vCloud Director version 9.1 introduced the ability to easily create custom services and display them in the new user interface as tiles under Service Library. The services are created in vRealize Orchestrator as workflows and then presented to tenants or system administrators with simple categorization.
The screenshot below shows the Service Library with Backup and User Management categories and some services that I created for demonstration.
The actual feature is not very well documented so I will show on one simple (but useful) example how to implement it.
I am going to create Change LDAP Password service tile. While vCloud Director UI allows changing passwords for local users, users that are imported from integrated LDAP cannot change their password via vCloud Director UI so adding such service actually makes sense.
- Set up vRealize Orchestrator: as system admin log in into the provider H5 UI (https://<vcd-UI>/provider) and set up connection to external vRealize Orchestrator server (that obviously must be installed and configured first). Note that for this example we will not need any custom plugins. Content Libraries > Library Administration > Service Management > vRO Servers
- Set up Service Categories in the next menu.
- Make sure that users have access to the Service Library. This is controlled with new rights under section Additional Services. I have added all three rights to the global Organization Administrator role and also to all existing organizations. You can obviously add them to also less privileged roles. This must be done via vCloud API.
- Prepare the workflow in the vRealize Orchestrator (vRO). I assume the reader already knows how to create generic vRO workflows so I will not go into too much detail. You must configure the built in Microsoft Active Directory plugin with the Add an Active Directory server configuration workflow.
- In very high level, the workflow execution will consist of the following steps:
- Presentation window to collect Password and confirmPassword values and compare them for validation. Note that I did not succeed using SecureString variables (vCloud Director seems to not support them) and had to use simple string type which results in password being visible on the screen.
- Next we will get some custom properties from vCloud Director. You can use four of them: _vcd_orgName, _vcd_orgId, _vdc_userName (sic!) and _vdc_isAdmin (sic!!). In my Active Director I have the following OU structure for each org:
Each vCloud Director organization has its own OU under VCD organization unit. The OU name matches the Organization name.
To get the custom properties you need to create custom action (in my case Load VCD Inputs with the following script):
As can be see from above screenshot, I only need _vcd_orgName to find the OU and _vdc_userName to find the user account in AD. - The next step is built in getOrganizationUnitFromOrganizationUnit action that can be found under com.vmware.library.microsoft.activeDirectory. As inputs I am supplying value equal to the container of my parent (VCD) OU and the org name as string. The output is the organization OU.
- Now we can find the user object based on org OU and username string. This is done with getUserFromContainer action (again from com.vmware.library.microsoft.activeDirectory).
- As mentioned in the beginning I was forced to use String type variable for the password, but the change password action requires Secure String. This simple action will provide the conversion.
- The last step is to change the password with setUserPassword action (found in com.vmware.library.microsoft.activeDirectory).
- Now we can save the workflow and give it a proper description that will be visible to tenants.
- Back in vCloud Director we can now in the provider UI import the workflow into Service Library. This is done at: Content Libraries > Services > Service Library > Import. Simple wizard will ask for target library (category), source vRO and the workflow.
- Once a workflow is imported it can be Published to system admins, all or subset of tenants. Find the workflow tile and select Manage.
That is all. Test as tenant logged in with LDAP account in the new H5 UI.
Observe and troubleshoot the workflow execution in vRO.
Tom Fojta's Blog 
This is awesome! Thanks for sharing!
Would it be possible for you add a few screenshots of what it looks like when a customer executes the service from vCD? I think that would add icing to the cake.
Sure. Added screenshot at the end of the article.
Works great! Thanks!
Hi Tomas, Thanks for sharing, especially the Customer Properties. Are there any others? I cant seem to find any information abut them. I was hoping that there was a parameter for the vCD host. We have several datacentres and each has its own vCD so to have a single workflow that i can use in all DCs i need to know the host that sent the request.
Thanks
Only four at the moment: https://docs.vmware.com/en/vCloud-Director/9.1/com.vmware.vcloud.spportal.doc/GUID-024B3517-EB84-460A-A048-58E1ED7469F3.html
Thanks, are these available to use for presentation validation and predefined list of elements? I am getting null when using var org = System.getContext().getParameter(“_vcd_orgName”); in an action that returns a list of VDCs that the org has.
