You can use vRealize Orchestrator to limit which personas can see and interact with the workflows. Ideally, only the administrator interacts with workflows in vRealize Orchestrator. Delegated administrators and end users interact with the workflows through the vSphere Web Client or through vRealize Automation.
vRealize Orchestrator Plug-in for Horizon installs several workflows that are organized into directories in the vRealize Orchestrator UI. The API access and Business logic folders are not intended to be modified because their contents form the building blocks of the other executable workflows. To prevent an unauthorized customization of workflows, as a best practice, for certain folders, remove edit permissions for all users except the administrator.
In the Workflows view, you can set the following access rights:
- On the root folder in the left pane, set the access rights so that delegated administrators have only View and Execute permissions.
- On the Configuration folder and CoreModules folder, set the access rights so that delegated administrators have no permissions, and therefore cannot even see the folders. This restriction overrides the permissions set at the root folder.
- On the Business logic folder in the CoreModules folder, set the access rights so that delegated administrators have only View permissions.
- On the API access folder in the CoreModules folder, set the access rights so that delegated administrators have only View permissions.
- On the vSphereWebClient folder, set the access rights so that delegated administrators have only View permissions.
If you are unfamiliar with the procedure for setting access rights, see "Set User Permissions on a Workflow" in the vRealize Orchestrator documentation, available from the VMware vRealize Orchestrator Documentation page at https://docs.vmware.com/en/vRealize-Orchestrator/index.html.
In the Configurations view, you can set the following access rights:
- On the View folder, set the access rights so that delegated administrators have no permissions.
- On all configuration elements inside the View folder, set the access rights so that delegated administrators have only View permissions.
If you are unfamiliar with the procedure for setting access rights, see "Create a Configuration Element" in the vRealize Orchestrator documentation, available from the VMware vRealize Orchestrator Documentation page at https://docs.vmware.com/en/vRealize-Orchestrator/index.html.