Property Toolkit Pre Approval Policy - workflows - 403 error


Failed execution of the "Property Toolkit Pre Approval Policy - Reservation Policy" (or Network Profiles, Disks, or DataCenter Collection) workflows when using SovLabs approval policy. Actual error as follows:

(com.sovlabs.approvalpolicies/getMachinePropertiesForPreApproval) Error in (Dynamic Script Module name : getMachinePropertiesForPreApproval#24) Response object not returned. ERROR: InternalError: 403 (Dynamic Script Module name : getMachinePropertiesForPreApproval#20)


This is caused by the lack of rights to the Entitlement containing the Approval Policy in the Tenant. This is typically because the Entitlement did not include access for the Service Account.

Affected Versions

  • Plugin version 2020.x - when the Property Toolkit Pre-Approval Workflows were introduced as a feature. 

Workaround or Solution


The fix is to ensure the Account that is assigned to the vRA Host (CAFE Host) in vRO is a member of Users or Groups on the Entitlement in vRA.

Check vRA Host configuration in vRO

  1. Open the vRO Java Client, Navigate to the Inventory Tab.
  2. Click on the "vRealize Automation" item, and expand. Select the Host connection that is "shared" for the tenant name where the Approval Policy Entitlement was granted. 
  3. Note the Username of the account.

Grant access to user account on vRA Entitlement

  1. As a Tenant Administrator. Log into the vRA instance. Navigate to Administration > Catalog Management > Entitlements. 
  2. Select the Entitlement given the SovLabs Approval Policy. Click 'Edit'
  3. On the General Tab, Under "User & Groups" add the username or a Custom Group the username belongs to.

Additional information

Plugin Configuration process here:

Have more questions? Submit a request


Please sign in to leave a comment.