{"message":"forbidden","statusCode":403,"errorCode":0,"serverErrorId":"uuid","documentKind":"com:vmware:xenon:common:ServiceErrorResponse"}
Non-admins, domain users included, consistently receive HTTP 403 responses.
The workflow may fail at any point in the deployment process if it updates InputProperties during the workflow run.
The plugin is confirmed working when tested with admin credentials and the “Shared Session” configuration.
VMware Aria Automation 8.14 and above
VMware Aria Automation Orchestrator 8.14 and above
Note: For Orchestrator in an external standalone configuration, this applies when Orchestrator is configured to use Automation as an authentication source.
This issue occurs due to a mismatch between user permissions and the session mode configured for the Aria Automation host connection in Orchestrator.
In Per User Session mode, workflows run under the context of the logged-in user. Domain users without the necessary permissions in vRA (such as Orchestrator Administrator) will fail certain API and workflow operations.
Without Shared Session mode, non-admin users lack the privilege elevation needed to complete privileged workflow tasks.
Log in to Aria Automation Orchestrator as an Orchestrator Administrator.
Run the Add Aria Automation Host workflow.
Set the Session Type to Shared Session.
Authenticate using a System Directory service account (e.g., configadmin) that has administrative permissions in:
Aria Automation Orchestrator
Aria Automation Assembler
Aria Automation Service Broker
After successful connection, update any workflow inputs or Configuration Elements in your workflows to reference the newly created VRA:Host object tied to this shared session.