VMware Cloud Foundation Operations API Operations Index

Performing a GET /api/actiondefinitions call will query for
available Actions defined in the system. This includes the data needed
to populate an Action in the system.

Performing a POST /api/actions/{id} will attempt to trigger the
action with specified id. It is considered a best practice to use the actionExecution field from the
POST /api/action/{id}/query that has been previously executed to populate
the body of the request. Please note that additional values may be required in order to make
the populateAction response body valid.

The response contains information about the action status by the given taskId

Get Adapter Types identified by the specified identifiers or all if 'null' is specified

Get a specific Resource Kind supported by a specific Adapter Kind

Get details for resource identifiers, with provided adapter kind and resource kind.

Supports optional parameters to get specific Resource Type Properties

Optionally filter these resources based on resource name. The resource name (specified as a query parameter) will be used for doing a partial match. However, if the resource identifiers and their values are specified, name is ignored and the API enforces all the mandatory (both uniquely identifying and required) identifiers are specified. This allows for looking up a single resource using a ResourceKey and allows the translation between a ResourceKey and a Resource UUID.

Example how to use the identifiers parameter (currently it cannot be used in our Swagger documentation):
/api/adapterkinds/{adapterKindKey}/resourcekinds/{resourceKindKey}/resources?identifiers[key1]=value1&identifiers[key2]=value2

Supports optional parameters to get specific Resource Type Attributes

This API provides the Resources by passing specified Adapter Kind Key

This API provides the Adapter Kinds by passing specified identifier

Contains optional parameter that specifies whether there is a need to report names in all localizations

If Adapter Kind is passed as parameter, the API returns only the instances of that Adapter Kind

This is typically used to indicate VMware Cloud Foundation operations that the certificates presented by
the (data source for which the adapter instance) was created are indeed valid
certificates.
Typically the response of the POST /api/adapters API in its entirety needs to be
sent as request body when making this PATCH /api/adapters API invocation.
NOTE: In case the provided certificate list is empty, the adapter instance self-signed certificates will be reset.
NOTE: for VCF and vCenter cloud accounts please use /api/integrations/vcenters and /api/integrations/vcf APIs respectively

Pass the not-required parameters to indicate whether need to return default value or null in a result for identifiers that have no/null value in request body and continue instantiating adapter even if no connection is established.
In case of VCenter adapter instance, UI/license extension registration should be run separately.
NOTE: for VCF and vCenter cloud accounts please use /api/integrations/vcenters and /api/integrations/vcf APIs respectively

The request body can accept a collectorId or a collectorGroupId, but not both.
NOTE: for VCF and vCenter cloud accounts please use /api/integrations/vcenters and /api/integrations/vcf APIs respectively

This is typically used to indicate VMware Cloud Foundation operations that the certificates presented by
the (data source for which the adapter instance) was tested are indeed valid
certificates.
Typically the response of the POST /api/adapters API in its entirety needs to be
sent as request body when making this PATCH /api/adapters API invocation.
NOTE: for VCF and vCenter cloud accounts please use /api/integrations/vcenters/testConnection and /api/integrations/vcf/testConnection APIs respectively

Test Adapter Instance connection
NOTE: for VCF and vCenter cloud accounts please use /api/integrations/vcenters/testConnection and /api/integrations/vcf/testConnection APIs respectively

NOTE: Deleting an adapter instance is not synchronous. In case of VCenter adapter instance, UI/license extension un-registration should be run separately.

Returns a specific adapter instance identified by the specified UUID.

Removes the adapter instance from being in an maintenance window. The adapter instance will be notified to start collection process immediately.

After the duration expires, the adapter instance state is automatically set to STARTED.

Start the adapter instance from monitoring its resources

Stop the adapter instance from monitoring its resources

Get all resources that are managed by specific Adapter Instance

Get Notification Plugins, optionally filtered for a specific type

Patch a new Notification Plugin Instance

If the Notification plugin is a standard email plugin, then any untrusted certificates from the secure SMTP server
is returned as part of the response, the api client should invoke a PATCH call to store these certificates.
By default the notification plugin is in disabled state after being created.
Use the modifyAlertPluginState API to enable the plugin.

Before updating a notification plugin, the plugin should be disabled. During the update process
if there are any untrusted certificates returned by the server the patchAlertPlugin call should be made.
Once the update is successfully completed, use modifyAlertPluginState API to enable the plugin.

