Vcenter Authorization Permissions APIs
The Vcenter Authorization Permissions resource provides operations to create, update, delete and retrieve authorization permissions in the vCenter Server.
The authorization permissions are the actual access-control rules. There are currently two kinds of permissions: global permissions and inventory permissions. More kinds could be supported in the future.
An inventory permission is defined on a resource which is part of vCenter's inventory and specifies the user or group to which the rule applies. The role specifies the privileges to apply, and the propagate flag specifies whether or not the rule applies to the sub-resources of the inventory.
A resource may have multiple permissions, but can have only one permission per user or group. If, when logging in, a user has both a user permission and a group permission (as a group member) for the same resource, then the user-specific permission takes precedence. If there is no user-specific permission, but two or more group permissions are present, and the user is a member of the groups, then the privileges are the union of the specified roles.
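The precedence rule above, worked through for a single resource as an added example. This is not VMware's code or the API's data model: the Permission class, the role table and the sample users, groups and privileges are constructed for illustration. It shows that a user-specific permission replaces the group-derived privileges rather than adding to them, which matters when reviewing who can actually do what.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    principal: str   # user or group name (constructed)
    is_group: bool
    role: str        # key into the role table below


def check_unique_principals(permissions):
    """A resource can hold only one permission per user or group."""
    seen = set()
    for p in permissions:
        key = (p.principal, p.is_group)
        if key in seen:
            raise ValueError(f"duplicate permission for {p.principal!r}")
        seen.add(key)


def effective_privileges(permissions, roles, user, user_groups):
    """Return (privileges, source) for `user` on one resource."""
    check_unique_principals(permissions)
    # 1. A user-specific permission takes precedence over group permissions.
    for p in permissions:
        if not p.is_group and p.principal == user:
            return frozenset(roles[p.role]), f"user:{user}"
    # 2. Otherwise the privileges are the union of the matching groups' roles.
    matched = [p for p in permissions
               if p.is_group and p.principal in user_groups]
    if not matched:
        return frozenset(), "none"
    privs = frozenset().union(*(roles[p.role] for p in matched))
    return privs, "groups:" + ",".join(sorted(p.principal for p in matched))


# Constructed sample data: role -> privileges, and one resource's permissions.
ROLES = {
    "read-only": {"System.Read"},
    "vm-operator": {"System.Read", "VirtualMachine.Interact.PowerOn"},
    "vm-config": {"System.Read", "VirtualMachine.Config.AddNewDisk"},
}
VM_PERMISSIONS = [
    Permission("alice", False, "read-only"),
    Permission("vm-ops", True, "vm-operator"),
    Permission("vm-admins", True, "vm-config"),
]
```

With this data, alice is limited to the read-only role even though she belongs to both groups, while a member of both groups with no user-specific permission receives the union of the two group roles.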
Global permissions are assigned without specifying a resource. These permissions, if set as propagated, could be propagated down to all resources, including inventory.
This resource was added in vSphere API 9.0.0.0.