Host Access Manager Change Lockdown Mode
Changes the lockdown state of the ESXi host.
This operation will do nothing if the host is already in the desired lockdown state.
When the host is in lockdown mode it can be managed only through vCenter and through DCUI (Direct Console User Interface) if the DCUI service is running. This is achieved by removing all permissions on the host, except those of the exception users defined with UpdateLockdownExceptions.
In addition, the permissions for users 'dcui' and 'vpxuser' are always preserved.
When lockdown mode is disabled, the system will try to restore all permissions that have been removed when lockdown mode was enabled. It is possible that not all permissions may be restored and this is not an error, e.g. if in the meantime some user or managed object was deleted.
It may be possible that after exiting lockdown mode the only permissions on the host will be those of users 'dcui' and 'vpxuser'. This will render the host unmanageable if it is not already managed by vCenter, or if the connection to vCenter is lost. To prevent this, the users in the "DCUI.Access" list will be assigned Admin roles.
While the host is in lockdown mode, some operations will fail with SecurityError. This ensures that the conditions for lockdown mode cannot be changed. For example it is allowed to change the access mode only for users in the exceptions list.
When the host is in lockdown mode, changing the running state of service DCUI through HostServiceSystem will also fail with SecurityError accompanied with an appropriate localizeable message.
Required privileges: Host.Config.Settings
The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId
, in this case HostAccessManager/{moId}
.
The vSphere release schema. The current specification covers vSphere 8.0.3.0 APIs.
{
"mode": "string"
}
Defines the possible states of lockdown mode.
Possible values:
lockdownDisabled
: Indicates that lockdown mode is disabled.lockdownNormal
: Indicates that lockdown mode is enabled with service DCUI (Direct Console User Interface) running.lockdownStrict
: Indicates that lockdown mode is enabled with service DCUI stopped.If the host is in "strict" lockdown mode then no one will be able to exit lockdown mode through DCUI in emergency situations, i.e. when the connection to vCenter server is permanently lost.
No Content
AuthMinimumAdminPermission: if the user invoking the operation is not in the exceptions list - see QueryLockdownExceptions.
NoPermission: if the current session does not have enough permissions to perform the operation.
{
"_typeName": "string",
"faultCause": "MethodFault Object",
"faultMessage": [
{
"_typeName": "string",
"key": "string",
"arg": [
{
"_typeName": "string",
"key": "string",
"value": {
"_typeName": "string"
}
}
],
"message": "string"
}
]
}