Prerequisites:
1. A vCenter Server instance is added in vRA (version 7.2) as a vSphere Endpoint using an administrator user account with full privileges on the vCenter Server.
2. The "vmuser" in the same vCenter Server has fewer privileges, e.g. the default "Virtual machine user (sample)" role on the vCenter Server, and is entitled to a vRA Blueprint that provisions virtual machine(s).
Scenario:
The "vmuser" submits the Blueprint request that creates virtual machine(s) on the vCenter Server.
The Blueprint execution completes successfully, creating the specified virtual machine(s). The operations are executed in the context of the service account, i.e. the administrator user account with full privileges that was used for adding the vCenter Server in vRA as a vSphere Endpoint.
Also, note that the "vmuser" has no permission to create a virtual machine (it has the default "Virtual machine user (sample)" role on the vCenter Server), and yet, with an entitlement to the Blueprint in vRA, the restricted user created virtual machine(s).
What options are available if I want to execute the vRA Blueprint in the context of the "vmuser" (the user that initiated the vRA Blueprint) instead of the service account used for adding the vCenter Server in vRA as a vSphere Endpoint?
Appreciate your thoughts, suggestions, comments on this.
Note: For example, vRealize Orchestrator has an option of using "session per user" while adding a vCenter Server in vRO. In vRO with "session per user" mode, the vRO workflow operations on the vCenter Server are executed in the context of the actual vRO user that initiated the vRO Workflow instead of the service account used for adding the vCenter Server in vRO. Is there any similar option available in vRA? (vRO permissions - hardening RBAC, Security)