Scripting Object - VcHostAccessManager

Scripting object corresponding to: HostAccessManager
Attribute of: VcHostConfigManager

Scripting Object Description

Managed object used to control direct access to the host.

This should be used to control users and privileges on the host directly, which are different from the users and privileges defined in vCenter.

See vim.AuthorizationManager for more information on permissions.

Attributes

Name Type Description
id String @since Unknown
lockdownMode VcHostLockdownMode @since vSphere API 6.0
moref VcManagedObjectReference Returns the ManagedObjectReference of this ManagedObject. @since Unknown
sdkConnection VcSdkConnection @since Unknown
sdkId String @since Unknown
type String Deprecated. Returns the name for this managed object's vim type. @since Unknown
vimHost VcSdkConnection @since Unknown
vimId String @since Unknown
vimType String @since Unknown

Methods

Methods defined in this Scripting Object
_getRef, changeAccessMode, changeLockdownMode, createTrigger, queryDcuiAccess, queryLockdownExceptions, querySystemUsers, retrieveHostAccessControlEntries, updateDcuiAccess, updateLockdownExceptions, updateSystemUsers

updateSystemUsers

Update the list of local system users. The special users 'dcui', 'vpxuser' and 'vslauser' need not be specified. They are always reported in the list of system users.

@since vSphere API 6.0

Parameters

Name Type Description
arg0 String []


Return Value

Type Description
None

_getRef

@since Unknown

Parameters

Name Type Description
None

Return Value

Type Description
VcManagedObjectReference

updateDcuiAccess

Update the list of local users which are granted unconditional access to DCUI, even if their AccessMode on the host is not AccessMode#accessAdmin.

The list must contain at least one entry.

TODO: when this list has its own dedicated UI in NGC:

  • promote this method to an official API version.
  • deprecate the advanced option "DCUI.Access" by making it hidden first.
  • remove this TODO note.

@since vim unstable version

Parameters

Name Type Description
arg0 String []

Return Value

Type Description
None

createTrigger

@since Unknown

Parameters

Name Type Description
timeout Number
filter String
condition String
filterToSync String

Return Value

Type Description
Trigger

queryDcuiAccess

Get the list of local users which are granted unconditional access to DCUI, even if they don't have full-access administrator role on the host.

This is the same as the host advanced configuration option "DCUI.Access".

TODO: when this list has its own dedicated UI in NGC:

  • promote this method to an official API version.
  • deprecate the advanced option "DCUI.Access" by making it hidden first.
  • remove this TODO note.

@since vim unstable version

Parameters

Name Type Description
None

Return Value

Type Description
String []

querySystemUsers

Get the list of local system users.

These are special users like 'vpxuser', 'vslauser' and 'dcui', which may be used for authenticating different sub-components of the vSphere system and may be essential for its correct functioning.

Usually these users may not be used by human operators to connect directly to the host and the UI may choose to show them only in some "advanced" UI view.

@since vSphere API 6.0

Parameters

Name Type Description
None

Return Value

Type Description
String []

updateLockdownExceptions

Update the list of users which are exceptions for lockdown mode.

Usually these are user accounts used by third party solutions and external applications which need to continue to function in lockdown mode. It is not advised to add user accounts used by human operators, because this will compromise the purpose of lockdown mode.

Both local and domain users are supported. The format for domain accounts is "DOMAIN\login".

When this API is called while the host is in lockdown mode, the behaviour is as follows:

  • if a user is removed from the exceptions list, then the permissions of that user are removed.
  • if a user is added to the exceptions list, then the permissions of that user are restored.

@since vSphere API 6.0

Parameters

Name Type Description
arg0 String []

Return Value

Type Description
None

retrieveHostAccessControlEntries

Retrieve access entries. Returns a list of AccessEntry objects for each VIM user or group which has explicitly assigned permissions on the host. This means that AccessMode#accessNone will not be present in the result.

@since vSphere API 6.0

Parameters

Name Type Description
None

Return Value

Type Description
VcHostAccessControlEntry []

queryLockdownExceptions

Get the list of users which are exceptions for lockdown mode. See updateLockdownExceptions.

@since vSphere API 6.0

Parameters

Name Type Description
None

Return Value

Type Description
String []

changeAccessMode

Update the access mode for a user or group.

If the host is in lockdown mode, this operation is allowed only on users in the exceptions list (see queryLockdownExceptions); trying to change the access mode of other users or groups will fail with SecurityError.

@since vSphere API 6.0

Parameters

Name Type Description
arg0 String
arg1 Boolean
arg2 VcHostAccessMode

Return Value

Type Description
None

changeLockdownMode

Changes the lockdown state of the ESXi host.

This operation will do nothing if the host is already in the desired lockdown state.

When the host is in lockdown mode it can be managed only through vCenter and through DCUI (Direct Console User Interface) if the DCUI service is running. This is achieved by removing all permissions on the host, except those of the exception users defined with updateLockdownExceptions.

In addition, the permissions for users 'dcui', 'vpxuser' and 'vslauser' are always preserved.

When lockdown mode is disabled, the system will try to restore all permissions that were removed when lockdown mode was enabled. It is possible that not all permissions are restored, and this is not an error, e.g. if in the meantime some user or managed object was deleted.

It may be possible that after exiting lockdown mode the only permissions on the host will be those of users 'dcui' and 'vpxuser'. This will render the host unmanageable if it is not already managed by vCenter, or if the connection to vCenter is lost. To prevent this, the users in the "DCUI.Access" list will be assigned Admin roles.

While the host is in lockdown mode, some operations will fail with SecurityError. This ensures that the conditions for lockdown mode cannot be changed. For example, changing the access mode is allowed only for users in the exceptions list.

When the host is in lockdown mode, changing the running state of service DCUI through vim.host.ServiceSystem will also fail with SecurityError accompanied by an appropriate localizable message.

@since vSphere API 6.0

Parameters

Name Type Description
arg0 VcHostLockdownMode

Return Value

Type Description
None
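
Added example, not part of the original reference and not VMware code: a read-only review, in JavaScript, of the lists returned by queryLockdownExceptions and queryDcuiAccess against an approved list. The policy object shape, the name-comparison rule and the stub host are assumptions of this example.

```javascript
// Added example (not VMware code): read-only review of a host's lockdown
// exception and DCUI.Access lists, using only methods documented on this page.

// Assumption: "DOMAIN\login" names compare case-insensitively, local names exactly.
function canonical(user) {
  return user.indexOf("\\") >= 0 ? user.toLowerCase() : user;
}

// Null-prototype set, so names such as "toString" never match by accident.
function toSet(users) {
  var set = Object.create(null);
  users.forEach(function (u) { set[canonical(u)] = true; });
  return set;
}

// mgr: object exposing queryLockdownExceptions(), queryDcuiAccess(), lockdownMode.
// policy (hypothetical shape): { exceptions: [...], dcuiAccess: [...] }
function reviewHostAccess(mgr, policy) {
  var okExceptions = toSet(policy.exceptions);
  var okDcui = toSet(policy.dcuiAccess);
  var report = { lockdownMode: mgr.lockdownMode, findings: [], proposedExceptions: [] };

  (mgr.queryLockdownExceptions() || []).forEach(function (user) {
    if (okExceptions[canonical(user)] === true) {
      report.proposedExceptions.push(user);
    } else {
      report.findings.push("unapproved lockdown exception: " + user);
    }
  });

  var dcui = mgr.queryDcuiAccess() || [];
  if (dcui.length === 0) {
    report.findings.push("DCUI.Access list is empty");
  }
  dcui.forEach(function (user) {
    if (okDcui[canonical(user)] !== true) {
      report.findings.push("unapproved DCUI.Access user: " + user);
    }
  });
  return report; // read-only: nothing on the host is changed
}

// Constructed stub standing in for a host's VcHostAccessManager.
var sampleHost = {
  lockdownMode: "lockdownNormal", // constructed value
  queryLockdownExceptions: function () { return ["CORP\\svc-backup", "alice"]; },
  queryDcuiAccess: function () { return ["root"]; }
};
var samplePolicy = { exceptions: ["corp\\SVC-Backup"], dcuiAccess: ["root"] };
```

The proposedExceptions array is the list a reviewer would pass to updateLockdownExceptions. As described above, doing so while the host is in lockdown mode removes the permissions of every user dropped from the list.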