Host Access Manager Change Lockdown Mode

Changes the lockdown state of the ESXi host.

This operation will do nothing if the host is already in the desired lockdown state.

When the host is in lockdown mode it can be managed only through vCenter and through DCUI (Direct Console User Interface) if the DCUI service is running. This is achieved by removing all permissions on the host, except those of the exception users defined with UpdateLockdownExceptions.

In addition, the permissions for users 'dcui' and 'vpxuser' are always preserved.

When lockdown mode is disabled, the system will try to restore all permissions that have been removed when lockdown mode was enabled. It is possible that not all permissions may be restored and this is not an error, e.g. if in the meantime some user or managed object was deleted.

It may be possible that after exiting lockdown mode the only permissions on the host will be those of users 'dcui' and 'vpxuser'. This will render the host unmanageable if it is not already managed by vCenter, or if the connection to vCenter is lost. To prevent this, the users in the "DCUI.Access" list will be assigned Admin roles.

While the host is in lockdown mode, some operations will fail with SecurityError. This ensures that the conditions for lockdown mode cannot be changed. For example it is allowed to change the access mode only for users in the exceptions list.

When the host is in lockdown mode, changing the running state of service DCUI through HostServiceSystem will also fail with SecurityError accompanied with an appropriate localizeable message.

Required privileges: Host.Config.Settings

Request

URI

POST

https://{vcenter-host}/sdk/vim25/{release}/HostAccessManager/{moId}/ChangeLockdownMode

COPY

Path Parameters

string

moId

Required

The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case HostAccessManager/{moId}.

string

release

Required

The vSphere release schema. The current specification covers vSphere 8.0.2.0 APIs.

Request Body

ChangeLockdownModeRequestType of type(s) application/json

Required

{
    "mode": "string"
}

HostLockdownMode_enum

mode

Required

Defines the possible states of lockdown mode.

Possible values:

lockdownDisabled: Indicates that lockdown mode is disabled.
lockdownNormal: Indicates that lockdown mode is enabled with service DCUI (Direct Console User Interface) running.
lockdownStrict: Indicates that lockdown mode is enabled with service DCUI stopped.

If the host is in "strict" lockdown mode then no one will be able to exit lockdown mode through DCUI in emergency situations, i.e. when the connection to vCenter server is permanently lost.

Possible values are : lockdownDisabled, lockdownNormal, lockdownStrict,

Authentication

This operation uses the following authentication methods.

Session

Responses

204

No Content

Operation doesn't return any data structure

500

AuthMinimumAdminPermission: if the user invoking the operation is not in the exceptions list - see QueryLockdownExceptions.

NoPermission: if the current session does not have enough permissions to perform the operation.

Returns AuthMinimumAdminPermission of type(s) application/json

This response body class contains all of the following: VimFault

{
    "_typeName": "string",
    "faultCause": "MethodFault Object",
    "faultMessage": [
        {
            "_typeName": "string",
            "key": "string",
            "arg": [
                {
                    "_typeName": "string",
                    "key": "string",
                    "value": {
                        "_typeName": "string"
                    }
                }
            ],
            "message": "string"
        }
    ]
}

On This Page

Description

Request

Path Parameters

Request Body

Authentication

Response

204 Response Body

Errors

Host Access Manager Operations

POST

Host Access Manager Change Access Mode