Get the available Notification Plugin Types

Get the Notification Plugin Type Metadata specified by Plugin Type ID

The field checkDependencies is added to preserve the initial behavior. By default it is set to false.

Case 1: When checkDependencies is false, the API has the following behavior:
Dependent Notification Rules are cascade deleted.
Dependent Report Schedules are unreferenced.
Dependent Tenant Email Configurations are always checked. If any then deletion is failed.

Case 2: When checkDependencies is true, the API has the following behavior:
All dependencies are checked. If any then deletion is failed.

To successfully delete the notification plugin, all conflicting dependencies must be removed.

Get Notification Plugin specified by Plugin ID

Start or stop an existing Notification Plugin Instance

Retrieve all the notification rules of the plugin instance

Test existing Notification Plugin Instance connectivity

If the search criteria is not satisfied, the API will return all Alert Definitions

Once the Alert Definition is created, a unique identifier will be generated by the system for the Alert Definition

Update an existing Alert Definition

Query collection of alert definitions matching the search criteria specified

Using this method, you can delete a particular alert definition

Using this method, you can look up details about a particular alert definition

Disable alert definition in policies

Enable alert definition in policies

Example: GET /api/alerts?id={id1}&id={id2}&resourceId={resId1}&resourceId={resId2}

Modify multiple Alerts by looking them up using their identifiers and performing one of the following actions - Suspend, Cancel,Take Ownership, Release Ownership
Examples:
POST /api/alerts?action=suspend&minutes=1
POST /api/alerts?action=cancel
POST /api/alerts?action=takeownership
POST /api/alerts?action=releaseownership
POST /api/alerts?action=assignownership

Example: DELETE /api/alerts/bulk

Get the list of triggered symptoms for the requested alerts
NOTE: This API only reports the symptoms that are defined on 'SELF'.

Example: POST /api/alerts/group/{groupingCondition}/query

Data returned includes a Collection of Alert Notes

Data returned includes a Collection of Alert Notes.
Example: POST /api/alerts/query

Examples:

GET /api/alerts/types returns the Problem Alerts specific Alert Types & Subtypes
GET /api/alerts/types?ignoreLegacy=false returns all the Alert Types & Subtypes

Example: GET /api/alerts/{id}

Data includes a Collection of Alert Notes
Example: GET /api/alerts/{id}/notes

Data returned is the Alert Note created in the system.
Example: POST /api/alerts/{id}/notes

Example: DELETE /api/alerts/{id}/notes/{noteId}

Example: GET /api/alerts/{id}/notes/{noteId}

Get all the created application monitoring configurations

Uninstall app monitoring agent from the specified resource

Install app monitoring agent on specified resource.
vCenters mapping should be present for this API to work.

Correct configuration for vCenters mapping -
vCenter is mapped to individual CP or CP part of non HA collector group.
vCenter is mapped to HA enabled collector group.

vCenters mapping APIs -
Create vCenters mappings API POST /api/applications/vccpmappings.
Delete vCenters mapping API DELETE /api/applications/vccpmappings.

Renew client certificate

Status of renew client certificate operations.

Save application service configuration on multiple resources.

The response contains information about the application action status by the given taskId.

Start agent on the specified resources

Stop agent on the specified resources

Upgrade app monitoring agent on the specified resources

Renew endPoint's certificate

Status of renew client certificate operation.

Remove application service configuration from the specified resource

Get all services on a specified resource

Save application service configuration on the specified resource

Update application service configuration on the specified resource

Get all configurations by service name on a specified resource

The response contains information about the bootstrap action status by the given taskId.

Query to sign the Arc Client certificate

Download Client Certificates

Get all available resources for application monitoring

Provides a template for the specified service

Bootstrap Bundle primarily contains client certificates, Grains File containing configuration of
ARC Agent Components (ucp-minion, salt-minion, Telegraf) and seeder script.
This API also presets salt minion keys in ARC.

Bootstrap Bundle primarily contains client certificates, Grains File containing configuration of
ARC Agent Components (ucp-minion, salt-minion, Telegraf) and seeder script.

Delete vCenters mapping info

Create mappings between collector or collectorGroup and vCenters

Get vCenter mappings based on the specified query

Add a vCenter for monitoring with specified application monitoring configuration

NOTE: Application Monitoring configuration will be deleted after removing last mapped vCenter from it.

Get system audit report

Using this method, one can look up the details of a user initiated this API method.