As current workaround you might create individual service accounts for each vCD, and use the different accounts when configuring vRO into vCD.
Then you can use Server.getRunningUser() (or getCredential()) within the workflow to get the user that’s used (this service account that’s used by vCD to start the workflow) to start the workflow.
Additional benefit: the user field is also shown in the workflow token and event lists in the client, gives you a nice overview of which user (so which vCD) started what execution…
The getContext() unfortunately is not available in the actions that are used for input presentation, as these actions are run before the actual workflow is being kicked off. So at that time there is no workflow execution context yet.
That’s a limitation of vRO I think.
But I totally agree that this would be super helpful, to allow the creation of “tenant aware” input form logic.
Hi, thanks joerglew for the idea, using a site based user for the vcd-vro integration user works a treat. Thats one step closer!
Ian..
On 9.1 vCloud I could only request GET https://vcdfqdn/api/admin/org//rights using API version 27.0.
Using other API does not list the RightReference you will only receive one line of XML
Will this still work if vCenter and vCloud Director are on completely different, not-federated AD domains? If so, are any of the steps different? We have our vCenter on a “management” AD domain and vCloud on a “client” AD domain. We currently do not have vRO deployed, so if that changes how we’d setup vRO, that would be good to know. Thanks!
Yes. vRO needs access to AD used by VCD for tenants.
Hi- this seems very useful! Can the service library items be called via the vCloud API as well, by users, programmatically? Essentially launching vRO workflows via vCD? Thanks
Yes, via OpenAPI: https://vdc-download.vmware.com/vmwb-repository/dcr-public/772aa4c5-7e61-4d80-8432-b8e0d821c969/2747ec83-6aef-4560-b1d1-55ed9adc4e73/vcd-openapi-docs.html#api-VroWorkflowExecution-startWorkflowExecution
Hi Tomas, I have been trying to do something similar, for local users. 9.7 says that secureString is a valid type. I have a form with 2 secureStrings for password and repeat password, in the code i convert these to string and compare them, but they are never the same, even when i pasted the values. does 9.7 really allow securestring and if so, do i need to do anything to be able to use it?
Thanks
Ian.
Happen to have any experience or knowledge if you can let a tenant manage their OU for tasks like add users to a group, remove users from a group, create or modify users accounts like disable them, update email address etc etc? I run a SaaS style environment and I’ve had a hard time finding something that would allow a tenant some self service. I would also need to check group membership on a user add and make sure they have been removed from for example Default Group if being added to Default Plus group or vice versa. It would be nice to get a drop down of users and groups within an OU for those types of tasks unless a list view could be used. I have no experience with vRO other than having installed it and hooked it into vCD but nothing more has been done so I’m open to consulting work if anyone is can achieve what I’m trying to do, thanks.
Check this out: https://github.com/groupe-sii/lumext
This looks very promising, thank you
Hi Chad. For SaaS style or provider environment I’d recommend you to definitely look at offering vRO based services in XaaS fashion. vCD 9.7 onwards provides excellent and strong integration opportunities where you can expose any services to users via vCD service library, either via the portal, or the API. Unless you are looking at LDAP only in which case LUMExt is great. With vRO you can create and expose virtually any service – storage, backup, service desk requests, management etc
That is exactly what I have in mind using the service library, I want to see if I can use vRO with vCD to do other tasks like stop and start services and restore databases like Live over Pilot. I’ve looked at so many service provider portals but nothing really hit the mark or are so Windows centric it just didn’t work in my design and having clients depend on me for things that would take them 10 seconds after they realize there is an issue is ideal because a 2 hour turn around with back and forth Email against a service desk isn’t ideal when it could have been handled by the client within a couple minutes and made even easier with a button click in vCD library.
Tom,
Do you have a resource suggestion for building the workflow itself? I’m completely unfamiliar with building workflows, so I can basically do everything above except the numbered steps.
Thanks.
https://www.vcoteam.info/articles/learn-vco.html