So why combine those two in one article?
The former is really needed to make the latter more … convenient.
Without emails approvals can be cumbersome – at least for the approver.
Here I will demo approval policies based on price and imagine you need the approval of a CFO / CIO – the last you want him to do (which I am sure would delay approvals for God knows how long) is them having to login to the portal to approve requests.
Email is the way to go – this way they can do that from their Blackberry (do they still exist?)
Anyway, let’s get started.
First, here you can see I have three email accounts.
- This is the mailbox vRA will use to send and receive approval requests between user and approver. In fact, you wouldn’t / shouldn’t really have it configured in an email client to being with to avoid approvals ‘getting lost’ – but this is to illustrate what really happens from the flow-point-of-view
- vRA Admin – God who rules them all … He will approve requests
- Monkey with the spanner .. or rather mouse .. asking for stuff
First we need an Incoming and Outgoing email server. The incoming server is used for things like approvals. vRA will read the inbox (via IMAP) and when there are approvals outstanding – does with them whatever it needs to.
Outgoing server is for things like notifications etc. These servers can be configured by a Tenant Admin – overwriting the Global setting …
… or as mentioned – globally. Which I will do here. Login as System Administrator to the default Tenant vsphere.local
Select Email Servers. Click New
Select Email – Inbound
Enter your email details and click Test Connection. Ensure the test was successful. As I said, here I am using firstname.lastname@example.org. Emails sent to the approver will come from this email address and will respond to (with the respective responses)
Repeat the process with Email – Outbound
Now log into the portal as an admin again – time to created those approval policies.
One note regarding notifications.
Make sure notifications are enabled on the users 🙂
Now navigate to Administration > Approval Policies
Now create a new policy. Here I create one of type Service Catalog – Catalog Items Request – Virtual Machine
Here give it a name and set the status to Active. Here I will configure a Pre Approval policy. The difference is that POST approvals are sent to the approver after the deployment has finished. This can be helpful for staging deployments.
So once the approver gives his stamp – the deployment is ‘unlocked’ for the user.
Here though I don’t want anything to happen until there is an approval. Imagine being a Service Provider under VSPP. As soon as the VM is on, you are being billed by VMware – so I need to avoid that.
First give it a name and set the approver – here my admin.
Tick Required based on conditions under When is approval required?
Here you can see that a Blueprint of mine costs £2.29 / day
So here I select Cost as condition
Here you can see I configured an approval requirement when the cost is > £2
So it should trigger that by default essentially.
You can also see a tab for custom properties. Whether they make sense or no, is a different story, but here you can see a real customer’s requirement. The approver had to set the network details as they did not have any automated DNS / IPAM solution
Anyway, back to cost. Here I want vra-admin to approve any request which costs more than £2 / day – which effectively is any request
Click OK twice. One thing to note – once saved – for (hopefully) obvious reasons – policies cannot be changed. You will have to delete / re-create them. All to do with security / audit stuff I believe.
Next we need to attach the approval policy to an entitlement.
Under Catalog Management > Entitlements, select your entitlement which contains the blueprints you want to attach to said approval policy
Here you can see that I have entitled the services only – which is inherited down to the blueprints. However, my approval policy isn’t based on a service, but machine. So I cannot select a policy here.
Under Entitled Items click “+”
Now tick the Blueprint in question .. BUT OH NO – no policy
Again remember, the policy is based on machine – this is a blueprint. Select Show All
Now you should be able to select the newly created policy
The policy should now be attached to the Blueprint
Time to test.
As user I now request a Blueprint costing more than £2 / day
You can now see the request is Pending Approval
Let’s jump into the inbox of the approver – vRA Admin
The admin has now an option to either decline or approve the request
Assuming the user has notifications enabled – he should get an email about the request
As mentioned – without email the admin relies on the portal to approve or reject requests
When the admin now clicks the Approve link in the email – you can see that it will send an email to the approver mailbox – not the admin – but the system mailbox configured
vRA will now monitor the inbox – here the mail is still unread.
The message eventually disappears.
This is because I have specified that emails should be deleted once processed – see Inbound Server settings
The user will now get an email that the request has been Approved
And again, good to see that notifications have worked – as you can see the request here failed
This is unrelated to the approval though 😀
May have played with … stuff … in the meantime …
Anyway, you can see why it might be a bad idea to setup the approvals mails box (system mailbox) in someone’s mail client.
You can end up with mails getting lost / deleted / read etc., essentially breaking the approval process and the admin then either needs to restore said mail or jump back onto the portal.
Oh, and that is what the approval process looks like from the portal
If you want to change the look of those emails – have a look HERE.