Note: The provided hrefs are functional for the users with 'administration.accesscontrol.viewpage' (View Access Control Page) privilege.

Note: The provided hrefs are functional for the users with 'administration.accesscontrol.viewpage' (View Access Control Page) privilege.

Note:The provided hrefs are functional for the users with 'administration.accesscontrol.viewpage' (View Access Control Page) privilege.

If no privilege key is set, all available Privilege Groups will be granted

If no privilege key is set, all available Privileges will be granted

Find list of application roles using the role names

Create a user role

Name of the role cannot be changed.

Remove role with given role name

Look up a role with the given name

Remove specified privileges from the user role

Get the privileges for a user role

New privileges union with any previous privileges.

Replaces any previous privileges.

Delete scopes.

Get all scopes available in the environment

Create a new Scope.

Modify a Scope

Get the scope by its id

Get all the available authentication sources in the system.
NOTE: This API works both for authenticated and un-authenticated access. In case of authenticated access (by providing the Authorization header) it will return more information including auth source properties. Please also note that while triggering the API through Swagger interface it will work in un-authenticated scenario (Swagger will not send the Authorization header).

Patch an already added authentication source with the certificate data

If the authentication source is of type LDAP or AD and if ssl is enabled, the response object will contain a list of certificates found matching with the provided host.If the authentication source is not of type LDAP or AD (or) if ssl is not enabled, then the authentication source is available for use as soon as the api call is successful.It is the duty of the caller to call the PATCH (/sources) api with the certificate details. Once the PATCH api call is successful, the authentication source is available for use.

If the host is an ldap host and if host/port is changed, then the response will contain a list of certificates found matching with the host. It is the duty of the caller to call the PATCH (/sources) api with the certificate details. Once the PATCH api call is successful, the authentication source is available for use.

Patch an already tested authentication source with the certificate data

Test a new or an existing authentication source in the system

Get VIDB well-known URL

The auth source can be SSO/VIDM/LDAP/AD.
For the LDAP/AD auth source, the request should contain the name of the group.
For the SSO/VIDM auth source, request should contain the name of the group and the SSO/VIDM domain.
User-group's name can contain wildcards. Maximum of 25 user-groups are returned for SSO auth source.

Synchronize user groups by specified Auth Source ID

Auth source can be SSO/VIDM/LDAP/AD/VIDB.
When a user is being re-imported, make sure to populate the "id" field of the user.
NOTE: In the case of vIDB users, the import occurs based on the provided externalId. If other provided details are incorrect, they will be asynchronously updated with the correct values right after the import operation is completed.

The auth source can be SSO/LDAP/AD/VIDM.
For the LDAP/AD auth source, the request should contain the name of the user.
For the SSO/VIDM auth source, request should contain the name of the user and the SSO/VIDM domain.
Username can contain wildcards. Maximum of 25 users are returned for SSO auth source.

During the deletion of the SSO SAML/VCF SSO auth source, the same 'username' and 'password' which has been used while the creating this sso auth source, should be sent to the payload object.
Note: Force flag is applicable only for VCF SSO auth source. If force is true, VMware Cloud Foundation Operations continues to attempt to delete the VCF SSO auth source even when errors occur.
If you set it to false, VMware Cloud Foundation Operations stops attempting to removethe auth source if VCF SSO server fails

The auth source can be SSO/LDAP/AD.
For the LDAP/AD auth source, the request should contain the name of the user.
For the SSO auth source, request should contain the name of the user and the sso domain.
User-group's username can contain wildcards. Maximum of 25 user-groups are returned for SSO auth source.

Get all the available authentication source types

Retrieve information about a particular authentication source type

Performing a POST /api/auth/token/acquire would yield a response object that includes token and its validity.
HTTP Status 401 will be sent back if the authentication operation has failed.
NOTE: The validity of the acquired token is extended after each call and is set to 6 hours from the last call.

Exchange current user token with jwt token

Terminate the current Session ID

If no optional parameters passed, the API will return all traversal specification templates in the system

Delete a list of user groups using their identifiers

If none of the parameters are specified, all the user groups in the system are returned.

