Hi Experts,
In a use case running vCloud 9.1 (API v30.0) where we need to obtain all VM information for all vCloud Organisations, we need to query the AdminVM using GET requests such as:
- /api/query?type=adminVM
As this will be executed by an external workflow process at set intervals, we are required to use a user with a limited set of permissions. Therefore we've tried to create some sort of "Read only Admin" on the "System" organization, having only read rights to all objects (using this as a guideline: Predefined Roles and Their Rights):
- Name : Provider vDC Storage Policy: View
- Name : Catalog: View ACL
- Name : UI Plugins: View
- Name : Organization vDC Gateway: View Load Balancer
- Name : vCenter: View
- Name : General: View Error Details
- Name : Organization vDC Gateway: View Static Routing
- Name : Custom entity: View custom entity definitions
- Name : Organization VDC: view metrics
- Name : Organization vDC Gateway: View NAT
- Name : Organization vDC Gateway: View IPSec VPN
- Name : Additional Services: View Running Workflows
- Name : Organization vDC Gateway: View Firewall
- Name : Organization vDC Gateway: View L2 VPN
- Name : Organization vDC: View
- Name : Network Pool: View
- Name : Cell Configuration: View
- Name : Organization vDC: Extended View
- Name : Access All Organization VDCs
- Name : Organization vDC Gateway: View
- Name : Host: View
- Name : Datastore: View
- Name : Custom entity: View custom entity instance
- Name : Organization vDC Distributed Firewall: View Rules
- Name : Service Library: View service libraries
- Name : Catalog: View Published Catalogs
- Name : Catalog: Shadow VM View
- Name : Organization vDC: View ACL
- Name : Custom entity: View all custom entity instances in org
- Name : Right: View
- Name : vApp: View VM metrics
- Name : Organization vDC Resource Pool: View
- Name : vApp: View ACL
- Name : VCD Extension: View
- Name : Organization vDC Gateway: View BGP Routing
- Name : vApp: Shadow VM View
- Name : Organization vDC Gateway: View SSL VPN
- Name : vApp: VM Check Compliance
- Name : Additional Services: View Workflows
- Name : Organization vDC Network: View Properties
- Name : Resource Pool: View
- Name : Organization: View
- Name : Organization: view metrics
- Name : Disk: View Properties
- Name : vApp Template / Media: View
- Name : General: Administrator View
- Name : Hybrid Cloud Operations: View to-the-cloud tunnel
- Name : Organization Network: View
- Name : Catalog: View Private and Shared Catalogs
- Name : Provider vDC: View
- Name : Organization vDC Gateway: View OSPF Routing
- Name : Provider vDC Resource Pool: View
- Name : Site: View
- Name : Organization vDC Gateway: View DHCP
- Name : Hybrid Cloud Operations: View from-the-cloud tunnel
- Name : Group / User: View
- Name : License Report: View
- Name : VDC Template: View
- Name : Provider Network: View
- Name : Organization vDC Gateway: View Remote Access
Unfortunately, we have been unable to create a user / role that has the required permissions, as we are always getting this result:
- This operation is denied." minorErrorCode="ACCESS_TO_RESOURCE_IS_FORBIDDEN"
The only clue we've found is in this thread on GitHub (Full list of required rights · Issue #139 · vmware/container-service-extension · GitHub) where it mentions you need the following right:
- Organization: Perform Administrator Queries
However, in the vCloud GUI this permission is nowhere to be found. Is this some sort of hidden permission, or only introduced in a more recent release of vCloud, or...?
Please advise, we're breaking our heads on this one.
Cheers,
Tim
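For anyone scripting the same scheduled adminVM export, the following is an added example (not Tim's code, and not from VMware) of the client side of this problem: building the paginated `/api/query?type=adminVM` request for API version 30.0, parsing the `QueryResultRecords` page, recognising the `ACCESS_TO_RESOURCE_IS_FORBIDDEN` error so the job fails loudly instead of silently returning nothing, and checking a candidate role's rights against the one right the linked GitHub issue names. The host name, session token and XML bodies are constructed sample values; the request/response shapes follow the public vCloud API query format, and the `fetch` callable is injected so the module runs offline.

```python
"""Least-privilege adminVM query helper for vCloud Director 9.1 (API 30.0).
Constructed example: the sample XML below imitates the query service's
responses; no live vCloud cell is contacted."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, List, Optional

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
API_VERSION = "30.0"   # vCloud 9.1, as stated in the post

# Right named in vmware/container-service-extension issue #139 (cited in the post)
REQUIRED_FOR_ADMIN_QUERY = {"Organization: Perform Administrator Queries"}


def query_headers(session_token: str) -> dict:
    """Headers for an already-authenticated vCloud session (token is a placeholder)."""
    return {"Accept": f"application/*+xml;version={API_VERSION}",
            "x-vcloud-authorization": session_token}


def query_url(base_url: str, page: int = 1, page_size: int = 128) -> str:
    """Paginated adminVM query; 128 is the API's maximum pageSize."""
    return f"{base_url}/api/query?type=adminVM&page={page}&pageSize={page_size}"


@dataclass
class QueryOutcome:
    forbidden: bool = False
    minor_error_code: Optional[str] = None
    message: Optional[str] = None
    records: List[dict] = field(default_factory=list)
    next_page: bool = False


def parse_query_response(body: str) -> QueryOutcome:
    """Distinguish an <Error> body (e.g. the 403 in the post) from a result page."""
    root = ET.fromstring(body)
    if root.tag.split("}")[-1] == "Error":
        code = root.get("minorErrorCode")
        return QueryOutcome(forbidden=(code == "ACCESS_TO_RESOURCE_IS_FORBIDDEN"),
                            minor_error_code=code, message=root.get("message"))
    wanted = ("name", "org", "vdc", "status", "numberOfCpus", "memoryMB")
    records = [{k: r.get(k) for k in wanted}
               for r in root.findall(f"{{{VCLOUD_NS}}}AdminVMRecord")]
    more = any(l.get("rel") == "nextPage" for l in root.findall(f"{{{VCLOUD_NS}}}Link"))
    return QueryOutcome(records=records, next_page=more)


def collect_all_vms(fetch: Callable[[str, dict], str], base_url: str,
                    session_token: str, page_size: int = 128) -> List[dict]:
    """Walk every page; raise instead of returning a partial/empty inventory
    when the read-only role is missing an admin-query right."""
    page, records = 1, []
    while True:
        body = fetch(query_url(base_url, page, page_size), query_headers(session_token))
        outcome = parse_query_response(body)
        if outcome.forbidden:
            raise PermissionError(f"{outcome.minor_error_code}: {outcome.message}")
        records.extend(outcome.records)
        if not outcome.next_page:
            return records
        page += 1


def missing_rights(role_rights, required=REQUIRED_FOR_ADMIN_QUERY) -> List[str]:
    """Rights a candidate role still lacks for the admin query (per the cited issue)."""
    return sorted(required - set(role_rights))


# ---- constructed sample responses -------------------------------------------
SAMPLE_FORBIDDEN = (f'<Error xmlns="{VCLOUD_NS}" majorErrorCode="403" '
                    'minorErrorCode="ACCESS_TO_RESOURCE_IS_FORBIDDEN" '
                    'message="This operation is denied."/>')
SAMPLE_PAGE_1 = (f'<QueryResultRecords xmlns="{VCLOUD_NS}" name="adminVM" page="1" '
                 'pageSize="2" total="3">'
                 '<Link rel="nextPage" href="https://vcloud.example.invalid/api/query?type=adminVM&amp;page=2"/>'
                 '<AdminVMRecord name="web01" org="ExampleOrg" vdc="ExampleVDC" status="POWERED_ON" numberOfCpus="2" memoryMB="4096"/>'
                 '<AdminVMRecord name="db01" org="ExampleOrg" vdc="ExampleVDC" status="POWERED_OFF" numberOfCpus="4" memoryMB="8192"/>'
                 '</QueryResultRecords>')
SAMPLE_PAGE_2 = (f'<QueryResultRecords xmlns="{VCLOUD_NS}" name="adminVM" page="2" '
                 'pageSize="2" total="3">'
                 '<AdminVMRecord name="app01" org="OtherOrg" vdc="OtherVDC" status="POWERED_ON" numberOfCpus="1" memoryMB="2048"/>'
                 '</QueryResultRecords>')


def fake_fetch(url: str, headers: dict) -> str:
    """Offline stand-in for an HTTP GET against the sample cell."""
    return SAMPLE_PAGE_2 if "page=2" in url else SAMPLE_PAGE_1


if __name__ == "__main__":
    vms = collect_all_vms(fake_fetch, "https://vcloud.example.invalid", "TOKEN-PLACEHOLDER")
    print(f"{len(vms)} VMs across orgs: {sorted({v['org'] for v in vms})}")
    print("missing rights:", missing_rights(["Organization: View", "vApp: View ACL"]))
```

In a real run, `fetch` would be a thin wrapper around `requests.get(url, headers=headers).text` after a `POST /api/sessions` login; failing on the forbidden error rather than swallowing it is what makes a permission regression on the service account visible to whoever monitors the workflow.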