vRA Entitlements and Approvals


Entitlements and approvals are the governance layer of vRA's self-service platform. An entitlement determines which users or groups can request catalog items or perform specific actions on the resources those requests create. Approval policies attached to entitled catalog items or entitled actions add a further control: the request is held until an approver acts on it. This post gives a step-by-step procedure for debugging two common problems with entitlements and approvals.


Debug: Entitled actions not showing up

How to do first-level analysis:

  1. Go to the resource that is not showing the entitled actions and grab its id.
  2. Run the API call (a resource is read from the consumer/resources endpoint, the same path used for the deployment in step 6 below):
    GET 'https://<VRA>/catalog-service/api/consumer/resources/<resourceId>'
  3. The output of this call reveals, among other things:
    1. Resource type
    2. The request that created this resource
    3. Owner
    4. Business group (subtenant)
    5. Operations available on the resource
    6. Resource data
  4. Now get the entitlements that belong to this business group, ordered by priority.
  5. Run the API call
    GET 'https://<VRA>/catalog-service/api/entitlements/?$filter=organization/subTenant/name%20eq%20%27<BG NAME>%27&$orderby=priorityOrder%20asc'
  6. For each of these entitlements, check:
    1. Is the owner of the resource present in the users or groups added to this entitlement, either directly or through membership in one of the groups?
    2. What is the value of the localScopeForActions flag on the entitlement? It decides whether the entitled actions apply only to the catalog items and services entitled by this same entitlement.
    3. If localScopeForActions = true:
      1. Get the deployment this resource belongs to and grab its id.
      2. Run the API call
        GET "https://<VRA>/catalog-service/api/consumer/resources/<deploymentId>"
      3. The deployment carries the catalog item id. From the catalog item, get the service it belongs to.
      4. Either the catalog item or the service must be part of the entitlement, under entitled catalog items or entitled services respectively.
      5. If you find an entitlement that satisfies the above, all the entitled actions on that entitlement should show up for the resource.
    4. If localScopeForActions = false:
      1. The entitled actions on any entitlement that covers the owner and the business group should show up for the resource.
  7. If entitled actions are still missing after this triage, the system needs a deeper look.
  8. If only the IaaS-side actions are missing, even though the user is in a group that is entitled to those actions in the business group, check whether the user groups in IaaS are in sync with the identity service.
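The procedure above can be run offline against the JSON bodies of the two GET calls. The following script is an added example, not VMware's code: it applies steps 4 to 7 to constructed sample documents and prints, for every entitlement in the business group, why it does or does not expose actions on the resource. The dictionaries are modelled on the vRA 7.x catalog-service JSON (owners, organization.subtenantRef, principals, entitledCatalogItems, entitledServices, entitledResourceOperations, localScopeForActions, priorityOrder); those field names, the catalog item's serviceRef and the user-to-group map that stands in for the identity service are assumptions to check against your own API output.

```python
"""Added example (not VMware code): an offline walk through the triage above.
The dicts are constructed to resemble the JSON returned by
GET .../consumer/resources/<id> and GET .../entitlements?$filter=... in vRA 7.x;
the field names, the catalog item's serviceRef and the user-to-group map are
assumptions to check against your own output. The script never calls the API."""


def owner_ref(resource):
    """Principal ref (UPN) of the resource owner, or None."""
    owners = resource.get("owners") or []
    return owners[0]["ref"] if owners else None


def principals_match(entitlement, user_ref, user_groups):
    """True if the entitlement names the user, one of the user's groups, or all users."""
    if entitlement.get("allUsers"):
        return True
    return any((p["type"] == "USER" and p["ref"] == user_ref) or
               (p["type"] == "SSO_GROUP" and p["ref"] in user_groups)
               for p in entitlement.get("principals", []))


def entitled_ids(entitlement, key, ref_key):
    """Ids of the active entries under entitledCatalogItems or entitledServices."""
    return {e[ref_key]["id"] for e in entitlement.get(key, []) if e.get("active", True)}


def explain_entitlement(entitlement, user_ref, user_groups, catalog_item_id, service_id):
    """Steps 6.1 to 6.4 for one entitlement: (action labels, reason) or (None, reason)."""
    if entitlement.get("status") != "ACTIVE":
        return None, f"status is {entitlement.get('status')}, not ACTIVE"
    if not principals_match(entitlement, user_ref, user_groups):
        return None, f"owner {user_ref} is not in its users/groups"
    actions = [op["resourceOperationRef"]["label"]
               for op in entitlement.get("entitledResourceOperations", []) if op.get("active", True)]
    if not actions:
        return None, "it has no entitled actions"
    local = bool(entitlement.get("localScopeForActions"))
    if local:  # actions are scoped to this entitlement's own catalog items and services
        items = entitled_ids(entitlement, "entitledCatalogItems", "catalogItemRef")
        services = entitled_ids(entitlement, "entitledServices", "serviceRef")
        if catalog_item_id not in items and service_id not in services:
            return None, (f"localScopeForActions=true but neither catalog item {catalog_item_id} "
                          f"nor service {service_id} is entitled")
    return actions, f"applies (localScopeForActions={local})"


def triage(resource, deployment, catalog_item, entitlements, user_groups):
    """Steps 4 to 7: walk the business group's entitlements in priority order and report
    which of them grant actions on the resource, with one trace line per entitlement."""
    owner, bg = owner_ref(resource), resource["organization"]["subtenantRef"]
    catalog_item_id, service_id = deployment["catalogItem"]["id"], catalog_item["serviceRef"]["id"]
    granting, actions, trace = [], [], []
    for e in sorted(entitlements, key=lambda e: e.get("priorityOrder", 0)):
        if e["organization"]["subtenantRef"] != bg:  # sanity check on the $filter result
            trace.append(f"{e['name']}: skipped, belongs to another business group")
            continue
        got, reason = explain_entitlement(e, owner, user_groups.get(owner, set()), catalog_item_id, service_id)
        trace.append(f"{e['name']}: {reason}")
        if got:
            granting.append(e["name"])
            actions.extend(a for a in got if a not in actions)
    return {"owner": owner, "business_group": bg, "granting_entitlements": granting,
            "actions": actions, "trace": trace}


# Constructed sample data. Business group and service ids are the ones in the catalina.out
# sample later in this post; the catalog item id, owner and group membership are made up.
BG = "4d090590-2bd6-4f7a-a2ce-4feb5403ee62"
XYZ1, XYZ2 = "cc806cd5-21cf-43e8-97e9-d15c2ae48bf0", "fa3a02d1-3c15-46b3-bd2e-9024f442cb1c"
CI_CENTOS, OWNER = "0c7d1e2f-0000-4000-8000-0000000000c1", "jdoe@vsphere.local"
GROUP = {"tenantName": "vsphere.local", "ref": "vRA_User@vsphere.local", "type": "SSO_GROUP", "value": "vRA_User"}
ADMIN = {"tenantName": "vsphere.local", "ref": "admin@vsphere.local", "type": "USER", "value": "Admin Vra"}


def ent(name, prio, local, principals, services=(), items=(), bg=BG, status="ACTIVE"):
    """Build an entitlement document that entitles the Power Off and Reboot actions."""
    return {"name": name, "status": status, "priorityOrder": prio, "localScopeForActions": local,
            "organization": {"tenantRef": "vsphere.local", "subtenantRef": bg}, "principals": principals,
            "entitledServices": [{"serviceRef": {"id": s, "label": s}, "active": True} for s in services],
            "entitledCatalogItems": [{"catalogItemRef": {"id": i, "label": i}, "active": True} for i in items],
            "entitledResourceOperations": [{"resourceOperationRef": {"id": a, "label": a}, "active": True}
                                           for a in ("Power Off", "Reboot")]}


SAMPLE_RESOURCE = {"id": "5f1c2a7e-0000-4000-8000-000000000001",
                   "owners": [{"tenantName": "vsphere.local", "ref": OWNER, "type": "USER", "value": "Jane Doe"}],
                   "organization": {"tenantRef": "vsphere.local", "subtenantRef": BG},
                   "parentResourceRef": {"id": "5f1c2a7e-0000-4000-8000-000000000002", "label": "CentOS7-01"}}
SAMPLE_DEPLOYMENT = {"id": "5f1c2a7e-0000-4000-8000-000000000002", "catalogItem": {"id": CI_CENTOS, "label": "CentOS 7"}}
SAMPLE_CATALOG_ITEM = {"id": CI_CENTOS, "serviceRef": {"id": XYZ1, "label": "XYZ1"}}
SAMPLE_ENTITLEMENTS = [
    ent("AdminsOnly", 1, False, [ADMIN]),                # owner is not a principal
    ent("XYZ2Only", 2, True, [GROUP], services=[XYZ2]),  # local scope, but wrong service
    ent("AllServices", 3, True, [GROUP, ADMIN], services=[XYZ1, XYZ2]),
    ent("OtherBG", 0, False, [GROUP], bg="00000000-0000-4000-8000-00000000beef"),
]
SAMPLE_USER_GROUPS = {OWNER: {"vRA_User@vsphere.local"}}  # as the identity service would report


def run_sample():
    """Triage the constructed resource and return the result dict (see its 'trace')."""
    return triage(SAMPLE_RESOURCE, SAMPLE_DEPLOYMENT, SAMPLE_CATALOG_ITEM, SAMPLE_ENTITLEMENTS, SAMPLE_USER_GROUPS)
```

On the sample data the trace reads, in priority order: OtherBG is skipped, AdminsOnly is rejected because the owner is not a principal, XYZ2Only is rejected because it is locally scoped and entitles only service XYZ2 while the deployment's catalog item belongs to XYZ1, and AllServices applies, so the resource should show Power Off and Reboot. To use it on a real system, replace the four SAMPLE_* values with the JSON bodies from the GET calls above and fill SAMPLE_USER_GROUPS from the identity service, which is also the place to look when step 8 (IaaS groups out of sync) is suspected.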


Debug: Approval request not received

How to do first-level analysis:

  1. Whenever a request is made in vRA, the system checks whether the user has the permissions and entitlements required to make it. Once it identifies the entitlement that allows the user to make the request, that entitlement is recorded as the requestor entitlement on the request.
  2. The following logs can be found in /var/log/vmware/vcac/catalina.out for a given request number:
    • [requestNumber=137, state=POST_APPROVED, requestedFor=[email protected], requestedBy=[email protected], description=Test, reasons=Test 10-06, organization=Organization[tenant=Tenant [id=vsphere.local, name=vsphere.local],subTenant=SubTenant [id=4d090590-2bd6-4f7a-a2ce-4feb5403ee62, name=BG Sulamerica, tenant=Tenant [id=vsphere.local, name=vsphere.local]]], requestorEntitlement=Entitlement: [id=abe9cfce-21d7-4dec-a9d1-5faa1f3770cc] [name=AllServices] [status=ACTIVE] principals: [Principal [tenantName=vsphere.local, ref=[email protected], type=SSO_GROUP, name=vRA_User], Principal [tenantName=vsphere.local, ref=[email protected], type=USER, name=Admin Vra]] entitledServices: [EntitledService: [approvalPolicyId=null] [serviceId=cc806cd5-21cf-43e8-97e9-d15c2ae48bf0] [serviceName=XYZ1], EntitledService: [approvalPolicyId=null] [serviceId=fa3a02d1-3c15-46b3-bd2e-9024f442cb1c] [serviceName=XYZ2]]
  3. Logs of this kind identify which entitlement is being used for the request, which services and catalog items are entitled through it, and which approval policy (approvalPolicyId) is assigned to each entitled service or entitled catalog item. In the line above both services carry approvalPolicyId=null, so this entitlement triggers no approval.
  4. Once we know which entitlement was used to complete the request, we can verify the same in the UI. When there are many entitlements, the approval policy is sometimes assigned to a lower-priority entitlement than the one that actually serves the request, so the policy never triggers. If there is an approval policy on the requestor entitlement, there should be an approval work item in the approver's inbox; if there is not, the system needs a deeper look.
  5. Another way to verify this: open the approval policy in the vRA UI and click "view linked entitlements". If no entitlements show up, the approval policy is not attached to the corresponding catalog item, service or resource action in any entitlement. If some do, check that one of them is the requestorEntitlement logged in catalina.out for the request.
  6. See also: https://pubs.vmware.com/vra-62/topic/com.vmware.vra.tenant.administration.doc/GUID-F6B95A7D-6A64-4DF4-BFC8-5A41C4C5EFA5.html
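The check in steps 2 to 4 can be scripted against catalina.out. The following is an added example, not VMware's code: it filters the log for a request number, pulls the requestorEntitlement and every entitled service or catalog item with its approvalPolicyId out of the line, and states whether an approval work item should have been created. The key=value layout of the regexes is taken from the sample line above. The constructed excerpt reproduces that line for request 137 with the redacted principals filled in with made-up UPNs and a made-up timestamp prefix, and adds an invented request 138 that does carry a policy. Treating EntitledCatalogItem entries as having the same "[approvalPolicyId=..] [catalogItemId=..] [catalogItemName=..]" shape as EntitledService entries is an assumption.

```python
"""Added example (not VMware code): answer "which entitlement served this request,
and does anything on it carry an approval policy?" from catalina.out lines.
The regexes follow the key=value layout of the sample line in the post; the
EntitledCatalogItem shape and the timestamp prefix are assumptions."""
import re

# Constructed catalina.out excerpt. Request 137 mirrors the post's sample (ids and names
# from it, principals and prefix made up); request 138 is invented to show a policy.
CATALINA_OUT = """\
2018-03-01 10:01:02,003 INFO  [tomcat-http--12] Starting request processing
2018-03-01 10:01:02,010 INFO  [tomcat-http--12] [requestNumber=137, state=POST_APPROVED, requestedFor=jdoe@vsphere.local, requestedBy=jdoe@vsphere.local, description=Test, reasons=Test 10-06, organization=Organization[tenant=Tenant [id=vsphere.local, name=vsphere.local],subTenant=SubTenant [id=4d090590-2bd6-4f7a-a2ce-4feb5403ee62, name=BG Sulamerica, tenant=Tenant [id=vsphere.local, name=vsphere.local]]], requestorEntitlement=Entitlement: [id=abe9cfce-21d7-4dec-a9d1-5faa1f3770cc] [name=AllServices] [status=ACTIVE] principals: [Principal [tenantName=vsphere.local, ref=vRA_User@vsphere.local, type=SSO_GROUP, name=vRA_User], Principal [tenantName=vsphere.local, ref=admin@vsphere.local, type=USER, name=Admin Vra]] entitledServices: [EntitledService: [approvalPolicyId=null] [serviceId=cc806cd5-21cf-43e8-97e9-d15c2ae48bf0] [serviceName=XYZ1], EntitledService: [approvalPolicyId=null] [serviceId=fa3a02d1-3c15-46b3-bd2e-9024f442cb1c] [serviceName=XYZ2]]
2018-03-01 10:05:44,120 INFO  [tomcat-http--14] [requestNumber=138, state=SUBMITTED, requestedFor=jdoe@vsphere.local, requestedBy=jdoe@vsphere.local, description=Prod box, reasons=ticket 4711, organization=Organization[tenant=Tenant [id=vsphere.local, name=vsphere.local],subTenant=SubTenant [id=4d090590-2bd6-4f7a-a2ce-4feb5403ee62, name=BG Sulamerica, tenant=Tenant [id=vsphere.local, name=vsphere.local]]], requestorEntitlement=Entitlement: [id=0d5e6f70-1111-4222-8333-444455556666] [name=ProdApproval] [status=ACTIVE] principals: [Principal [tenantName=vsphere.local, ref=vRA_User@vsphere.local, type=SSO_GROUP, name=vRA_User]] entitledServices: [EntitledService: [approvalPolicyId=9a8b7c6d-0000-4000-8000-000000000042] [serviceId=cc806cd5-21cf-43e8-97e9-d15c2ae48bf0] [serviceName=XYZ1]]
"""

REQUEST_RE = re.compile(r"\[requestNumber=(?P<number>\d+), state=(?P<state>[A-Z_]+),")
ENTITLEMENT_RE = re.compile(
    r"requestorEntitlement=Entitlement: \[id=(?P<id>[^\]]+)\] \[name=(?P<name>[^\]]+)\] "
    r"\[status=(?P<status>[^\]]+)\]")
# One entitled service or catalog item; the CatalogItem variant is assumed to follow the same shape.
ENTITLED_RE = re.compile(
    r"Entitled(?P<kind>Service|CatalogItem): \[approvalPolicyId=(?P<policy>[^\]]+)\] "
    r"\[\w+Id=(?P<id>[^\]]+)\] \[\w+Name=(?P<name>[^\]]+)\]")


def lines_for_request(log_text, request_number):
    """All catalina.out lines that carry the given requestNumber."""
    needle = f"[requestNumber={request_number},"
    return [ln for ln in log_text.splitlines() if needle in ln]


def parse_request_line(line):
    """Request number/state, requestor entitlement and entitled items from one line, or None."""
    req, entl = REQUEST_RE.search(line), ENTITLEMENT_RE.search(line)
    if not req or not entl:
        return None
    entitled = [{"kind": m["kind"], "id": m["id"], "name": m["name"],
                 "approval_policy_id": None if m["policy"] == "null" else m["policy"]}
                for m in ENTITLED_RE.finditer(line)]
    return {"number": int(req["number"]), "state": req["state"],
            "entitlement": entl.groupdict(), "entitled": entitled}


def diagnose(log_text, request_number):
    """Decide whether an approval work item should have been generated for the request."""
    parsed = [p for p in map(parse_request_line, lines_for_request(log_text, request_number)) if p]
    if not parsed:
        return {"request": request_number, "entitlement": None, "policies": [],
                "verdict": "no log line with a requestorEntitlement found for this request"}
    latest = parsed[-1]  # the last line for the request reflects its current state
    policies = [e for e in latest["entitled"] if e["approval_policy_id"]]
    name = latest["entitlement"]["name"]
    if policies:
        verdict = (f"approval policy {policies[0]['approval_policy_id']} is attached to "
                   f"{policies[0]['kind']} {policies[0]['name']} on entitlement {name}; "
                   "a work item should be in the approver's inbox")
    else:
        verdict = (f"no approval policy on any entitled item of requestor entitlement {name}; "
                   "no work item is expected. Check 'view linked entitlements' on the policy: "
                   "it is probably attached to a lower-priority entitlement")
    return {"request": latest["number"], "entitlement": latest["entitlement"],
            "policies": policies, "verdict": verdict}
```

For request 137 the verdict is that no approval is expected, because AllServices entitles XYZ1 and XYZ2 with approvalPolicyId=null; for request 138 the policy attached to service XYZ1 on ProdApproval should have produced a work item, so a missing one there is the case that calls for a deeper look. Feed the script a real file with `diagnose(open("/var/log/vmware/vcac/catalina.out").read(), 137)`; only lines that contain a requestorEntitlement are used, so routine log noise for the same request number is ignored.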


The post at https://blogs.vmware.com/management/2018/02/vra-upgradegovernance-debug-tips.html lists known user errors that cause governance migration failures when migrating from 6.x to 7.x, together with debugging steps.


Refer to https://blogs.vmware.com/management/2017/05/vrealize-automation-api-samples-for-postman.html for API examples.