If the authSourceId is specified(in the request), then the user group will be imported from the corresponding auth source (LDAP/AD/SSO/VIDM/VIDB).Note that the id of the user group has to be null.
For LDAP/AD groups the distinguishedName should be provided in the name field.
The value of displayName is used only while importing LDAP/AD groups, and if it is not provided then the value of name will be assigned to it. For SSO/VIDM groups the value of name is assigned to displayName.
NOTE: Before importing please make sure that the group exists in the specified authSource by using the following API - /api/auth/sources/{id}/usergroups/search . Otherwise, if you try to import a non-existing group, a new one will be created with the specified authSourceId.
NOTE: In the case of vIDB user group, the import occurs based on the provided externalId. If other provided details are incorrect, they will be asynchronously updated with the correct values right after the import operation is completed.

You can add or remove users from the group. Name and id of the group cannot be changed.

Get assigned role permissions for the specified user group

Replaces existing role permission entirety if it exists already for the named role.

Unassign role permission from a user group

Traversal specifications assigned through this API will add the specified traversal specification to a role permission for the ReadOnly role. It will also update the user's existing role permissions with this traversal specification.
This API is replaced by the assignRolePermissionToUser and unassignRolePermissionFromUser APIs which are PUT and DELETE operations respectively at the /auth/usergroups/{groupId}/permissions endpoint.Note: mixing current and deprecated APIs is not recommended and may result in undefined behavior.

Delete a local user group

Look up a local user group using its identifier

If the user which is being deleted is an SSO/LDAP/AD user, then it gets deleted(removed) from VMware Cloud Foundation Operations ONLY and does not get actually deleted.

If both ids and roleNames are not specified, information about all the local users are being returned.

Create a new user

Modify the details of a particular user

Change the password of the active user

If the user being deleted is an SSO/LDAP/AD user, the user gets deleted(removed) from VMware Cloud Foundation Operations ONLY and does not get actually deleted.

Using this method, you can look up details about a particular local user

Get assigned role permissions for a specified user

Replaces the existing role permission entirety if it exists already for the named role.

Unassign role permission from a user

Traversal specifications assigned through this API will add the specified traversal specification to a role permission for the ReadOnly role. It will also update the user's existing role permissions with this traversal specification.
This API is replaced by the assignRolePermissionToUser and unassignRolePermissionFromUser APIs which are PUT and DELETE operations respectively at the /auth/usergroups/{groupId}/permissions endpoint.Note: mixing current and deprecated APIs is not recommended and may result in undefined behavior.

Delete a certificate

Get all certificates

Import the given certificate file.

Get all the Collector Groups defined in the system

Create a new Collector Group in the system

This Replaces all existing configuration of a Collector Group
with the data specified as part of the Request.

Delete a Collector Group from the system using collector specified identifier

Get details of a particular Collector Group in the system

Renew Collector Group CA Certificate. Note : Communication between Endpoint - Cloud Proxy will be broken post Renewal of CA Certificate. Will attempt to renew Client Certificate on Endpoint

Status of Collector Group CA Certificate renewal action.

Remove a Collector from the specified Collector Group

Add a Collector to the specified Collector Group

If no filters set, the API returns all the Collectors registered with the VMware Cloud Foundation Operations system

Get all the Collectors registered with the VMware Cloud Foundation Operations system

Renew Cloud Proxy CA Certificate. Note : Communication between Endpoint - Cloud Proxy will be broken post Renewal of CA Certificate. Will attempt to renew Client Certificate on Endpoint.

Status of Collector CA Certificate renewal Operation.

Using this method, you can disable data persistence on cloud proxy.

Using this method, you can enable data persistence on cloud proxy.

Get VVF certificates for a service

Replace the certificate of the given ingress component

Get all Certificate Signing Requests (CSRs) for a service

Generate a Certificate Signing Request (CSR) for a service

get the list of accounts

Update the password for a system account

Get the status of a task

Get details of the specified configuration file.

Backup content for current user

Download backup for current user

The response contains information about the last export operation details

Export content for current user. This takes scope of the export. The content types that need to be exported can be specified as a list.

Downloads the content data as a file.

The response contains information about the last import operation details

The "Content-Type" of the request is multipart/form-data. If the force option is set to true, content will be overwritten. By default the flag is true.
NOTE: If the content file contains integration accounts, then upon completion of the import process, it is recommended to check them. Some collectors or collector groups may have become unbound from the accounts they serve and should be reconnected. Additionally, you will need to re-accept all untrusted certificates manually. Finally ensure that all your adapter instances are started as some of these may not have been restarted automatically.

Get content progress

The "Content-Type" of the request is multipart/form-data.

