Hello - Let me start by explaining the environment and then the situation. We are on BSA 8.2 SP3 and have a vCenter server hooked up to BSA. The application servers are RHEL 5.5 with the database being SQL Server (2008 STD) on a Windows 2008 cluster. The vCenter server is 5.0 and has the latest RSCD agent installed and the latest "VMware vCenter Server" configuration objects have been pushed to it using a DCO job.
We are able to generate virtual guest packages (VGPs) based off of a vmware template and also create and run the virtual guest job (VGJ) derived from the VGP. This works great as either a role that has the authorizations to do this or in the BLAdmins role. The VM is created as expected.
However we would like to provide other roles access to this VGJ in order to execute it only; without allowing them to make any changes to the VGJ. In other words, one or more roles are the creator of these VGPs and VGJs with another role(s) being the consumer of them.
Our RBAC setup is utilizing ACL policies for most everything except for the situations where a specific authorization is warranted. Each role has it's own ACL policy. The creating roles appear to be fine in terms of what authorizations are assigned: the role can create, edit, execute, etc. without issue. The consuming role in this case has the following authorizations courtesy of the role's ACL policy:
When the consuming role attempts to execute or even open the VGJ, the error.png (attached) is received.
The VGP and VGJ in question both have the consuming role's ACL policy applied (with the authorizations mentioned above). I even added the specific authorizations to the VGJ and VGP but that did not resolve it.
I have ISS04102659 opened with BMC support to address, but we haven't found anything definitive yet as to what is causing it.
Has anyone run into this before? I am wondering if it's our RBAC setup, how the VGP and VGJ are generated, or even a potential bug in BSA.
That ticket has a bunch of information on it, for those that are able to get to that info. I attached some of the pertinent items here though.
Additionally in working with support yesterday I was asked to take a look at the effective permissions as the consuming role. I ran into a similar, but different error, when attempting to do that. I was able to pull up the effective permissions as BLAdmin. These are attachments ISS04102659_20130408.docx and ISS04102659_20130408_stackTraces.txt.
Thanks in advance!
Using the search functionality within BSA, I happened to pull up even the hidden BLPackages behind the scenes when searching the depot for the VGP. I found the same object referenced in the error message but it's a BLPackage not a virtual guest package per what the error is stating. I went ahead and set the consuming role's ACL policy and also the specific authorizations on this hidden BLPackage but that did not resolve the issue either.