Specific approver for automation and service catalog item ordered

Hello,

Hello Guys,
I’m really happy since I first met ManageIQ.
We have a ManageIQ installation with 3000 VMs with AWX as external automation provider. We have already built catalog items that call Tower job templates. We configure the visibility of the catalog items that we want to expose to our internal customers with tags. Customers can then order catalog items to us (we are the default approver) by using the self service portal. What we need now is to associate a catalog item with a different approver. We basically want to allow customers to order a catalog item to another group, and let that group allow or reject that service. We also want that group to see only the requests for which the group is the approver and not all the service requests. How can we do that?

Thank you!!!

You might be able to achieve this using separate tenants, and put your groups in the various tenants. You can use tenant RBAC to achieve the separation.

Hope this helps,
pemcg

Thanks a lot pemcg for the reply.
I’ll try the changes you suggest.
What I am wondering, however, is whether this tenant and rbac policy is sufficient to ensure that some catalog items have the group that is the tenant owner as approver.
I ask because what I would like is that certain requests for catalog items (ordered through the self service portal) are seen in the service > request portal only by some particular groups and that they are approvers.

Anyway, thank you for the support!
Your advice and your book have always been inexhaustible sources of inspiration.

We are building a custom approval process that pulls the approver from a json file kept in GitLab.

based on the user’s cost center, which is extracted from their group name.

This is a great idea.
How can you do that? I mean, is it possible to reproduce your custom approval process in order to verify if this solution can fit our needs?

Thanks

@Riky90 Here’s a high-level description of the process.

In the UI (using Automate methods triggered by the service dialog):

  • parse the user’s group for one of the known cost centers.
  • use the rest-client gem to make a REST call to your git repository to retrieve a JSON object containing approver(s) by cost center.
  • parse the JSON to make it usable, extract the approver and present it in the UI.

AFTER the request is submitted, you have to do all of the above again because there is NO way to persist that information (unless you write it to a hidden field on the form).

It’s tricky to actually set the approver. Maybe I can give you more info later; I have meetings all day every day this week. Sry!
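
The lookup steps described in the post above, as an added example in Ruby that is not the poster's code. The cost-center pattern, the JSON layout and every name here are assumptions, and the JSON is a constructed sample standing in for the file retrieved from Git; the lookup fails closed, and `approver_allowed?` re-derives the approver after submission instead of relying on a value carried in the form.

```ruby
require 'json'

# Constructed sample; in the process above this text would come from the
# Git repository via a REST call (e.g. with rest-client).
SAMPLE_APPROVERS_JSON = <<~EOS
  {
    "CC1001": { "approvers": ["alice@example.com"] },
    "CC2002": { "approvers": ["bob@example.com", "carol@example.com"] },
    "CC3003": { "approvers": [] }
  }
EOS

# Assumed group naming convention, e.g. "netops-CC1001-users".
COST_CENTER_RE = /(?:\A|[-_])(CC\d{4})(?:[-_]|\z)/

class ApproverLookupError < StandardError; end

# Extract the cost center from a group name; reject anything not in `known`.
def cost_center_for(group_name, known)
  m = COST_CENTER_RE.match(group_name.to_s)
  raise ApproverLookupError, "no cost center in group #{group_name.inspect}" unless m
  raise ApproverLookupError, "unknown cost center #{m[1]}" unless known.include?(m[1])
  m[1]
end

# Parse the approver file, keeping only cost centers with at least one
# well-formed approver address so a malformed entry never yields an approver.
def parse_approver_map(json_text)
  data = JSON.parse(json_text)
  raise ApproverLookupError, 'approver file must be a JSON object' unless data.is_a?(Hash)
  data.each_with_object({}) do |(cc, entry), out|
    list = entry.is_a?(Hash) ? entry['approvers'] : nil
    next unless list.is_a?(Array)
    valid = list.select { |a| a.is_a?(String) && a.match?(/\A[^@\s]+@[^@\s]+\z/) }
    out[cc] = valid.uniq unless valid.empty?
  end
rescue JSON::ParserError => e
  raise ApproverLookupError, "approver file is not valid JSON: #{e.message}"
end

def approvers_for_group(group_name, json_text)
  map = parse_approver_map(json_text)
  map.fetch(cost_center_for(group_name, map.keys))
end

# Post-submission check: recompute from the requester's group, deny on any error.
def approver_allowed?(approver_id, requester_group, json_text)
  approvers_for_group(requester_group, json_text).include?(approver_id)
rescue ApproverLookupError
  false
end
```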

Hello Pemcg,
I did what you suggested and it works except for an important thing:
the catalog items that we offer are all Ansible playbooks provided by an external AWX automation provider and I can’t expose them with the user of the child tenant.
When I created tenants and implemented RBAC for segregation, I was not able to create a service catalog item (Ansible Tower kind) from the user of the child tenant
but I can create only “generic” kind of catalog items (picture 2b) that after creation are marked as owned by the child tenant.
The strange thing is that the child tenant user can see all job templates under the Automate > Ansible Tower page, but can’t see the provider itself (picture 4-5-6).
How can we solve this final problem?
Thanks a lot for your help!
I really appreciate it!!

Riccardo!

I normally create 2 types of user group per tenant - an admin equivalent with the role EvmRole-administrator, and a user equivalent with the role EvmRole-user (modified as required). The tenant administrators are then members of the appropriate admin group, and should be able to see the Tower provider and add the correct service catalog item types.

Alternatively you should be able to create the service catalog items as a Tenant 0 administrator, and specify which additional tenants can see the service, i.e.

pemcg