Get restore data report for current user

Get details of currently selected currency such as display name, code, etc.

Set currency

Gets all the Credential Kinds defined in the system. Optionally filter by adapter kind keys.

Gets all the Credential Instances in the system. Optionally filter by adapter kind keys or credential instance identifiers.

Partial update an existing Credential Instance

Create a new Credential Instance

Update an existing Credential Instance

Delete a Credential Instance using the identifier specified. Requires the authenticated user to have correct privilege.

Get a Credential Instance using the identifier specified

Gets the Adapter Instances using the Credential Instance specified by the identifier.

Gets the Objects using the Credential Instance specified by the identifier.

Currently one can Start or Stop a DT Run.
Sample URI:
PUT /api/deployment/cluster/dt?action=start
PUT /api/deployment/cluster/dt?action=stop

The deprecation info and all key-name mappings can be found in the /api/deployment/config/globalsettings/metadata API's description.

Find all the name-key mappings here:

Action History - ACTION_RETENTION_IN_DAYS,
Deleted Objects - DELETED_OBJECTS_RETENTION_IN_HOURS,
Deletion Scheduling Interval - DELETION_SCHEDULING_INTERVAL_IN_HOURS,
Object History - OBJECT_HISTORY_RETENTION_IN_DAYS,
Generated Reports Retention - GENERATED_REPORTS_RETENTION_TIME_IN_MONTHS,
Session Timeout - SESSION_TIMEOUT_IN_MINUTES,
Symptoms/Alerts - CANCELLED_ALERTS_SYMPTOMS_RETENTION_TIME_IN_DAYS,
Time Series Data Retention - TIME_SERIES_DATA_RETENTION_IN_MONTHS,
Additional Time Series Retention - ROLLUP_TIME_SERIES_DATA_RETENTION_IN_MONTHS,
Deleted Users - DELETED_USERS_RETENTION_IN_DAYS,
External Event Based Active Symptoms - OUTDATED_EVENT_BASED_SYMPTOMS_CANCELING_ENABLED,
External Event Based Active Symptoms - ACTIVE_EVENT_BASED_SYMPTOMS_RETENTION_TIME_IN_DAYS,
Dynamic Threshold Calculation - DYNAMIC_THRESHOLDING_UPDATE_TIME_IN_MINUTES,
Cost Calculation - COST_CALCULATION_TIME_IN_MINUTES,
Deprecated from VMware Aria Operations 8.14: Customer Experience Improvement Program - TELEMETRY_ENABLED,
Allow vCenter users to log into VMware Cloud Foundation Operations from vCenter clients - VC_USER_LOGIN_FROM_VC_WEBUI_ALLOWED,
System access URL - BASE_URL,
Automated Actions - AUTOMATED_ACTIONS_ENABLED,
Enable Standard Certification Validation - ENABLE_CERTIFICATE_VALIDATION_STANDARD_WAY,
Concurrent UI login sessions - ALLOW_CONCURRENT_LOGIN_SESSIONS,
Allow non-imported vIDM user access - ALLOW_NON_IMPORTED_VIDM_USERS_ACCESS,
Dynamic Threshold Calculation - DYNAMIC_THRESHOLDING_ENABLED,
Cost Calculation - COST_CALCULATION_ENABLED,
Deleted Objects - DELETED_OBJECTS_RETENTION_IN_HOURS_EXPANSION,
Generated Reports Retention - GENERATED_REPORTS_RETENTION_ENABLED,
Docker image default registry URL - DOCKER_IMAGE_REGISTRY_URL,
Tag Based Pricing Metrics - PRICING_TAG_DETAILED_METRICS,
Tag based Costing Metrics - COSTING_TAG_DETAILED_METRICS,
Cluster Utilization Ceiling Factor - CLUSTER_UTILIZATION_ROUND_OFF,
Generated Reports Retention - GENERATED_REPORTS_RETENTION_TIME_IN_DAYS,
Threshold For Adapters Certificate Expiration Alert - CERTIFICATE_ALARM_DAYS,
Show Cost Savings - SHOW_COST_SAVINGS_RECLAMATION_SETTING,
Include Powered off VMs for Reclamation (flag) - RECLAIM_POWERED_OFF_VMS_ENABLED,
Include Powered off VMs for Reclamation (days) - RECLAIM_POWERED_OFF_VMS_DAYS,
Include Idle VMs for Reclamation - RECLAIM_IDLE_VMS_ENABLED,
Minimum number of days that VM has been idle for - RECLAIM_IDLE_VMS_DAYS,
Exclude VM provisioned in last - EXCLUDE_IDLE_VMS_PROVISIONED_IN_LAST_DAYS,
VM Idleness Criteria (MHz) - IDLENESS_INDICATOR_THRESHOLD_MHZ,
VM Idleness Criteria (%) - IDLENESS_INDICATOR_THRESHOLD_PERCENT,
Include Snapshots for Reclamation (flag) - RECLAIM_SNAPSHOTS_ENABLED,
Include Snapshots for Reclamation (days) - RECLAIM_SNAPSHOTS_DAYS,
Include Orphaned Disks for Reclamation (flag) - RECLAIM_ORPHANED_DISKS_ENABLED,
Include Orphaned Disks for Reclamation (days) - RECLAIM_ORPHANED_DISKS_DAYS,
Orphaned Disks Collection Time - ORPHANED_VMDK_COLLECTION_TIME_IN_MINUTES,
Generated Tenant Reports Retention (flag) - GENERATED_TENANT_REPORTS_RETENTION_ENABLED,
Generated Tenant Reports Retention (days) - GENERATED_TENANT_REPORTS_RETENTION_TIME_IN_DAYS,
Credential Ownership Enforcement - ACTIVATE_CREDENTIAL_OWNERSHIP.

