Host Access Manager Change Lockdown Mode

Changes the lockdown state of the ESXi host.

This operation will do nothing if the host is already in the desired lockdown state.

When the host is in lockdown mode it can be managed only through vCenter and through DCUI (Direct Console User Interface) if the DCUI service is running. This is achieved by removing all permissions on the host, except those of the exception users defined with UpdateLockdownExceptions.

In addition, the permissions for users 'dcui' and 'vpxuser' are always preserved.

When lockdown mode is disabled, the system will try to restore all permissions that were removed when lockdown mode was enabled. Some permissions may not be restored, and this is not an error; for example, a user or managed object may have been deleted in the meantime.

After exiting lockdown mode, the only permissions on the host may be those of users 'dcui' and 'vpxuser'. This will render the host unmanageable if it is not already managed by vCenter, or if the connection to vCenter is lost. To prevent this, the users in the "DCUI.Access" list will be assigned Admin roles.

While the host is in lockdown mode, some operations will fail with SecurityError. This ensures that the conditions for lockdown mode cannot be changed. For example, the access mode can be changed only for users in the exceptions list.

When the host is in lockdown mode, changing the running state of service DCUI through HostServiceSystem will also fail with SecurityError, accompanied by an appropriate localizable message.

Required privileges: Host.Config.Settings

Request
URI
POST
https://{api_host}/sdk/vim25/{release}/HostAccessManager/{moId}/ChangeLockdownMode
Path Parameters
moId (string, Required)

The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case HostAccessManager/{moId}.

release (string, Required)

The vSphere release schema. The current specification covers vSphere 9.0.0.0 APIs.


Request Body
ChangeLockdownModeRequestType of type(s) application/json
Required
"ChangeLockdownModeRequestType Object"
mode
Required

The new desired lockdown mode.

If this is the same as the current lockdown mode state, the operation will silently succeed and nothing will be changed.

If this is lockdownDisabled then lockdown mode will be disabled and the system will start service DCUI if it is not running.

If this is lockdownNormal then lockdown mode will be enabled and the system will start service DCUI if it is not running.

If this is lockdownStrict then lockdown mode will be enabled and the system will stop service DCUI if it is running.

Authentication
This operation uses the following authentication methods.
Responses
204

No Content

Operation doesn't return any data structure

500

AuthMinimumAdminPermission: if the user invoking the operation is not in the exceptions list - see QueryLockdownExceptions.

NoPermission: if the current session does not have enough permissions to perform the operation.

Returns AuthMinimumAdminPermission of type(s) application/json
"AuthMinimumAdminPermission Object"

Code Samples
curl -X POST -H 'Authorization: <value>' -H 'Content-Type: application/json' -d '{"mode": "lockdownNormal"}' 'https://{api_host}/sdk/vim25/{release}/HostAccessManager/{moId}/ChangeLockdownMode'
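
The request and its documented responses as an added Python example (not VMware's own code): it validates the mode against the three values listed above, builds the POST, and maps 204 and 500 to an outcome. The Authorization header name is taken from the curl sample; the function names and the assumption that the fault name appears as text in the 500 body are hypothetical.

```python
import json
import urllib.error
import urllib.request

# Mode values and their DCUI side effect, exactly as the reference lists them.
DCUI_EFFECT = {
    "lockdownDisabled": "started if not running",
    "lockdownNormal": "started if not running",
    "lockdownStrict": "stopped if running",
}


def build_request(api_host, release, mo_id, mode, auth_value):
    """Return an unsent urllib Request for ChangeLockdownMode."""
    if mode not in DCUI_EFFECT:
        # Reject typos locally instead of sending an invalid body to the host.
        raise ValueError(f"unknown lockdown mode: {mode!r}")
    url = (f"https://{api_host}/sdk/vim25/{release}"
           f"/HostAccessManager/{mo_id}/ChangeLockdownMode")
    body = json.dumps({"mode": mode}).encode()
    headers = {"Authorization": auth_value,  # header name from the curl sample
               "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


def interpret(status, body_text=""):
    """Map the documented responses to a short outcome string."""
    if status == 204:
        return "ok"  # also returned when the host was already in that mode
    if status == 500:
        # Assumption: the fault type name occurs somewhere in the JSON body.
        for fault in ("AuthMinimumAdminPermission", "NoPermission"):
            if fault in body_text:
                return fault
        return "fault"
    return f"unexpected:{status}"


def send(req, timeout=30):
    """Send the request and return the interpreted outcome."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status)
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read().decode(errors="replace"))
```

A result of "ok" does not show whether the state changed, because the operation succeeds silently when the host is already in the requested mode.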