To change the parts of the server file system that workflows and the Orchestrator API can access, modify the js-io-rights.conf configuration file. The js-io-rights.conf file is created when a workflow tries to access the Orchestrator server file system.

If the js-io-rights.conf file does not exist on your system, you can create it manually with the default content. For more information, see Manually Create the js-io-rights.conf File.

Orchestrator has read, write, and execute rights to a folder named orchestrator, at the root of the server system. Although workflows have permission to read, write, and execute in this folder, you must create the folder on the server system.


Create the c:/orchestrator folder at the root of the Orchestrator server system.


Navigate to the following folder on the Orchestrator server system.



If you installed Orchestrator with the vCenter Server installer

Go to install_directory\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf.

If you installed the standalone version of Orchestrator

Go to install_directory\VMware\Orchestrator\app-server\server\vmo\conf.


Open the js-io-rights.conf configuration file in a text editor.


Add the necessary lines to the js-io-rights.conf file to allow or deny access to parts of the file system.

For example, the following line denies the execution rights in the c:/orchestrator/noexec directory:

-x c:/orchestrator/noexec

By adding the preceding line, c:/orchestrator/exec retains execution rights, but c:/orchestrator/noexec/bar does not. Both directories remain readable and writable.

You modified the access rights to the file system from workflows and from the Orchestrator API.