The deprecation info and all key-name mappings can be found in the /api/deployment/config/globalsettings/metadata API's description.

The deprecation info and all key-name mappings can be found in the /api/deployment/config/globalsettings/metadata API's description.

The information returned includes the Health of the Service, uptime, when the service was started and etc.
Specifically the Health of the Service is 'OK', when the Service is running and responsive, otherwise it is 'Error'.

The information returned includes the Health of the Service, uptime, start time of the service and etc.
Specifically the Health of the Service is 'OK', when the Service is running and responsive, otherwise it is 'Error'.

The status is ONLINE, if all the services are running and responsive, else status is OFFLINE.

Push a single Event into the system

If the adapter kind specified is not present in the system, it will be created dynamically. However,
if the adapter kind specified does already exist, then it must be of OPENAPI adapter kind type.
Also the API sanitizes the Push Adapter Kind key by removing invalid characters (e.g.: Embedded HTML & JS)

Push one or more Events into the system

If the adapter kind specified is not present in the system, it will be created dynamically. However,
if the adapter kind specified does already exist, then it must be of OPENAPI adapter kind type.
Also the API sanitizes the Push Adapter Kind key by removing invalid characters (e.g.: Embedded HTML & JS)

If no filters are set, the API returns all the findings in the system

If no filters are set, the API returns all the affected objects for the rule in the system

This API will be invoked by VCF UI to show Configured CA

This API will be invoked by UI to update /save the CA configurations

Get paginated list of certificates based on query parameters

Get certificate info for the given Certificate Id

Replace the certificate of the given appliance

Return list of Certificate CSRs.

Generate Certificate Signing Request (CSR) for the given VCF component

Get paginated list of password accounts based on query parameters

Update the password for given account

Retrieves a list of all VCF components (vCenter) that are eligible for custom role provisioning. Use this API to discover available components in your environment where you can create and apply custom roles for fine-grained access control.

Delete Iam Component Auth Source by either VCF Component ID or Component Type. Exactly one parameter (componentId or componentType) must be provided.

Creates Iam Component Auth Source. Can be based on a VCF Component or a Management Component type.

Fetch Iam Component Auth Source. If no filterType and filterValue provided, returns all. If provided, fetch by filterType (VCF_COMPONENT, MANAGEMENT_COMPONENT, or VCF_INSTANCE) and corresponding filterValue. filterValue must be a valid UUID for VCF_COMPONENT and VCF_INSTANCE, or a valid ComponentType enum value for MANAGEMENT_COMPONENT.

Retrieves a list of all custom component roles that have been created and provisioned across VCF components. This API supports filtering by component role name and component type to find specific custom roles. Use this endpoint to view all custom roles and their provisioning status across your VCF environment.

Creates new custom component roles and provisions them to specified target components.The operation is asynchronous and returns a task ID to track the provisioning progress.

Updates an existing custom component role definition. The operation is asynchronous and returns a task ID.

