Authorization Manager APIs

This managed object provides operations to query and update roles and permissions.

Privileges are the basic individual rights required to perform operations. They are statically defined and never change for a single version of a product. Examples of privileges are "Power on a virtual machine" or "Configure a host."

Roles are aggregations of privileges, used for convenience. For user-defined roles, the system-defined privileges, "System.Anonymous", "System.View", and "System.Read" are always present.

Permissions are the actual access-control rules. A permission is defined on a ManagedEntity and specifies the user or group ("principal") to which the rule applies. The role specifies the privileges to apply, and the propagate flag specifies whether or not the rule applies to sub-objects of the managed entity.

A ManagedEntity may have multiple permissions, but may have only one permission per user or group. If, when logging in, a user has both a user permission and a group permission (as a group member) for the same entity, then the user-specific permission takes precedence. If there is no user-specific permission, but two or more group permissions are present, and the user is a member of the groups, then the privileges are the union of the specified roles.

Managed entities may be collected together into a "complex entity" for the purpose of applying permissions consistently. Complex entities may have a Datacenter, ComputeResource, or ClusterComputeResource as a parent, with other child managed objects as additional parts of the complex entity:

  • A Datacenter's child objects are the root virtual machine and host Folders.
  • A ComputeResource's child objects are the root ResourcePool and HostSystem.
  • A ClusterComputeResource has only the root ResourcePool as a child object.

Child objects in a complex entity are forced to inherit permissions from the parent object. When query operations are used to discover permissions on child objects of complex entities, different results may be returned for the owner of the permission. In some cases, the child object of the complex entity is returned as the object that defines the permission, and in other cases, the parent from which the permission is propagated is returned as the object that defines the permission. In both cases, the information about the owner of the permission is correct, since the entities within a complex entity are considered equivalent. Permissions defined on complex entities are always applicable on the child entities, regardless of the propagation flag, but may only be defined or modified on the parent object.

In a group of fault-tolerance (FT) protected VirtualMachines, the secondary VirtualMachines are forced to inherit permissions from the primary VirtualMachine. Queries to discover permissions on FT secondary VMs always return the primary VM as the object that defines the permissions. Permissions defined on an FT primary VM are always applicable on its secondary VMs, but can only be defined or modified on the primary VM.
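The resolution rules above (user-specific permission over group permissions, union of group roles, the System.* privileges always present in user-defined roles, the propagate flag, complex-entity inheritance and FT primary/secondary inheritance) as an added Python model; this is not code from the API or from VMware. The inventory, roles, principals and privilege names are constructed, and the rule that a permission defined nearer the entity overrides one propagated from an ancestor is an assumption this page does not state.

```python
from collections import namedtuple
from dataclasses import dataclass, field
SYSTEM_PRIVS = frozenset({"System.Anonymous", "System.View", "System.Read"})
# A role is a named set of privileges; user-defined roles always carry the System.* privileges.
Role = namedtuple("Role", "name privileges system_defined", defaults=[False])
# A permission binds a principal (user or group) to a role on the entity it is defined on;
# propagate=True makes the rule apply to that entity's sub-objects as well.
Permission = namedtuple("Permission", "principal is_group role propagate")
def role_privileges(role):
    return role.privileges if role.system_defined else role.privileges | SYSTEM_PRIVS

@dataclass(eq=False)                       # identity semantics: an entity is its own hash key
class Entity:
    name: str
    parent: "Entity" = None
    complex_child: bool = False            # child part of a complex entity, e.g. a Datacenter's root folder
    ft_primary: "Entity" = None            # set on an FT secondary VM
    permissions: list = field(default_factory=list)

def permissions_in_force(entity):
    """Yield (defining entity, permission) pairs that apply to entity, nearest definition first."""
    entity = entity.ft_primary or entity   # FT secondary: rules are defined on the primary only
    for p in entity.permissions:
        yield entity, p
    if entity.parent is not None:
        for owner, p in permissions_in_force(entity.parent):  # complex children inherit regardless of flag
            if p.propagate or (entity.complex_child and owner is entity.parent):
                yield owner, p

def effective_privileges(user, groups, entity):
    # Assumption (not stated on the page): the nearest defining entity with a rule for this user
    # or one of their groups decides; rules propagated from further up are then ignored.
    pairs = list(permissions_in_force(entity))
    for owner in dict.fromkeys(o for o, _ in pairs):
        perms = [p for o, p in pairs if o is owner]
        for p in perms:                    # a user-specific rule takes precedence over group rules
            if not p.is_group and p.principal == user:
                return role_privileges(p.role)
        via_groups = [role_privileges(p.role) for p in perms if p.is_group and p.principal in groups]
        if via_groups:                     # otherwise the union of all matching group roles
            return frozenset().union(*via_groups)
    return frozenset()

def sample_inventory():                    # constructed sample: Datacenter -> root VM folder -> vm1 (+ FT secondary)
    ro = Role("Read-Only", SYSTEM_PRIVS, system_defined=True)
    vm_ops, net = Role("VM Operator", frozenset({"VirtualMachine.Interact.PowerOn"})), Role("Network Admin", frozenset({"Host.Config.Network"}))
    dc = Entity("dc1", permissions=[Permission("alice", False, ro, False), Permission("ops", True, net, True),
                                    Permission("auditors", True, ro, True)])
    folder = Entity("vm", parent=dc, complex_child=True, permissions=[Permission("ops", True, vm_ops, True)])
    vm1 = Entity("vm1", parent=folder, permissions=[Permission("bob", False, ro, False)])
    return dc, folder, vm1, Entity("vm1-secondary", ft_primary=vm1)
```

In the sample, alice's non-propagating permission on the Datacenter reaches the root VM folder (complex entity) but not vm1 below it, bob's user-specific rule on vm1 wins over the ops group rule from the folder, and the FT secondary resolves exactly as vm1 does.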

Operations

  • POST Authorization Manager Add Authorization Role: Adds a new role.
  • POST Authorization Manager Fetch User Privilege On Entities: Get the list of effective privileges for a user, either granted explicitly, or through group membership.
  • GET Authorization Manager Get Description: Static, descriptive strings for system roles and privileges.
  • GET Authorization Manager Get Privilege List: The list of system-defined privileges.
  • GET Authorization Manager Get Role List: The currently defined roles in the system, including static system-defined roles.
  • POST Authorization Manager Has Privilege On Entities: Check whether a session holds a set of privileges on a set of managed entities.
  • POST Authorization Manager Has Privilege On Entity: Check whether a session holds a set of privileges on a managed entity.
  • POST Authorization Manager Has User Privilege On Entities: Checks if a user holds a certain set of privileges on a number of managed entities.
  • POST Authorization Manager Merge Permissions: Reassigns all permissions of a role to another role.
  • POST Authorization Manager Remove Authorization Role: Removes a role.
  • POST Authorization Manager Remove Entity Permission: Removes a permission rule from an entity.
  • POST Authorization Manager Reset Entity Permissions: Update the entire set of permissions defined on an entity.
  • POST Authorization Manager Retrieve All Permissions: Finds all permissions defined in the system.
  • POST Authorization Manager Retrieve Entity Permissions: Gets permissions defined on or effective on a managed entity.
  • POST Authorization Manager Retrieve Role Permissions: Finds all the permissions that use a particular role.
  • POST Authorization Manager Set Entity Permissions: Defines one or more permission rules on an entity or updates rules if already present for the given user or group on the entity.
  • POST Authorization Manager Update Authorization Role: Updates a role's name or privileges.