Objects for Authentication and Authorization Management
VMware vSphere includes the following interfaces for authenticating users and protecting virtual infrastructure components from unauthorized access:
- HostLocalAccountManager is used to create and manage user accounts on ESXi systems. Authenticated users can view objects or invoke operations on the server depending on the permissions associated with their account. See Managing ESXi Users with HostLocalAccountManager.
- AuthorizationManager protects vSphere components from unauthorized access. Access to components is role-based: users are assigned roles that encompass the privileges needed to view and perform operations on vSphere objects. AuthorizationManager has operations for creating new roles, modifying roles, setting permissions on entities, and handling the relationship between managed objects and permissions.
- UserDirectory provides a look-up mechanism that returns user-account information to AuthorizationManager or to another requestor, such as a client application. See Obtaining User and Group Information from UserDirectory.
- SessionManager provides an interface to the authentication infrastructure on the target server system (see Authenticating Users Through SessionManager).
  - For vCenter Server systems, SessionManager supports single sign-on based on SSO tokens obtained from a VMware SSO Server. See Establishing a Single Sign-On Session with a vCenter Server.
  - For ESXi systems, SessionManager supports authenticating user accounts as defined on the host system, such as accounts created using vSphere Client or accounts created programmatically through the HostLocalAccountManager API.
- Even if a user is authorized to perform operations on a vSphere object, the operation fails if the licenses for the host or the feature have not been assigned. You use LicenseManager and LicenseAssignmentManager to manage the licenses. See Managing Licenses with LicenseManager.
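The role-based model that AuthorizationManager manages (roles bundling privileges, permissions binding a principal and a role to an inventory entity, optional propagation down the inventory tree) and the license gate described in the last item, as an added example that is not VMware's code and not part of the original page. It is a stand-alone Python model: the inventory tree, role ids, permissions, host license state and feature keys are constructed; the precedence rules are an assumption modelled after vSphere's documented behaviour; the privilege ids and the fault names NoPermission and NotEnoughLicenses are the real vSphere ones. Against a live server the equivalent question is answered by AuthorizationManager.HasPrivilegeOnEntity, which returns the server's own verdict rather than this model's.

```python
"""Model of vSphere-style role-based authorization followed by the license gate.

Added example, not VMware code: the inventory, roles, permissions and license
assignments below are constructed, and nothing here talks to a vCenter Server
or ESXi host.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set


@dataclass(frozen=True)
class AuthorizationRole:
    """Mirrors the API's AuthorizationRole: id, name and granted privilege ids."""
    role_id: int
    name: str
    privileges: frozenset


@dataclass(frozen=True)
class Permission:
    """Mirrors the API's Permission data object."""
    entity: str      # managed object the permission is set on
    principal: str   # user or group name
    group: bool      # True when principal names a group
    role_id: int
    propagate: bool  # True: also applies to every descendant of entity


# Constructed inventory: child -> parent; the root has no parent.
INVENTORY_PARENT: Dict[str, Optional[str]] = {
    "root-folder": None,
    "Datacenter": "root-folder",
    "Cluster-A": "Datacenter",
    "vm-web01": "Cluster-A",
    "vm-db01": "Cluster-A",
}

# Constructed roles (ids invented; privilege ids are real vSphere privilege names).
_BASE = {"System.Anonymous", "System.View", "System.Read"}
ROLES: Dict[int, AuthorizationRole] = {
    1001: AuthorizationRole(1001, "VM power operator", frozenset(
        _BASE | {"VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff"})),
    1002: AuthorizationRole(1002, "Read-only", frozenset(_BASE)),
    1003: AuthorizationRole(1003, "VM migrator", frozenset(_BASE | {"Resource.HotMigrate"})),
}

# Constructed permissions, as AuthorizationManager would store them per entity.
PERMISSIONS: List[Permission] = [
    Permission("Datacenter", "vm-operators", True, 1001, True),   # group, propagates
    Permission("vm-db01", "alice", False, 1002, False),           # direct, one VM only
    Permission("Cluster-A", "bob", False, 1003, True),
]

# Constructed license state: VM -> host, and the features licensed on each host.
VM_HOST = {"vm-web01": "esx-01", "vm-db01": "esx-01"}
HOST_FEATURES: Dict[str, Set[str]] = {"esx-01": {"base"}}   # no "vmotion" assigned

# Operation -> (required privilege id [real], required feature key [constructed]).
OPERATIONS = {
    "PowerOnVM_Task": ("VirtualMachine.Interact.PowerOn", "base"),
    "MigrateVM_Task": ("Resource.HotMigrate", "vmotion"),
}


def _ancestry(entity: str) -> Iterator[str]:
    """Yield entity, then its parent, grandparent, ... up to the root."""
    node: Optional[str] = entity
    while node is not None:
        yield node
        node = INVENTORY_PARENT[node]


def effective_privileges(user: str, groups: Set[str], entity: str) -> Set[str]:
    """Privileges `user` (member of `groups`) holds on `entity`.

    Modelled precedence (assumption, after vSphere's documented behaviour): the
    permission nearest to the entity wins over one inherited from an ancestor;
    ancestor permissions count only when propagate is True; at the nearest
    matching entity a permission naming the user directly overrides group
    permissions, otherwise the roles of all matching groups are unioned.
    """
    for depth, node in enumerate(_ancestry(entity)):
        direct: Optional[Permission] = None
        via_groups: List[Permission] = []
        for perm in PERMISSIONS:
            if perm.entity != node or (depth > 0 and not perm.propagate):
                continue
            if not perm.group and perm.principal == user:
                direct = perm
            elif perm.group and perm.principal in groups:
                via_groups.append(perm)
        if direct is not None:
            return set(ROLES[direct.role_id].privileges)
        if via_groups:
            return set().union(*(ROLES[p.role_id].privileges for p in via_groups))
    return set()   # no permission reaches the entity: no access at all


def check_operation(operation: str, user: str, groups: Set[str], entity: str) -> str:
    """Outcome of invoking `operation` on `entity` as `user`: "Allowed" or the
    fault the server raises, "NoPermission" when the privilege is missing and
    "NotEnoughLicenses" when the user is authorized but the feature is not
    licensed on the host (the case described in the text above)."""
    privilege, feature = OPERATIONS[operation]
    if privilege not in effective_privileges(user, groups, entity):
        return "NoPermission"
    if feature not in HOST_FEATURES.get(VM_HOST.get(entity, ""), set()):
        return "NotEnoughLicenses"
    return "Allowed"


if __name__ == "__main__":
    print(check_operation("PowerOnVM_Task", "alice", {"vm-operators"}, "vm-web01"))  # Allowed
    print(check_operation("PowerOnVM_Task", "alice", {"vm-operators"}, "vm-db01"))   # NoPermission
    print(check_operation("MigrateVM_Task", "bob", set(), "vm-web01"))              # NotEnoughLicenses
    print(check_operation("PowerOnVM_Task", "carol", set(), "vm-web01"))            # NoPermission
```

The four calls at the bottom walk through the cases the list above implies: a group permission propagated from the datacenter grants alice power operations on vm-web01; a direct read-only permission on vm-db01 overrides that group permission for the same user on that one VM; bob holds the migration privilege through a propagated cluster permission but the operation still fails because the host has no vMotion feature license; and carol, who has no permission anywhere in the tree, gets NoPermission. The privilege check runs before the license check, matching the order the text describes.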