You can use the Orchestrator client to limit which personas can see and interact with the workflows. Ideally, only the administrator interacts with workflows in vCenter Orchestrator by using the Orchestrator client. Delegated administrators and end users should interact with the workflows through the vSphere Web Client or through the service catalog in vCloud Automation Center.

The Horizon vCenter Orchestrator plug-in installs a number of workflows that are organized into directories in the vCenter Orchestrator UI. The API access and Business logic folders are not intended to be modified because their contents form the building blocks of the other executable workflows. To prevent unauthorized customization of workflows, as a best practice, remove edit permissions on certain folders for all users except the administrator.

Important:

The suggested permission settings listed in this topic are required only if you want to hide the CoreModules folder and the configuration elements inside the View folder from delegated administrators and end users.

In the Workflows view, you can set the following access rights:

  • On the root folder in the left pane, set the access rights so that delegated administrators have only View and Execute permissions.

  • On the Configuration folder and CoreModules folder, set the access rights so that delegated administrators have no permissions, and therefore cannot even see the folders. This restriction will override the permissions set at the root folder.

  • On the Business logic folder in the CoreModules folder, set the access rights so that delegated administrators have only View permissions.

  • On the vCAC60 folder and the vSphereWebClient folder, set the access rights so that delegated administrators have only View permissions.

If you are unfamiliar with the procedure for setting access rights, see "Set User Permissions on a Workflow" in the vCenter Orchestrator documentation, available from the VMware vCenter Orchestrator Documentation page at https://www.vmware.com/support/pubs/orchestrator_pubs.html.

In the Configurations view, you can set the following access rights:

  • On the View folder, set the access rights so that delegated administrators have no permissions.

  • On the viewPodConfiguration, DA-configuration, and PoolPolicyConfiguration configuration elements in the View folder, set the access rights so that delegated administrators have only View permissions.

  • If you have Horizon vCenter Orchestrator plug-in 1.1, also set the access rights on the GuestCredentialConfiguration and SelfServicePoolConfiguration configuration elements in the View folder so that delegated administrators have only View permissions.

If you are unfamiliar with the procedure for setting access rights, see "Create a Configuration Element" in the vCenter Orchestrator documentation, available from the VMware vCenter Orchestrator Documentation page at https://www.vmware.com/support/pubs/orchestrator_pubs.html.
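As an added example (not VMware's code, and not using any Orchestrator API), the following JavaScript checks a manually recorded set of delegated-administrator rights against the settings listed above and reports every deviation. The key format, the placement of folders under "root", and the rule that the nearest explicit setting wins are assumptions made for illustration; the recorded data is constructed.

```javascript
// Expected rights for the delegated-administrator group, from the lists above.
// Folder nesting under "root" is an assumption; the page gives names, not full paths.
// With plug-in 1.1, add the two extra configuration elements with ["View"].
const BASELINE = {
  "workflows:root": ["View", "Execute"],
  "workflows:root/Configuration": [],
  "workflows:root/CoreModules": [],
  "workflows:root/CoreModules/Business logic": ["View"],
  "workflows:root/vCAC60": ["View"],
  "workflows:root/vSphereWebClient": ["View"],
  "configurations:View": [],
  "configurations:View/viewPodConfiguration": ["View"],
  "configurations:View/DA-configuration": ["View"],
  "configurations:View/PoolPolicyConfiguration": ["View"],
};

// Rights that apply at a path: the nearest explicit entry wins, walking up the tree.
// A path with no explicit entry anywhere above it is treated as having no rights.
function effectiveRights(explicit, path) {
  for (let p = path; ; p = p.slice(0, p.lastIndexOf("/"))) {
    if (p in explicit) return { rights: explicit[p], from: p };
    if (!p.includes("/")) return { rights: [], from: null };
  }
}

// Compare a recorded permission set with the baseline and list every deviation.
function audit(explicit) {
  const findings = [];
  for (const [path, expected] of Object.entries(BASELINE)) {
    const { rights, from } = effectiveRights(explicit, path);
    const extra = rights.filter((r) => !expected.includes(r));
    const missing = expected.filter((r) => !rights.includes(r));
    if (extra.length || missing.length) {
      findings.push({ path, extra, missing, inheritedFrom: from === path ? null : from });
    }
  }
  return findings;
}

// Constructed sample: the baseline with three deliberate deviations.
const RECORDED = { ...BASELINE, "workflows:root/vCAC60": ["View", "Edit"] };
delete RECORDED["workflows:root/CoreModules/Business logic"];
delete RECORDED["workflows:root/vSphereWebClient"];

for (const f of audit(RECORDED)) console.log(JSON.stringify(f));
```

The Business logic finding shows why that folder needs its own entry: without one it inherits the empty permission set of CoreModules, while vSphereWebClient without an entry inherits Execute from the root folder.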