After upgrading to VCF Orchestrator 9.0.2 (formerly VMware Aria Orchestrator), users assigned the Workflow Designer role may find they only have read-only access to workflows. You are unable to edit or execute workflows you previously managed.

Symptoms:

• Users see a "Read-Only" banner or lack Edit and Run buttons in the Orchestrator Client.
• Promoting the user to a full Administrator role resolves the issue, but downgrading back to Workflow Designer returns them to read-only status.
• The issue persists even if you are the owner of the workflow.

• Product: VCF Orchestrator 9.0.2
• Upgraded From: VMware Aria Orchestrator (vRO) 8.x

This behavior occurs because you are assigned multiple roles that conflict. Orchestrator roles follow a "most restrictive" logic for non-admin accounts. If you are assigned both the Workflow Designer (Developer) role and the Viewer role (either directly or via group membership), the Viewer role takes precedence, restricting you to read-only access.

To resolve this issue, you must remove the restrictive Viewer role from your account or your associated groups:

1. Log in to the VCF Orchestrator Client as an Administrator.
2. Navigate to Administration > Users and Groups.
3. Search for your user account and identify all Identity Provider groups you are a member of.
4. Check the roles assigned to each of those groups.
5. Remove the Viewer role from any group that you belong to.
6. Ensure you belong to a group assigned the Workflow Designer role.
7. Log out and log back in to refresh your session permissions.

• Administrator role: Bypasses all ACLs and restrictive roles.
• Workflow Designer (Developer): Allows viewing, creating, and running workflows.
• Viewer: Strictly limits you to viewing only.
• If you require both Administrator and Viewer roles for different contexts, the Administrator role will override the Viewer restriction.