Host Access Manager Change Access Mode
Update the access mode for a user or group.
If the host is in lockdown mode, this operation is allowed only on users in the exceptions list (see QueryLockdownExceptions); trying to change the access mode of other users or groups will fail with SecurityError.
Required privileges: Global.Settings
The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case HostAccessManager/{moId}.
The vSphere release schema. The current specification covers vSphere 8.0.3.0 APIs.
{
  "principal": "string",
  "isGroup": false,
  "accessMode": "string"
}
The affected user or group.
True if principal refers to a group account, false otherwise.
Defines different access modes that a user may have on the host for direct host connections.
The assumption here is that when the host is managed by vCenter, we don't need fine-grained control on local user permissions like the interface provided by AuthorizationManager.
Possible values:
accessNone: Indicates that the user has no explicitly defined permissions or roles. This is used when we want to remove all permissions for some user. Note that this is not the same as accessNoAccess.
accessAdmin: Describes a propagating Admin role on the root inventory object (root folder) on the host, and no other non-Admin role on any other object. The same permissions are needed to log in to the local or remote shell (ESXiShell or SSH).
accessNoAccess: Describes a propagating NoAccess role on the root inventory object (root folder) on the host, and no other roles. Even if the user has another (redundant) NoAccess role on some other inventory object, the access mode for this user will be classified as accessOther. This mode may be used to restrict a specific user account without restricting the access mode for the group to which the user belongs.
accessReadOnly: Describes a propagating ReadOnly role on the root inventory object (root folder) on the host, and no other roles. Even if the user has another (redundant) ReadOnly role on some other inventory object, the access mode for this user will be accessOther.
accessOther: Describes a combination of one or more roles/permissions which are none of the above.
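The classification rules above can be applied offline when auditing which accounts hold direct host access. The following is an added example, not VMware code: it is one reading of the definitions on this page, and the tuple layout, the ROOT placeholder, and all account and object names are assumptions made for illustration.

```python
from collections import defaultdict

ROOT = "ROOT-FOLDER"  # placeholder for the host's root inventory object (assumption)
# Root-level role -> access mode, using the role names from the definitions above.
ROOT_ROLE_MODE = {"Admin": "accessAdmin", "NoAccess": "accessNoAccess",
                  "ReadOnly": "accessReadOnly"}

def classify(perms):
    """Classify ONE principal from its (entity, role, propagate) tuples."""
    if not perms:
        return "accessNone"              # no explicitly defined permissions
    root = [p for p in perms if p[0] == ROOT]
    other_roles = [role for entity, role, _ in perms if entity != ROOT]
    # Exactly one root permission, and it must propagate.
    if len(root) != 1 or not root[0][2]:
        return "accessOther"
    root_role = root[0][1]
    mode = ROOT_ROLE_MODE.get(root_role)
    if mode is None:
        return "accessOther"             # some other role on the root folder
    if root_role == "Admin":
        # Only *non-Admin* roles elsewhere disqualify accessAdmin.
        return mode if all(r == "Admin" for r in other_roles) else "accessOther"
    # NoAccess / ReadOnly tolerate no other role, not even a redundant one.
    return mode if not other_roles else "accessOther"

def audit(principals, permissions):
    """Map every known principal to an access mode.
    permissions: (principal, entity, role, propagate) tuples."""
    grouped = defaultdict(list)
    for principal, entity, role, propagate in permissions:
        grouped[principal].append((entity, role, propagate))
    return {p: classify(grouped.get(p, [])) for p in principals}

# Constructed sample data; account and object names are invented.
SAMPLE_PRINCIPALS = ["root", "ops-admins", "auditor", "auditor2",
                     "contractor", "svc-backup", "guest"]
SAMPLE_PERMISSIONS = [
    ("root", ROOT, "Admin", True),
    ("ops-admins", ROOT, "Admin", True), ("ops-admins", "vm-12", "Admin", True),
    ("auditor", ROOT, "ReadOnly", True),
    ("auditor2", ROOT, "ReadOnly", True), ("auditor2", "vm-12", "ReadOnly", False),
    ("contractor", ROOT, "NoAccess", True),
    ("svc-backup", ROOT, "Admin", False),   # root role does not propagate
]

if __name__ == "__main__":
    for name, mode in audit(SAMPLE_PRINCIPALS, SAMPLE_PERMISSIONS).items():
        print(f"{name:12} {mode}")
```

Principals that come back as accessAdmin are the ones that, per the definition above, can also log in to the local or remote shell, so that subset is the one to compare against the expected administrator list.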
No Content
AuthMinimumAdminPermission: if this change would render the ESXi host inaccessible for local non-system users. The API ChangeLockdownMode may be used instead.
InvalidArgument: if accessMode is not valid.
SecurityError: if the host is in lockdown mode and 'principal' is not in the exceptions list.
UserNotFound: if the specified user is not found.
{
  "_typeName": "string",
  "faultCause": "MethodFault Object",
  "faultMessage": [
    {
      "_typeName": "string",
      "key": "string",
      "arg": [
        {
          "_typeName": "string",
          "key": "string",
          "value": {
            "_typeName": "string"
          }
        }
      ],
      "message": "string"
    }
  ]
}