You can use Orchestrator to limit which personas can see and interact with the workflows. Ideally, only the administrator interacts with workflows in vRealize Orchestrator. Delegated administrators and end users should interact with the workflows through the vSphere Web Client or through vRealize Automation.

The Horizon vRealize Orchestrator plug-in installs a number of workflows that are organized into directories in the vRealize Orchestrator UI. The API access and Business logic folders are not intended to be modified because their contents form the building blocks of the other executable workflows. To prevent unauthorized customization of workflows, as a best practice, for certain folders, remove edit permissions for all users except the administrator.

Important:

The suggested permission settings listed in this topic are required only if you want to hide the CoreModules folder and the configuration elements inside the View folder from delegated administrators and end users.

In the Workflows view, you can set the following access rights:

  • On the root folder in the left pane, set the access rights so that delegated administrators have only View and Execute permissions.

  • On the Configuration folder and CoreModules folder, set the access rights so that delegated administrators have no permissions, and therefore cannot even see the folders. This restriction will override the permissions set at the root folder.

  • On the Business logic folder in the CoreModules folder, set the access rights so that delegated administrators have only View permissions.

  • On the API access folder in the CoreModules folder, set the access rights so that delegated administrators have only View permissions.

  • On the vSphereWebClient folder, set the access rights so that delegated administrators have only View permissions.

If you are unfamiliar with the procedure for setting access rights, see "Set User Permissions on a Workflow" in the vRealize Orchestrator documentation, available from the VMware vRealize Orchestrator Documentation page at https://www.vmware.com/support/pubs/orchestrator_pubs.html.

In the Configurations view, you can set the following access rights:

  • On the View folder, set the access rights so that delegated administrators have no permissions.

  • On all configuration elements inside the View folder, set the access rights so that delegated administrators have only View permissions.

If you are unfamiliar with the procedure for setting access rights, see "Create a Configuration Element" in the vRealize Orchestrator documentation, available from the VMware vRealize Orchestrator Documentation page at https://www.vmware.com/support/pubs/orchestrator_pubs.html.