Authorization Manager APIs

This managed object provides operations to query and update roles and permissions.

Privileges are the basic individual rights required to perform operations. They are statically defined and never change for a single version of a product. Examples of privileges are "Power on a virtual machine" or "Configure a host."

Roles are aggregations of privileges, used for convenience. For user-defined roles, the system-defined privileges, "System.Anonymous", "System.View", and "System.Read" are always present.

Permissions are the actual access-control rules. A permission is defined on a ManagedEntity and specifies the user or group ("principal") to which the rule applies. The role specifies the privileges to apply, and the propagate flag specifies whether or not the rule applies to sub-objects of the managed entity.

A ManagedEntity may have multiple permissions, but may have only one permission per user or group. If, when logging in, a user has both a user permission and a group permission (as a group member) for the same entity, then the user-specific permission takes precedent. If there is no user-specific permission, but two or more group permissions are present, and the user is a member of the groups, then the privileges are the union of the specified roles.

Managed entities may be collected together into a "complex entity" for the purpose of applying permissions consistently. Complex entities may have a Datacenter, ComputeResource, or ClusterComputeResource as a parent, with other child managed objects as additional parts of the complex entity:

• A Datacenter's child objects are the root virtual machine and host Folders.
• A ComputeResource's child objects are the root ResourcePool and HostSystem.
• A ClusterComputeResource has only the root ResourcePool as a child object.

Child objects in a complex entity are forced to inherit permissions from the parent object. When query operations are used to discover permissions on child objects of complex entities, different results may be returned for the owner of the permission. In some cases, the child object of the complex entity is returned as the object that defines the permission, and in other cases, the parent from which the permission is propagated is returned as the object that defines the permission. In both cases, the information about the owner of the permission is correct, since the entities within a complex entity are considered equivalent. Permissions defined on complex entities are always applicable on the child entities, regardless of the propagation flag, but may only be defined or modified on the parent object.

In a group of fault-tolerance (FT) protected VirtualMachines, the secondary VirtualMachines are forced to inherit permissions from the primary VirtualMachine. Queries to discover permissions on FT secondary VMs always return the primary VM as the object that defines the permissions. Permissions defined on an FT primary VM are always applicable on its secondary VMs, but can only be defined or modified on the primary VM.