Retrieves a list of available component roles for VCF components with optional filtering by component type. This API returns the built-in/custom roles available for each VCF component (vCenter, NSX Manager, VCF Operations, etc.) that can be used when creating custom VCF roles.

This operation will remove the role definition from VCF Operations. The role will not be de-provisioned from the components

Retrieves detailed information about a specific custom component role including its definition, permissions, and current provisioning status across all target components. This API provides comprehensive details needed to understand and manage a custom role.

Initiates a drift detection check for a custom role on specified target components. Drift detection identifies differences between the intended role definition in VCF Operations and the actual role configuration on target components (vCenter, NSX Manager, etc.). Use this to ensure roles are properly synchronized across your environment.

Retries provisioning of a custom role on specified target components where previous provisioning attempts failed. Use this API to remediate failed provisioning operations without having to recreate or modify the role definition. The operation is asynchronous and returns a task ID to track retry progress.

Retrieves the current custom role definitions from a specific component (vCenter). This API returns all custom roles that have been provisioned to the specified component

Creates a new Identity Provider configuration supporting OIDC, SAML, or LDAP BIND protocols. Supports JIT, SCIM, or LDAP provisioning types.

Updates an existing Identity Provider configuration. All configuration fields can be modified.

Deletes an Identity Provider configuration. If force is true, also removes associated components.

Retrieves the complete Identity Provider configuration details by IDP configuration ID.

Retrieves basic information about the OAuth2 SCIM sync client configured for the specified directory.

Creates a new OAuth2 SCIM sync client for the specified directory. Optionally generates a bearer access token with configurable TTL (default 6 months).

Retrieves all LDAP directory information objects associated with the specified Identity Provider.

Performs a search query to find groups in the specified LDAP directory based on search criteria.

Initiates a manual LDAP synchronization operation for the specified identity provider and directory.

Retrieves paginated list of LDAP synchronization execution logs. Can fetch all logs or only the last sync log using the 'last' parameter.

Retrieves detailed information about a specific LDAP synchronization execution by sync log ID.

Retrieves the LDAP synchronization profile configuration for a specific directory.

Updates the LDAP synchronization profile configuration for a specific directory.

Performs a search query to find users in the specified LDAP directory based on search criteria.

Retrieves a Paginated list of VCF roles with optional filtering by role typeThis API supports filtering to find specific roles based on type criteria or returns both built-in and custom roles.

Creates a new custom VCF role with specified component roles and permissions. Custom roles allow fine-grained access control by combining component-specific roles from different VCF components. The role name must be unique and will be validated for conflicts with existing roles.

Updates an existing custom VCF role definition with new component roles and permissions. This operation allows modification of role assignments, descriptions, and component role mappings. Built-in roles cannot be updated, only custom roles are supported for updates.

Permanently deletes a custom VCF role definition from the system. Built-in roles cannot be deleted. Before deletion, ensure that no users, groups or api-clients are assigned to this role. This operation cannot be undone

Retrieves the complete definition of a specific VCF role including its component roles

Validates SAML metadata provided as XML content or URL. Returns validation results and parsed metadata information.

Retrieves the current IAM Global Settings configuration including API token TTL, access token TTL, and API token retention period. These settings control the lifetime and retention policies for authentication tokens used in the VCF

Updates the IAM Global Settings configuration including API token TTL, access token TTL, and API token retention period. These settings control the lifetime and retention policies for authentication tokens used in the VCF.

Retrieves a summary list of all configured SSO Realms in the system.

Creates a new SSO Realm configuration for identity management.

Deletes an SSO Realm configuration.

Retrieves complete SSO Realm configuration details by SSO Realm identifier.

Updates specific fields of an API Client.

Creates a new API Client in the specified SSO Realm for API access.

Queries API Clients in an SSO Realm with search filters and pagination support. Results can be sorted by expiration date, creation date, last used date, or access token TTL.

Deletes an API Client and all associated tokens from the SSO Realm.

Retrieves complete details of a specific API Client by client ID.

Updates specific fields of an API Token configuration.

Generates a new API Token for an existing API Client. Returns the token with its secret value (displayed only once).

Queries API Tokens in an SSO Realm with search filters and pagination support. Results can be sorted by expiration date, creation date, last used date, or access token TTL.

Deletes a specific API Token from the SSO Realm by token ID.

Retrieves complete details of a specific API Token by token ID.

Regenerates the secret value for an existing API Token. The new secret is returned and should be stored securely.

