Host Access Manager Change Access Mode

Host Access Manager Change Access Mode

Update the access mode for a user or group.

If the host is in lockdown mode, this operation is allowed only on users in the exceptions list - see QueryLockdownExceptions, and trying to change the access mode of other users or groups will fail with SecurityError.

Required privileges: Global.Settings

Request
URI
POST
https://{vcenter-host}/sdk/vim25/{release}/HostAccessManager/{moId}/ChangeAccessMode
COPY
Path Parameters
string
moId
Required

The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case HostAccessManager/{moId}.

string
release
Required

The vSphere release schema. The current specification covers vSphere 8.0.3.0 APIs.


Request Body
ChangeAccessModeRequestType of type(s) application/json
Required
{
    "principal": "string",
    "isGroup": false,
    "accessMode": "string"
}
string
principal
Required

The affected user or group.

boolean
isGroup
Required

True if principal refers to a group account, false otherwise.

accessMode
Required

Defines different access modes that a user may have on the host for direct host connections.

The assumption here is that when the host is managed by vCenter, we don't need fine-grained control on local user permissions like the interface provided by AuthorizationManager.

Possible values:

  • accessNone: Indicates that the user has no explicitly defined permissions or roles.

    This is used when we want to remove all permissions for some user.

    Note that this is not the same as accessNoAccess.

  • accessAdmin: Describes a propagating Admin role on the root inventory object (root folder) on the host, and no other non-Admin role on any other object.

    The same permissions are needed to login to local or remote shell (ESXiShell or SSH).

  • accessNoAccess: Describes a propagating NoAccess role on the root inventory object (root folder) on the host, and no other roles.

    Even if the user has another (redundant) NoAccess role on some other inventory object, then the access mode for this user will be classified as accessOther.

    This mode may be used to restrict a specific user account without restricting the access mode for the group to which the user belongs.

  • accessReadOnly: Describes a propagating ReadOnly role on the root inventory object (root folder) on the host, and no other roles.

    Even if the user has another (redundant) ReadOnly role on some other inventory object, then the access mode for this user will be accessOther.

  • accessOther: Describes a combination of one or more roles/permissions which are none of the above.

Possible values are : accessNone, accessAdmin, accessNoAccess, accessReadOnly, accessOther,
Authentication
This operation uses the following authentication methods.
Responses
204

No Content

Operation doesn't return any data structure

500

AuthMinimumAdminPermission: if this change would render the ESXi host inaccessible for local non-system users. The API ChangeLockdownMode may be used instead.

InvalidArgument: if accessMode is not valid.

SecurityError: if the host is in lockdown mode and 'principal' is not in the exceptions list.

UserNotFound: if the specified user is not found.

Returns VimFault of type(s) application/json
This response body class contains all of the following: MethodFault
{
    "_typeName": "string",
    "faultCause": "MethodFault Object",
    "faultMessage": [
        {
            "_typeName": "string",
            "key": "string",
            "arg": [
                {
                    "_typeName": "string",
                    "key": "string",
                    "value": {
                        "_typeName": "string"
                    }
                }
            ],
            "message": "string"
        }
    ]
}