Hello,
I'm having an issue where a user can see more information through vCO than should be possible with his account.
I have a user named "Test" with Read-only permissions on a VM folder named "Test" and execute permissions on the workflow "Search vm".
When I execute this workflow I expect it to only find VMs located in this folder.
The workflow has the following code to search for the VM:
// Match VMs whose name starts with the search pattern
var xpath = "xpath:name[starts-with(.,'" + pattern + "')]";
// Query every vCenter known to the plugin; no additional property filters
var vms = VcPlugin.getAllVirtualMachines(null, xpath);
This workflow, however, returns every VM you search for on the vCenter server when run with the test account, as if it were still an admin account.
For example, it returns the VM object with ID vm-1177, and the user can view all of its information and even start new tasks.
When I browse to https://vCenter/mob/?moid=vm-1177 with the test account all fields are unset.
My guess is that vCO only checks whether the user has execute permission but runs the workflow with the admin account.
Or am I doing something wrong? And is it even possible to check whether an account has permission to get certain information?
I've found this article in the KB, but it didn't answer my question: VMware KB: Orchestrator security overview
Thanks in advance
Thibaut Noben