Actions run on deployed catalog items. Provisioned catalog items, and the actions you are entitled to run on them, appear in your Items tab. To run actions on a deployed item, the action must be included in the same entitlement as the catalog item that provisioned the item from the service catalog.

For example, entitlement 1 includes a vSphere virtual machine and a create snapshot action, and entitlement 2 includes only a vSphere virtual machine. When you deploy a vSphere machine from entitlement 1, the create snapshot action is available. When you deploy a vSphere machine from entitlement 2, there is no action. To make the action available to entitlement 2 users, add the create snapshot action to entitlement 2.

If you select an action that is not applicable to any of the catalog items in the entitlement, it will not appear as an action on the Items tab. For example, your entitlement includes a vSphere machine and you entitle a destroy action for a cloud machine. The destroy action is not available to run on the provisioned machine.

You can apply an approval policy to an action that is different from the policy applied to the catalog item in the entitlement.

If the service catalog user is the member of multiple business groups, and one group is only entitled to power on and power off and the other is only entitled to destroy, that user will have all three actions available to them for the applicable provisioned machine.

Best Practices When Entitling Users to Actions

Blueprints are complex and entitling actions to run on provisioned blueprints can result in unexpected behavior. Use the following best practices when entitling service catalog users to run actions on their provisioned items.

  • When you entitle users to the Destroy Machine action, entitle them to Destroy Deployment. A provisioned blueprint is a deployment.

    A deployment can contain a machine. If the service catalog user is entitled to run the Destroy Machine action and is not entitled to run the Destroy Deployment, when the user runs the Destroy Machine action on the last or only machine in a deployment, a message appears indicating that they do not have permission to run the action. Entitling both actions ensures that the deployment is removed from your environment. To manage governance on the Destroy Deployment action, you can create a pre approval policy and apply it to the action. This policy will allow the designated approver to validate the Destroy Deployment request before it runs.

  • When you entitle service catalog users to the Change Lease, Change Owner, Expire, Reconfigure and other actions that can apply to machines and to deployments, entitle them to both actions.