Retrieves a list of all Emergency Clients configured in the specified SSO Realm.

Creates an Emergency Client with an automatically generated token. Emergency clients are used for critical access scenarios.

Deletes an Emergency Client and its associated token from the SSO Realm.

Retrieves complete details of a specific Emergency Client by client ID.

Regenerates the token secret for an existing Emergency Client. The new secret is returned and should be stored securely.

Retrieves a paginated list of provisioned groups in an SSO Realm. Supports filtering, sorting, and pagination parameters.

Retrieves a paginated list of user members belonging to a specific group. Supports filtering, sorting, and pagination parameters.

Retrieves a list of all OAuth App instances explicitly created for external integrations in the specified SSO Realm.System-generated OAuth Apps used for internal authentication source configurations are excluded.

Creates a new OAuth App instance in the specified SSO Realm for OAuth-based authentication. This is needed for external integrations in the SSO Realm

Updates an OAuth App configuration.

Deletes an OAuth App instance from the SSO Realm by OAuth App ID.

Retrieves complete details of a specific OAuth App by OAuth App ID.

Rotates the client secret for an OAuth App. The new secret is generated and returned in the response.

Removes all role assignments from a user or group or api client.

Retrieves all existing role assignments for a user or group or api client.

Replaces all existing role assignments for a user or group or api client with the new set of role assignments provided in the request.

Retrieves a paginated list of provisioned users in an SSO Realm. Supports filtering, sorting, and pagination parameters.

Retrieves IAM task details by taskId received after initiating any task such as DELETE SSO Realm or IDP

Retrieves list of identity broker instances available for Identity Provider configuration. Can be filtered by VCF Instance ID and deployment type.

Updates metadata for an identity broker resource, such as display name or other descriptive information.

Get registered services details

Instances are generated for not just the vCenter adapter but also for vSAN and Service Discovery adapters. If configurations for vSAN or Service Discovery are not provided, the corresponding adapters will not be created.
NOTE: while providing any certificate via this API, certificateDetails field must be populated.

Instances are updated for not just the vCenter integration but also for vSAN and Service Discovery adapters. If configurations for vSAN or Service Discovery are not provided, the corresponding adapters will not be updated.
NOTE: while providing any certificate via this API, certificateDetails field must be populated.

In case if certificate is needed, will return untrusted certificate for acceptance in response.
NOTE: while providing any certificate via this API, certificateDetails field must be populated.

NOTE: Deletion is not synchronous. As a result, the delete operation may not happen immediately. It is recommended to query back the system with the identifier and ensure that the system returns a 404 error.

Get vCenter integration, with vSAN and Service Discovery configs

If force parameter is passed as true, in case if vc is already registered, registration will be overwritten.

Unregister vc with provided credentials, and id

vCenter,vSAN and NSXT adapter instances will be generated, upon VCF integration creation, but service discovery is still needed to be enabled manually.
NOTE: If NSX cloud account creation fails due to service account credential creation failure, no error will be thrown. Verify the NSX cloud account after VCF integration creation.
NOTE: while providing any certificate via this API, certificateDetails field must be populated.

NOTE: while providing any certificate via this API, certificateDetails field must be populated.

In case if certificate is needed, will return untrusted certificate for acceptance in response.
NOTE: while providing any certificate via this API, certificateDetails field must be populated.

NOTE: Deletion is not synchronous. As a result, the delete operation may not happen immediately. It is recommended to query back the system with the identifier and ensure that the system returns a 404 error.

Get VCF integration, by specified id

Get all VCF domains summary for VCF by provided id

NOTE: Deletion is not synchronous. As a result, the delete operation may not happen immediately. It is recommended to query back the system with the identifier and ensure that the system returns a 404 error.

Get VCF domain by provided VCF and domain ids

NOTE: This operation will only work for configured domains.
NOTE: while providing any certificate via this API, certificateDetails field must be populated.

NOTE: This operation will only work for configured domains.
NOTE: while providing any certificate via this API, certificateDetails field must be populated.

If force parameter is passed as true, in case if vcf is already registered, registration will be overwritten.

NOTE: The registration of some of the VCs under the VCF may fail because of different issues, e.g. connection issue. In such cases response will be returned with http 200 status code, however the failed resources id's will be reported in the response body. Please check the status field of the response after executing this API, in order to make sure that the operation has fully succeeded.