,
Checking further, I found this suggestion in a previous case.
You can restrict the Policy by having a Deployment Owner criteria in the Policy. In this case, the Deployments that are owned by sean will have the mentioned Day2 actions for sean.
Hi @eduardosuarez ,
Thanks for your answers.
I've seen this possibility, but if I do that, it will be OK for Sean, but I have 1000 users, so I don't really want to create 1 approval rule per user 🙂
After some tests/research, I've found a solution to my problem.
I've created a custom workflow, and a Resource Action for Deployment resources, based on the workflow.
In the workflow script I check whether the requestor of the delete action is equal to the Deployment Owner. If yes, I initiate the deletion; if not, I do nothing (an error is raised).
So I add this custom menu button for users, and remove the basic "Delete".
And the magic appears 🙂
Thanks again for your help guys
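
The owner check described in the post above, sketched as an added example that is not part of the original thread and is not the poster's workflow. The function names, the `ownedBy` field name, the case-insensitive comparison and the sample accounts are assumptions; the real deletion call is stubbed with a callback, and the code is written in ES5 style so it can be pasted into a workflow scriptable task.

```javascript
// Added example (not the poster's workflow). All names are hypothetical.
// Assumption: the deployment record exposes its owner as `ownedBy`.

// Normalize a principal name; anything empty or non-string becomes null.
function normalizePrincipal(value) {
  if (typeof value !== "string") return null;
  var v = value.trim().toLowerCase(); // assumption: names compare case-insensitively
  return v.length > 0 ? v : null;
}

// Decide whether `requestor` may run an owner-only action. Fails closed:
// a missing requestor or a missing owner is a denial, never a match.
function authorizeOwnerAction(requestor, deployment) {
  var who = normalizePrincipal(requestor);
  var owner = normalizePrincipal(deployment ? deployment.ownedBy : null);
  if (who === null) return { allowed: false, reason: "requestor unknown" };
  if (owner === null) return { allowed: false, reason: "deployment has no owner" };
  // Compare the full principal: the domain part is never stripped, so
  // alice@corp.example and alice@lab.example stay distinct identities.
  if (who !== owner) return { allowed: false, reason: "requestor is not the owner" };
  return { allowed: true, reason: "owner match" };
}

// Wrapper for the custom "delete" action: raise an error unless the
// requestor owns the deployment. `deleteFn` stands in for the real deletion.
function deleteIfOwner(requestor, deployment, deleteFn) {
  var decision = authorizeOwnerAction(requestor, deployment);
  if (!decision.allowed) {
    var id = deployment ? deployment.id : "(unknown)";
    throw new Error("Delete denied for deployment " + id + ": " + decision.reason);
  }
  return deleteFn(deployment.id);
}

// Constructed sample data.
var sampleDeployment = { id: "dep-001", ownedBy: "Alice@corp.example" };
var deleted = [];
function fakeDelete(id) { deleted.push(id); return id; }

console.log(authorizeOwnerAction("alice@corp.example", sampleDeployment));
try {
  deleteIfOwner("bob@corp.example", sampleDeployment, fakeDelete);
} catch (e) {
  console.log(e.message);
}
```

As in the post, the check only restricts anything if the built-in "Delete" action is removed for the same users.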
Hi,
Do you know if it is possible to remove the "Delete" action for all users when it comes to a VM? Admins, users, owners etc.
I want to allow users only to Delete Deployment, but not have/see the Delete option on a VM.
I tried with a Day2 Action policy: apply to Role Admins and Members, remove "Cloud.vSphere.Machine.Delete" from the list of Actions, for Organization/All Projects,
but no success. What am I missing here?
I have it working. I only have one role on an AD group, as mixing groups sometimes gives me confusing rights.
And I have the roles created in custom roles. I do not use any built-in ones.