How to configure vRO (vCO) AD permissions on workflows

This is a small “How to” that I was thinking might be useful to some folks having the same requirement as I did today.

before I begin you will see in this post me referring to vRA and vRO as vCAC and vCO as well. This is because the products names changed but not the UI’s so bare with me.

What I was required by the customer here is to setup  access rights on workflows for users from active directory.

In vRO version 5.5.2 that I am working with (embedded in vRA 6.1.1) there are 3 places where there are AD configuration settings.

First is in the vCO configurator where we used to configure the AD plugin that allows us to run workflows infornt of AD, this section is no longer used to configure the plugin, in the new version we configure the plugin using workflows  which is the second place where you can find AD configuration settings.

For the task I am trying to setup here we will set it up in the authentication tab in the vCO configurator.

So how to?

  1. Login to the vCO configurator with user “vmware”
  2. Go to the Authentication section
  3. If vRO is already configured with SSO configuration you will need to unregister it by entering the administrative password  and clicking on “Unresgiter orchestrator” VCO AD Perm 1
  4. Set Authentication mode to “LDAP Authentication” , Change LDAP client to “Active Directory” and input the information in the required fields as follows
    1. LDAP host – Your DC
    2. Root – Distinguished name of your domain , example if my domain is then the root would be dc=lab,dc=com
    3. User name – distinguished name of the user name used to browse the domain
    4.  user lookup base and group lookup base – the paths to the OU or Container where vRO will lookup users and groups. If the domain is very large with many objects (hundreds of thousands) it is recommended to direct it to a subfolder of the domain, if the domain is not that big it is ok to direct to the root of the domain.
    5. vCO admin group – the distinguished name of the admin group for vCO
    6. If you chose to use SSL than click on “SSL certificates” and import the domain certificate by directing the configurator to the DC

      VCO AD Perm 2

      AD authentication

  5. Now to test it click on “test login” tab and input the administrative user you would like to test the login with in a UPN format (

    VCO AD Perm 3

    test login

  6. Now we wil restart the vRO service, click on “startup options” and “Restart service”

    Restart vCO service

    Restart vCO service

Now that we have configured AD authentication in vRO we can setup permissions from AD, but before that if this vRO is part of a vRA deployment (vCAC) instance we need to fix the vCAC authentication with vRO.:

  1. Login to the default tanent in vRA using administrator@vsphere.local usually
  2. Click on “Advanced services”

    Advanced vRA service

    Advanced vRA service

  3. Click on “server Configuration”

    vCOP configuration in vRA

    vCOP configuration in vRA

  4. You will need to switch to “external orchestrator server” even if you are using the embedded one
  5. change the authentication to basic and input the right user to login with.

Now let’s setup some permissions:

  1. Login to the Orchestrator client using the administrative credentials from your AD that you chose previously.
  2. First thing to do is to allow minimal access rights to a group you would like to be able to work with vCO (the permissions work only with groups), On the root folder right click  and select “edit access rights”

    Add permissions in vCO

    Add permissions in vCO

  3. Click on “Add access rights” and type in the name of the group you would like to give access to, make sure to select minimal permissions here such as only “View” and “Inspect”

    Set AD permissions in vCO

    Set AD permissions in vCO

  4. Click Ok and “Save and Close”
  5. Now on any other folder you would like a group to be able to execute a workflow (example) right click and add the required permissions.

That was a quick one, any comments are welcome.




Leave a Reply

Your email address will not be published. Required fields are marked *