Performing Privilege Checks
Operations
Privilege checks recorder is a feature which allows you to monitor and subsequently
query the privileges that were checked. You can use the recordings to create scripts that
automatically create roles with minimum required privileges to run specific workflows of
operations.
Currently, it is very hard to find out the minimal set of privileges that are required to
run a specific workflow of operations. The
PrivilegeChecks
service
provides operations
for retrieving a list of the latest
privilege checks along with the corresponding sessions, users, managed objects, and
operation IDs (opIDs
).The following table lists the available
privilege checks operations.
Operation | Description |
|---|---|
List privilege checks | Returns a list of privilege checks that match criteria which you
specified. |
Get latest privilege check | Returns a marker to the last recorded privilege check. This allows
retrieving all privilege checks up to or after a specified moment in
time. |
When you
retrieve a list of privilege checks, the results are returned in pages due to the
possibly large number of privilege checks that can be returned. You can control the page
size either by using the
AuthorizationPrivilegeChecksIterationSpec
data structure, or with the config.vpxd.privCheck.pageSize
advanced
setting.Filtering Privilege
Checks
When you retrieve lists of privilege
checks, you can refine your search by using the
AuthorizationPrivilegeChecksFilterSpec
data structure
. The following table lists the
available filtering options.Filtering Option | Description |
|---|---|
Objects
| IDs of the managed objects on which the privilege check was performed.
If unset , all objects
match. |
OpIDs
| OpIDs of the requests for which the check was
performed. If unset , all
opIDs match. |
Principals
| Principals for which the privilege check was performed. The unset PrivilegeChecks.Principal value matches
privilege checks for anonymous sessions. If unset , all principals
match. |
Privileges
| Privileges that were checked. If unset , all
privileges match. |
Sessions
| Sessions for which the check
was performed. If unset , all sessions
match. |
Using Advanced Settings
You can configure advanced settings by
using the
vSphere Client
. Some of
the advanced settings are not available in the API, but are required for the
privilege checks recorder to function properly. For information about configuring
advanced settings, see vCenter
Server Configuration
.Advanced Setting Name | Description |
|---|---|
config.vpxd.privCheck.pageSize
| Specifies the default page size for privilege checks lists. |
config.vpxd.privCheck.bufferSize
| Specifies the count of privileges to be kept in memory. The default
value is 0. If you do not change the default value, the privilege checks
recorder does not record any data. |
config.vpxd.privCheck.cleanupInterval
| Specifies the interval on which privilege checks for unused sessions
are cleaned up. The default value is 30 minutes. |