vRealize Orchestrator allows you to configure permissions for users in your authentication domain to access your vRO deployment with different types of access. While you might want administrators to access your workflows from the vSphere Web Client sometimes there will still be users that need access with the vRO client. One example is a group of developers that you only want to allow access to one or just a few folders in your vRO environment.
To assign permission to users I expect that most customers will want to use Active Directory user accounts for this purpose. Therefor I first explain how your Platform Services Controller can be integrated with an AD Domain. But first let's have a look at the Authentication Provder information in the vRealize Orchestrator Control Center. (Accessible at https://your-vro-server:8283/vco-controlcenter)
In the image below you can see that my vRO server uses my platform services controller (psc01.vmwarebits.local) with the default vSphere.local domain. But because I have integrated the PSC with AD it is also possible to use users from AD to authenticate to vRO.
Adding the Platform Services Container to AD
Log in to the vSphere Web Client with an administrative account and navigate to Home - Administration - System Configuration. From here you can access the configuration of your PSC-node(s). If you have an external PSC it will be a separate node. If you have an embedded deployment with PSC and vCenter in one appliance then it would be only one node. On the PSC node under the manage tab you find the option to add the Platform Service Controller to your AD Domain.
After configuring this you must restart the PSC appliance. (Restart the VM or navigate to the appliance management interface on port 5480 (https://your-psc:5480).
Next access the Single Sign On configuration to add your Active Directory Domain as an Identity Source. Because you have integrated the PSC with the domain you can choose to use the Integrated with Windows option, which is simpler than the LDAP-option.
Adding Permissions to vRealize Orchestrator
Now that the integration with AD has been taken care you can add permissions for Active Directory groups to the vRO configuration.
vRO only allows the configuration of permissions for groups, not for individual users.
It is important to first configure at least view-permissions at the top-level of your vRO inventory. To do that right-click the top-most object and select Edit Access rights.
The edit dialog let's you search for AD groups to add those for the permissions View, Inspect, Execute, Edit and Admin. (These permissions are explained in the vRealize Orchestrator Documentation.)
With these basic permissions set users that belong to the AD group you have specified can login to vRO and execute workflows. In my examle I have configured View, Inspect and Execute rights, but you can also configure just View-permissions and then only allow Execute-rights or Edit-rights on a lower level.
In the screnshot below you see an example of a developers-group that has Edit-access on just one folder in the inventory.