Performing Privilege Checks Operations

The privilege checks recorder is a feature that lets you monitor, and subsequently query, the privileges that vCenter Server checked while operations ran. You can use the recordings to write scripts that automatically create roles with the minimum privileges required to run a specific workflow of operations. Without the recorder, finding that minimal set of privileges is hard. The PrivilegeChecks service provides operations for retrieving a list of the latest privilege checks along with the corresponding sessions, users, managed objects, and operation IDs (opIDs).
The following table lists the available privilege checks operations.

Operation                    Description
List privilege checks        Returns a list of privilege checks that match the criteria you specify.
Get latest privilege check   Returns a marker to the last recorded privilege check. With the marker, you can retrieve all privilege checks up to or after a specified moment in time.
Because the number of recorded privilege checks can be large, a list request returns its results in pages. You set the page size for a request with the AuthorizationPrivilegeChecksIterationSpec data structure; the config.vpxd.privCheck.pageSize advanced setting supplies the default page size for requests that do not set one.

Filtering Privilege Checks

When you retrieve lists of privilege checks, you can refine your search by using the AuthorizationPrivilegeChecksFilterSpec data structure. The following table lists the available filtering options.

Filtering Option   Description
Objects            IDs of the managed objects on which the privilege check was performed. If unset, all objects match.
OpIDs              OpIDs of the requests for which the check was performed. If unset, all opIDs match.
Principals         Principals for which the privilege check was performed. A PrivilegeChecks.Principal entry whose value is unset matches privilege checks made for anonymous sessions. If the option itself is unset, all principals match.
Privileges         Privileges that were checked. If unset, all privileges match.
Sessions           Sessions for which the check was performed. If unset, all sessions match.

Using Advanced Settings

You configure advanced settings by using the vSphere Client. Some of the advanced settings are not available through the API, but the privilege checks recorder does not function properly until they are set. For information about configuring advanced settings, see vCenter Server Configuration.

Advanced Setting Name                  Description
config.vpxd.privCheck.pageSize         Specifies the default page size for privilege checks lists.
config.vpxd.privCheck.bufferSize       Specifies the number of recorded privilege checks kept in memory. The default value is 0, and with the default the privilege checks recorder does not record any data, so set a positive value before you start recording.
config.vpxd.privCheck.cleanupInterval  Specifies the interval at which privilege checks for unused sessions are cleaned up. The default value is 30 minutes.
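The workflow this page describes (take the latest marker, run the operations, then list the checks recorded after the marker for that session and collect the privileges they needed) as an added example; this is not VMware's own code or SDK. It models the AuthorizationPrivilegeChecksFilterSpec and AuthorizationPrivilegeChecksIterationSpec fields in plain Python, pages through results by following markers, and also shows the bufferSize caveat above: a recorder with a buffer size of 0 records nothing. The in-memory Recorder, its sequence-number marker, and every session ID, opID, principal and privilege name in the sample are assumptions constructed for the example.

```python
"""Minimal role privileges from recorded privilege checks (added example, not
VMware's code or SDK). Models the page's AuthorizationPrivilegeChecksFilterSpec
and IterationSpec fields in plain Python against constructed records, so it runs
offline. The in-memory Recorder, its marker format (a sequence number) and the
sample sessions, opIDs, principals and privileges are assumptions.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PrivilegeCheck:
    session: str
    principal: Optional[str]  # None: the check ran for an anonymous session
    object_id: str            # managed object the check was performed on
    op_id: str                # opID of the request
    privilege: str            # privilege that was checked


@dataclass
class FilterSpec:
    objects: Optional[Set[str]] = None      # unset (None) field: everything matches
    op_ids: Optional[Set[str]] = None
    principals: Optional[Set[Optional[str]]] = None  # a None entry matches anonymous
    privileges: Optional[Set[str]] = None
    sessions: Optional[Set[str]] = None


@dataclass
class IterationSpec:
    size: int = 100               # page size; the pageSize setting supplies the default
    marker: Optional[str] = None  # None: start from the oldest recorded check


def matches(c: PrivilegeCheck, f: FilterSpec) -> bool:
    return ((f.objects is None or c.object_id in f.objects)
            and (f.op_ids is None or c.op_id in f.op_ids)
            and (f.principals is None or c.principal in f.principals)
            and (f.privileges is None or c.privilege in f.privileges)
            and (f.sessions is None or c.session in f.sessions))


class Recorder:
    """In-memory stand-in for the recorder buffer (assumption, not vpxd)."""
    def __init__(self, buffer_size: int) -> None:
        self.buffer_size = buffer_size  # models config.vpxd.privCheck.bufferSize
        self._next_seq = 0
        self._checks: List[Tuple[int, PrivilegeCheck]] = []  # (seq, check), oldest first

    def record(self, c: PrivilegeCheck) -> None:
        if self.buffer_size == 0:  # the default value: nothing is recorded
            return
        self._checks.append((self._next_seq, c))
        self._next_seq += 1
        del self._checks[:-self.buffer_size]  # keep only the newest entries

    def latest(self) -> str:
        """'Get latest privilege check': marker just past the newest record."""
        return str(self._next_seq)

    def list(self, f: FilterSpec, it: IterationSpec) -> Tuple[List[PrivilegeCheck], Optional[str]]:
        """'List privilege checks': one page of matches from the marker on, plus the next marker."""
        start = int(it.marker) if it.marker is not None else 0
        page: List[PrivilegeCheck] = []
        for seq, c in self._checks:
            if seq < start:
                continue
            if len(page) == it.size:
                return page, str(seq)  # resume at the first check not yet returned
            if matches(c, f):
                page.append(c)
        return page, None  # None: no further page


def iterate(rec: Recorder, f: FilterSpec, size: int = 100, marker: Optional[str] = None) -> Iterator[PrivilegeCheck]:
    """Follow result markers until the recorder reports no further page."""
    while True:
        page, marker = rec.list(f, IterationSpec(size=size, marker=marker))
        yield from page
        if marker is None:
            return


def minimal_privileges(rec: Recorder, session: str, since: str) -> List[str]:
    """Sorted privileges a role needs for the workflow run in `session` after marker `since`."""
    return sorted({c.privilege for c in iterate(rec, FilterSpec(sessions={session}), 2, since)})


def build_sample() -> Tuple[Recorder, str]:
    """Constructed recording: unrelated checks, then a VM power-on workflow in session s-42."""
    admin, operator = "vsphere.local\\Administrator", "vsphere.local\\vm-operator"
    rec = Recorder(buffer_size=100)
    rec.record(PrivilegeCheck("s-7", admin, "vm-101", "op-1", "VirtualMachine.Config.AddNewDisk"))
    rec.record(PrivilegeCheck("s-9", None, "group-d1", "op-2", "System.Anonymous"))
    since = rec.latest()  # take the marker before starting the workflow to be profiled
    rec.record(PrivilegeCheck("s-42", operator, "vm-101", "op-3", "VirtualMachine.Interact.PowerOn"))
    rec.record(PrivilegeCheck("s-42", operator, "datastore-10", "op-3", "Datastore.AllocateSpace"))
    rec.record(PrivilegeCheck("s-42", operator, "vm-101", "op-4", "VirtualMachine.Interact.PowerOn"))
    rec.record(PrivilegeCheck("s-7", admin, "vm-102", "op-5", "VirtualMachine.Interact.PowerOff"))
    rec.record(PrivilegeCheck("s-42", operator, "network-5", "op-4", "Network.Assign"))
    return rec, since
```

Call build_sample() and then minimal_privileges(rec, "s-42", since) to get the three privileges the constructed power-on workflow needed, with checks from other sessions and from before the marker left out; the same filter shape with principals={None} returns only checks made for anonymous sessions. Against a real vCenter Server the two Recorder methods correspond to the list and get-latest operations in the table above, and the page size comes from the IterationSpec or, when unset, from the pageSize setting.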