vmware / terraform-provider-vra

Terraform Provider for VMware Aria Automation
https://registry.terraform.io/providers/vmware/vra/
Mozilla Public License 2.0

vRA project permissions of group type fails #371

Closed VickyWinner closed 3 years ago

VickyWinner commented 3 years ago

vRA version (the vRA Cloud / 8.x version where the issue is found): vRealize Automation 8.4.1.16947 (18054500)

Terraform version: Terraform v1.0.4

terraform-provider-vra plugin version:

Describe the bug: This issue refers to the issue raised here to address the project permissions. After granting administrator/member/viewer permissions on the project to the group email, the members of that group still have no access. I am able to see the user type listed as group under Service Broker --> Projects --> Users.

To Reproduce (steps to reproduce the behavior): Just follow the example and try to grant access to a group-type AD user following the format group@domain.com.

Expected behavior: Should be able to sync from vIDM and grant appropriate permissions.

Screenshots: attached below.

Logs: Can attach logs if required.


dondon3345678 commented 3 years ago

Hi,

Could you specify

  1. The role of the user configured in vIDM
  2. The role of the group configured in the terraform config file (administrator_roles or member_roles or view_roles)
  3. How do you verify whether a user has access to the project created by the terraform provider?

Thanks, Daniel

VickyWinner commented 3 years ago

I tried all the combinations available. Not sure what exactly you are looking for. However, here are the details: The role of the user configured in vIDM

Organization member with Service Broker User, Orchestrator Viewer, Cloud Assembly Viewer.

The role of the group configured in the terraform config file (administrator_roles or member_roles or view_roles)

I have groups having all the available roles defined. In all combinations.

How do you verify whether a user has access to the project created by the terraform provider?

By logging in using a user who is a member of the group.

dondon3345678 commented 3 years ago

Hi,

I tried to reproduce the issue by assigning a user of the group (e.g. group@example.com) the service roles.

Service roles of the user of the group

Then I create a project through terraform configured with group permission

resource "vra_project" "vmc-project" {
  name        = "test proj"
  description = "created via vra terraform provider"

  administrator_roles {
    email = "group@example.com"
    type  = "group"
  }
}

Finally, I can log in and see the project in vRA.

Login with the user of the group

Please let me know if I am reproducing the issue in the way you expect.

Thanks, Daniel

VickyWinner commented 3 years ago

@dondon3345678 I am assigning the service role to the group email, not to the user of the group. I can select the vIDM group name from the drop-down, and that is how I am assigning the roles to the group email directly. After granting permission to the group email, I log in to the UI using the user (who is a member of that group) and verify.

dondon3345678 commented 3 years ago

Hi,

I tried to assign the service role to the group email directly in "Identity & Access Management" -> "Enterprise Groups". Fritz is admin.


Then the service roles of every user in the configured group are updated automatically. So I log in with a user in the group through the UI and I can see the project. Tony is the user in the group.

githubusersaranya commented 3 years ago

@dondon3345678 Actually you are right: when we assign a particular role to a user or group manually through the UI, it works well, and that specific user or the group's members are able to log in and have permissions on that project. The real issue comes when we add a group through terraform code: it is actually added to that project, but the users inside that group are unable to log in and consume vRA8 console project access.

VickyWinner commented 3 years ago

@dondon3345678, did you look at what @githubusersaranya mentioned? Are you looking for anything more from my end?

dondon3345678 commented 3 years ago

Hi,

Did you manually assign the service role to the user of the group in "Identity & Access Management"? The project IaaS API doesn't assign a service role to the user/group automatically when they are added to the project.

VickyWinner commented 3 years ago

Agree @dondon3345678. I had to add the service and organization role(s) to the group using IAM. I did not add to the user of the group.

dondon3345678 commented 3 years ago

@VickyWinner could you confirm that, after adding the user to the group with IAM, the user can log in and has the project permission when you add the role to the group? If yes, then we can close this bug.

VickyWinner commented 3 years ago

@dondon3345678, I thought I made it clear earlier. Here are the steps I followed:

  1. Sync the FIM group created in Active Directory (Integrated Windows Authentication) using vIDM.
  2. Grant Organization and Service roles to the FIM/AD group.
  3. Create the project using terraform and grant access (member/viewer/administrator) to the FIM group using the group type, per the code above.

Now when I log in using the AD ID which is a member of the FIM group, it fails to log in.

Does this make sense?

dondon3345678 commented 3 years ago

Hi @VickyWinner Let me follow your steps to reproduce:

  1. Sync FIM group created in Active Directory (Integrated Windows Authentication) using vIDM. (Screenshot: Group created in AD)
  2. Grant Organization and Service roles to the FIM/AD group. (Screenshots: Grant role to the group only; User of the group was granted the same permission; User gets the same permission)
  3. Create project using terraform and grant access (member/viewer/administrator) to the FIM group using group per code above. (Screenshot: Create project in terraform and grant project admin role to GROUP)
  4. Log in using the AD ID which is a member of the FIM group. (Screenshot: Login using Susan, member of the group)

Please let me know if I did any step wrong. Daniel

VickyWinner commented 3 years ago

@dondon3345678, in step 3, any reason you granted org/service roles to the FIM/AD group and also to the user of the group? I didn't do anything in vIDM or the vRA project with the user; all steps in vIDM/vRA IAM were related to the FIM/AD group only. When I log in, I log in using the user, which is part of that group.

dondon3345678 commented 3 years ago

You have to grant the org/service role to the group so that all users of it will be granted the same permissions to access vRA. In step 3, the user permission is granted automatically. This is necessary; otherwise the user won't be able to log in even though its group has the project admin/viewer/user permission.

VickyWinner commented 3 years ago


@dondon3345678 I did grant org/service role(s) to the group. Only after that do I use terraform to grant access using administrator_roles/member_roles/viewer_roles. In the above steps, any reason you are granting access (org/service role) to the user of the group instead of the group itself?

dondon3345678 commented 3 years ago

@VickyWinner I didn't grant permission to the user manually; this is done automatically when you grant the permission to the group of this user, so that the user can access vRA services (Service Broker, Orchestrator, Cloud Assembly).

VickyWinner commented 3 years ago

@dondon3345678 if your test is working correctly, then it could be something wrong in my code. Not sure. So, here is how I am adding multiple FIM groups. There might be something fishy in my code, as I can see that when I follow the code below, I see fimgroup1 | domain.com under the Users tab in Projects, whereas if I add a FIM group from the GUI, I see fimgroup1@domain.com | domain.com.

variable "administrators" {
  type    = list(string)
  default = [
    "fimgroup1@domain.com",
    "fimgroup2@domain.com"
  ]
}

locals {
  administrators = toset(var.administrators)
}

resource "vra_project" "this" {
.
.
.
  dynamic "administrator_roles" {
    for_each = local.administrators
    content {
      # the bare iterator is an object; .value holds the group email string
      email = administrator_roles.value
      type  = "group"
    }
  }
}

@dondon3345678 am I missing anything in above code?

VickyWinner commented 3 years ago

@dondon3345678 I did try the code below, adding an additional @domain.com to the FIM group email argument. It works this way.

  member_roles {
    email = "fimgroup1@domain.com@domain.com"
    type  = "group"
  }

dondon3345678 commented 3 years ago

Hi @VickyWinner Happy to hear that it's working now, let me close this issue.

VickyWinner commented 3 years ago

@dondon3345678 It is working through a workaround. Does that mean this is how it should be provided? Was that the way you tested too, by adding FIMgroup1@domain.com@domain.com, i.e. doubling the domain name?

dondon3345678 commented 2 years ago

Since you are seeing fimgroup1@domain.com | domain.com in the UI, that means you need to add this group in the double-domain-name format. I am not sure why the UI is showing this strange format; I saw this double-domain-name format even in the example I provided above.
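Putting the thread's two findings in one place (the dynamic block must reference `administrator_roles.value`, and the group email has to carry the vIDM domain twice), as an added example that is not the reporter's or the provider's own code; `var.vidm_domain` and the group names are assumed placeholders, and the project still needs the org/service roles granted to the group in IAM beforehand, as discussed above:

```hcl
# Constructed example: group short names come from one variable, the vIDM
# domain from another, and the "<group>@<domain>@<domain>" string that the
# thread found to work is built once in locals instead of being hand-typed.
variable "vidm_domain" {
  type    = string
  default = "domain.com" # assumed value
}

variable "administrator_groups" {
  type    = list(string)
  default = ["fimgroup1", "fimgroup2"] # constructed sample group names
}

locals {
  # A single "@domain.com" showed up as "fimgroup1 | domain.com" in the UI,
  # so the domain is appended twice, matching the working workaround.
  admin_group_emails = toset([
    for g in var.administrator_groups :
    "${g}@${var.vidm_domain}@${var.vidm_domain}"
  ])
}

resource "vra_project" "this" {
  name        = "test proj"
  description = "created via vra terraform provider"

  dynamic "administrator_roles" {
    for_each = local.admin_group_emails
    content {
      # .value is the email string; the bare iterator is an object and fails
      email = administrator_roles.value
      type  = "group"
    }
  }
}
```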