Host Access Manager Change Lockdown Mode


Changes the lockdown state of the ESXi host.

This operation will do nothing if the host is already in the desired lockdown state.

When the host is in lockdown mode, it can be managed only through vCenter and, if the DCUI service is running, through DCUI (Direct Console User Interface). This is achieved by removing all permissions on the host, except those of the exception users defined with UpdateLockdownExceptions.

In addition, the permissions for users 'dcui' and 'vpxuser' are always preserved.

When lockdown mode is disabled, the system will try to restore all permissions that were removed when lockdown mode was enabled. Some permissions may not be restored, for example if a user or managed object was deleted in the meantime; this is not an error.

It may be possible that after exiting lockdown mode the only permissions on the host will be those of users 'dcui' and 'vpxuser'. This will render the host unmanageable if it is not already managed by vCenter, or if the connection to vCenter is lost. To prevent this, the users in the "DCUI.Access" list will be assigned Admin roles.

While the host is in lockdown mode, some operations will fail with SecurityError. This ensures that the conditions for lockdown mode cannot be changed. For example, changing the access mode is allowed only for users in the exceptions list.

When the host is in lockdown mode, changing the running state of service DCUI through HostServiceSystem will also fail with SecurityError, accompanied by an appropriate localizable message.

Required privileges: Host.Config.Settings

Request
URI
POST https://{vcenter-host}/sdk/vim25/{release}/HostAccessManager/{moId}/ChangeLockdownMode
Path Parameters
moId (string, Required)

The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case HostAccessManager/{moId}.

release (string, Required)

The vSphere release schema. The current specification covers vSphere 8.0.2.0 APIs.


Request Body
ChangeLockdownModeRequestType of type(s) application/json
Required
{
    "mode": "string"
}
mode
Required

Defines the possible states of lockdown mode.

Possible values:

  • lockdownDisabled: Indicates that lockdown mode is disabled.

  • lockdownNormal: Indicates that lockdown mode is enabled with service DCUI (Direct Console User Interface) running.

  • lockdownStrict: Indicates that lockdown mode is enabled with service DCUI stopped.

    If the host is in "strict" lockdown mode then no one will be able to exit lockdown mode through DCUI in emergency situations, i.e. when the connection to vCenter server is permanently lost.

Possible values are: lockdownDisabled, lockdownNormal, lockdownStrict.
Authentication
This operation uses the following authentication methods.
Responses
204

No Content

Operation doesn't return any data structure

500

AuthMinimumAdminPermission: if the user invoking the operation is not in the exceptions list - see QueryLockdownExceptions.

NoPermission: if the current session does not have enough permissions to perform the operation.

Returns AuthMinimumAdminPermission of type(s) application/json
This response body class contains all of the following: VimFault
{
    "_typeName": "string",
    "faultCause": "MethodFault Object",
    "faultMessage": [
        {
            "_typeName": "string",
            "key": "string",
            "arg": [
                {
                    "_typeName": "string",
                    "key": "string",
                    "value": {
                        "_typeName": "string"
                    }
                }
            ],
            "message": "string"
        }
    ]
}
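
Added example, not part of the original reference or VMware's own code: a Python sketch that builds the ChangeLockdownMode request described above, refuses lockdownStrict without an explicit opt-in, and maps the 204 and 500 responses to a result. The session header name, the host name, the moId placeholder and the sample fault body are assumptions or constructed values.

```python
import json
import urllib.request

# Mode names, release and URL layout come from the page; the rest is assumed.
VALID_MODES = ("lockdownDisabled", "lockdownNormal", "lockdownStrict")
RELEASE = "8.0.2.0"
SESSION_HEADER = "vmware-api-session-id"  # assumption: not stated on this page


def build_request(vcenter_host, mo_id, mode, session_id, allow_strict=False):
    """Return an unsent urllib Request for ChangeLockdownMode."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    # Strict mode stops DCUI, so there is no console path out of lockdown
    # if vCenter is permanently lost; require an explicit opt-in.
    if mode == "lockdownStrict" and not allow_strict:
        raise ValueError("lockdownStrict requires allow_strict=True")
    url = (f"https://{vcenter_host}/sdk/vim25/{RELEASE}"
           f"/HostAccessManager/{mo_id}/ChangeLockdownMode")
    body = json.dumps({"mode": mode}).encode()
    headers = {"Content-Type": "application/json", SESSION_HEADER: session_id}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def interpret_response(status, body_text):
    """Map a response to (ok, fault_type, messages)."""
    if status == 204:
        return True, None, []
    try:
        fault = json.loads(body_text or "{}")
    except json.JSONDecodeError:
        fault = {}
    if not isinstance(fault, dict):
        fault = {}
    messages = [m.get("message", "") for m in fault.get("faultMessage") or []]
    return False, fault.get("_typeName", f"HTTP {status}"), messages


# Constructed sample fault body, shaped like the schema on this page.
SAMPLE_FAULT = json.dumps({
    "_typeName": "AuthMinimumAdminPermission",
    "faultMessage": [{"_typeName": "LocalizableMessage", "key": "sample.key",
                      "message": "constructed sample message"}],
})

if __name__ == "__main__":
    req = build_request("vcenter.example.com", "MOID-PLACEHOLDER", "lockdownNormal", "SID")
    print(req.get_method(), req.full_url, req.data.decode())
    print(interpret_response(500, SAMPLE_FAULT))
```

Send the returned request with urllib.request.urlopen (or an equivalent client) and pass the status code and body to interpret_response.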