Host Access Manager Change Lockdown Mode
Changes the lockdown state of the ESXi host.
This operation will do nothing if the host is already in the desired lockdown state.
When the host is in lockdown mode it can be managed only through vCenter and through DCUI (Direct Console User Interface) if the DCUI service is running. This is achieved by removing all permissions on the host, except those of the exception users defined with UpdateLockdownExceptions.
In addition, the permissions for users 'dcui' and 'vpxuser' are always preserved.
When lockdown mode is disabled, the system will try to restore all permissions that were removed when lockdown mode was enabled. Some permissions may not be restored, e.g. if in the meantime some user or managed object was deleted; this is not an error.
It may be possible that after exiting lockdown mode the only permissions on the host will be those of users 'dcui' and 'vpxuser'. This will render the host unmanageable if it is not already managed by vCenter, or if the connection to vCenter is lost. To prevent this, the users in the "DCUI.Access" list will be assigned Admin roles.
While the host is in lockdown mode, some operations will fail with SecurityError. This ensures that the conditions for lockdown mode cannot be changed. For example, the access mode can be changed only for users in the exceptions list.
When the host is in lockdown mode, changing the running state of service DCUI through HostServiceSystem will also fail with SecurityError, accompanied by an appropriate localizable message.
Required privileges: Host.Config.Settings
The unique identifier for the managed object to which the method attaches; the serialized managed object reference for a request has the form moType/moId, in this case HostAccessManager/{moId}.
The vSphere release schema. The current specification covers vSphere 9.0.0.0 APIs.
"ChangeLockdownModeRequestType Object"
The new desired lockdown mode.
If this is the same as the current lockdown mode state, the operation will silently succeed and nothing will be changed.
If this is lockdownDisabled then lockdown mode will be disabled and the system will start service DCUI if it is not running.
If this is lockdownNormal then lockdown mode will be enabled and the system will start service DCUI if it is not running.
If this is lockdownStrict then lockdown mode will be enabled and the system will stop service DCUI if it is running.
No Content
AuthMinimumAdminPermission: if the user invoking the operation is not in the exceptions list - see QueryLockdownExceptions.
NoPermission: if the current session does not have enough permissions to perform the operation.
"AuthMinimumAdminPermission Object"
curl -X POST -H 'Authorization: <value>' -H 'Content-Type: application/json' -d '{"mode": "lockdownNormal"}' https://{api_host}/sdk/vim25/{release}/HostAccessManager/{moId}/ChangeLockdownMode
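The permission handling and the per-mode DCUI service behaviour described above can be traced with a small state model. This is an added example, not VMware code: the class HostModel, the demo users alice and svc-backup, and the role strings are constructed for illustration. It assumes that switching between lockdownNormal and lockdownStrict leaves permissions untouched and that "DCUI.Access" users are assigned Admin on every exit from lockdown.

```python
# Simplified model of the behaviour this page describes; not VMware code.
PRESERVED = {"dcui", "vpxuser"}                  # always kept, per the page
ENABLED = {"lockdownNormal", "lockdownStrict"}
MODES = ENABLED | {"lockdownDisabled"}


class HostModel:                                 # hypothetical name
    def __init__(self, permissions, exceptions=(), dcui_access=()):
        self.permissions = dict(permissions)     # user -> role
        self.exceptions = set(exceptions)        # set via UpdateLockdownExceptions
        self.dcui_access = set(dcui_access)      # the "DCUI.Access" list
        self.existing_users = set(self.permissions) | self.dcui_access
        self.mode = "lockdownDisabled"
        self.dcui_running = True
        self._removed = {}                       # permissions stripped on enable

    def change_lockdown_mode(self, mode):
        if mode not in MODES:
            raise ValueError(f"unknown lockdown mode: {mode}")
        if mode == self.mode:
            return                               # already in the desired state
        if mode in ENABLED and self.mode not in ENABLED:
            keep = PRESERVED | self.exceptions
            self._removed = {u: r for u, r in self.permissions.items() if u not in keep}
            self.permissions = {u: r for u, r in self.permissions.items() if u in keep}
        elif mode == "lockdownDisabled":
            # Best-effort restore: users deleted in the meantime are skipped.
            for user, role in self._removed.items():
                if user in self.existing_users:
                    self.permissions[user] = role
            self._removed = {}
            # Assumption: applied on every exit so the host stays manageable.
            for user in self.dcui_access:
                self.permissions[user] = "Admin"
        # DCUI is started for disabled/normal and stopped for strict.
        self.dcui_running = mode != "lockdownStrict"
        self.mode = mode


def demo():
    # Constructed sample host: one exception user, root in DCUI.Access.
    host = HostModel({"root": "Admin", "alice": "ReadOnly", "svc-backup": "Admin",
                      "dcui": "Admin", "vpxuser": "Admin"},
                     exceptions={"svc-backup"}, dcui_access={"root"})
    host.change_lockdown_mode("lockdownNormal")
    locked = dict(host.permissions)
    host.existing_users.discard("alice")         # user deleted while locked down
    host.change_lockdown_mode("lockdownDisabled")
    return locked, host.permissions
```

Comparing the two dictionaries returned by demo() shows which permissions survive lockdown and which are not restored afterwards, which is the set worth reviewing before and after a mode change.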