This should be used to control users and privileges on the host directly, which are different from the users and privileges defined in vCenter.
See AuthorizationManager for more information on permissions.
Properties
Name | Type | Description |
---|---|---|
lockdownMode | HostLockdownMode | Current lockdown state of the host. |
Methods
Methods defined in this Managed Object |
---|
ChangeAccessMode, ChangeLockdownMode, QueryLockdownExceptions, QuerySystemUsers, RetrieveHostAccessControlEntries, UpdateLockdownExceptions, UpdateSystemUsers |
ChangeAccessMode
If the host is in lockdown mode, this operation is allowed only for users in the exceptions list (see QueryLockdownExceptions); attempting to change the access mode of any other user or group fails with SecurityError.
Parameters
Name | Type | Description |
---|---|---|
_this | ManagedObjectReference | A reference to the HostAccessManager used to make the method call. |
principal | xsd:string | The affected user or group. Since vSphere API 6.0 |
isGroup | xsd:boolean | True if principal refers to a group account, false otherwise. Since vSphere API 6.0 |
accessMode | HostAccessMode | The AccessMode to be granted. AccessMode#accessOther is meaningless here and results in an InvalidArgument exception. Since vSphere API 6.0 |
Return Value
Type | Description |
---|---|
None |
Faults
Type | Description |
---|---|
AuthMinimumAdminPermission | Thrown if this change would render the ESXi host inaccessible for local non-system users. The API ChangeLockdownMode may be used instead. |
RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
UserNotFound | Thrown if the specified user is not found. |
Events
Type | |
---|---|
None |
ChangeLockdownMode
This operation does nothing if the host is already in the desired lockdown state.
When the host is in lockdown mode it can be managed only through vCenter, and through the DCUI (Direct Console User Interface) if the DCUI service is running. This is achieved by removing all permissions on the host except those of the exception users defined with UpdateLockdownExceptions.
In addition, the permissions of the users 'dcui' and 'vpxuser' are always preserved.
When lockdown mode is disabled, the system tries to restore all permissions that were removed when lockdown mode was enabled. Not all permissions may be restorable, and this is not an error, e.g. if some user or managed object was deleted in the meantime.
It is possible that after exiting lockdown mode the only permissions on the host are those of the users 'dcui' and 'vpxuser'. This would render the host unmanageable if it is not already managed by vCenter, or if the connection to vCenter is lost. To prevent this, the users in the "DCUI.Access" list are assigned the Admin role.
While the host is in lockdown mode, some operations fail with SecurityError. This ensures that the conditions for lockdown mode cannot be changed; for example, the access mode can be changed only for users in the exceptions list.
When the host is in lockdown mode, changing the running state of the DCUI service through HostServiceSystem also fails with SecurityError, accompanied by an appropriate localizable message.
Parameters
Name | Type | Description |
---|---|---|
_this | ManagedObjectReference | A reference to the HostAccessManager used to make the method call. |
mode | HostLockdownMode | The new desired lockdown mode. If this is the same as the current lockdown mode state, the operation silently succeeds and nothing is changed. If this is LockdownMode#lockdownDisabled, lockdown mode is disabled and the system starts the DCUI service if it is not running. If this is LockdownMode#lockdownNormal, lockdown mode is enabled and the system starts the DCUI service if it is not running. If this is LockdownMode#lockdownStrict, lockdown mode is enabled and the system stops the DCUI service if it is running. Since vSphere API 6.0 |
Return Value
Type | Description |
---|---|
None |
Faults
Type | Description |
---|---|
AuthMinimumAdminPermission | Thrown if the user invoking the operation is not in the exceptions list - see QueryLockdownExceptions. |
RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
Events
Type | |
---|---|
None |
QueryLockdownExceptions
Parameters
Name | Type | Description |
---|---|---|
_this | ManagedObjectReference | A reference to the HostAccessManager used to make the method call. |
Return Value
Type | Description |
---|---|
xsd:string[] | The list of users which will not lose their permissions when the host enters lockdown mode. |
Faults
Type | Description |
---|---|
RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
Events
Type | |
---|---|
None |
QuerySystemUsers
These are special users such as 'vpxuser' and 'dcui', which may be used to authenticate different sub-components of the vSphere system and may be essential for its correct functioning.
These users are usually not meant for human operators connecting directly to the host, and a UI may choose to show them only in an "advanced" view.
Parameters
Name | Type | Description |
---|---|---|
_this | ManagedObjectReference | A reference to the HostAccessManager used to make the method call. |
Return Value
Type | Description |
---|---|
xsd:string[] | The list of local system users. |
Faults
Type | Description |
---|---|
RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
Events
Type | |
---|---|
None |
RetrieveHostAccessControlEntries
Parameters
Name | Type | Description |
---|---|---|
_this | ManagedObjectReference | A reference to the HostAccessManager used to make the method call. |
Return Value
Type | Description |
---|---|
HostAccessControlEntry[] | A list of AccessEntry objects. |
Faults
Type | Description |
---|---|
RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
Events
Type | |
---|---|
None |
UpdateLockdownExceptions
These are usually user accounts used by third-party solutions and external applications that need to continue functioning in lockdown mode. Adding user accounts used by human operators is not advised, because it defeats the purpose of lockdown mode.
Both local and domain users are supported. The format for domain accounts is "DOMAIN\login".
When this API is called while the host is in lockdown mode, the behaviour is as follows:
Parameters
Name | Type | Description |
---|---|---|
_this | ManagedObjectReference | A reference to the HostAccessManager used to make the method call. |
users* | xsd:string[] | The new list of lockdown mode exceptions. Since vSphere API 6.0 |
Return Value
Type | Description |
---|---|
None |
Faults
Type | Description |
---|---|
AuthMinimumAdminPermission | Thrown if the user invoking the operation is not present in the new list of exceptions. |
RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
UserNotFound | Thrown if one of the specified users is not found. |
Events
Type | |
---|---|
None |
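As an added example (not part of the VMware reference and not pyVmomi code), a Python pre-flight check that applies the rules documented for ChangeLockdownMode and UpdateLockdownExceptions above to values a host would return; the AccessEntry class, the constructed inputs in the test and the pyVmomi access path named in the docstring are assumptions.

```python
"""Pre-flight checks for ChangeLockdownMode and UpdateLockdownExceptions. Inputs mirror
lockdownMode, QueryLockdownExceptions() and RetrieveHostAccessControlEntries() on a live
host (for example via pyVmomi's host.configManager.hostAccessManager, an assumed path)."""
from dataclasses import dataclass

LOCKDOWN_MODES = ("lockdownDisabled", "lockdownNormal", "lockdownStrict")
ALWAYS_PRESERVED = {"dcui", "vpxuser"}  # their permissions survive lockdown mode

@dataclass
class AccessEntry:  # principal and accessMode of a HostAccessControlEntry (assumed shape)
    principal: str
    access_mode: str  # HostAccessMode value, e.g. "accessAdmin"

def plan_lockdown_change(current, new, caller, exceptions, entries):
    """Return (ok, findings) for a proposed ChangeLockdownMode(new)."""
    if new not in LOCKDOWN_MODES:
        raise ValueError(f"unknown HostLockdownMode: {new}")
    if current == new:
        return True, ["no-op: host already in the requested mode"]
    findings = []
    # Per the fault table only an exception-list caller may change lockdown state.
    if caller not in set(exceptions) | ALWAYS_PRESERVED:
        findings.append(f"blocked: '{caller}' is not an exception (AuthMinimumAdminPermission)")
        return False, findings
    if new == "lockdownStrict":
        findings.append("DCUI service will be stopped: vCenter becomes the only management path")
    elif new == "lockdownNormal":
        findings.append("DCUI service will be started if not running")
    else:
        findings.append("DCUI service will be started; removed permissions restored where possible")
    admins = {e.principal for e in entries if e.access_mode == "accessAdmin"}
    for user in exceptions:  # an exception with nothing to preserve is a misconfiguration
        if user not in admins | ALWAYS_PRESERVED:
            findings.append(f"warning: exception '{user}' has no Admin entry to preserve")
    return True, findings

def validate_exception_update(caller, new_users):
    """Problems that would make UpdateLockdownExceptions(new_users) fail; [] means safe."""
    problems = []
    if caller not in new_users and caller not in ALWAYS_PRESERVED:
        problems.append("caller missing from new list (AuthMinimumAdminPermission)")
    for user in new_users:
        if not user or user != user.strip():
            problems.append(f"malformed principal {user!r}")
        elif user.count("\\") > 1:  # domain accounts are written DOMAIN\login
            problems.append(f"bad domain account format {user!r}")
    for dupe in sorted({u for u in new_users if new_users.count(u) > 1}):
        problems.append(f"duplicate entry {dupe!r}")
    return problems
```

Run both checks before the live calls: a False from plan_lockdown_change or a non-empty list from validate_exception_update means the change would either fault or lock the caller out of the host.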
UpdateSystemUsers
Parameters
Name | Type | Description |
---|---|---|
_this | ManagedObjectReference | A reference to the HostAccessManager used to make the method call. |
users* | xsd:string[] | The new list of local system users. Since vSphere API 6.0 |
Return Value
Type | Description |
---|---|
None |
Faults
Type | Description |
---|---|
RuntimeFault | Thrown if any type of runtime fault is thrown that is not covered by the other faults; for example, a communication error. |
UserNotFound | Thrown if one of the specified users is not found. |
Events
Type | |
---|---|
None |