Objects for Authentication and Authorization Management

VMware vSphere includes the following interfaces for authenticating users and protecting virtual infrastructure components from unauthorized access:
  • HostLocalAccountManager is used to create and manage user accounts on ESXi systems. Authenticated users can view objects or invoke operations on the server depending on the permissions associated with their account. See Managing ESXi Users with HostLocalAccountManager.
  • AuthorizationManager protects vSphere components from unauthorized access. Access to components is role-based: users are assigned roles that encompass the privileges needed to view and perform operations on vSphere objects. AuthorizationManager has operations for creating new roles, modifying roles, setting permissions on entities, and handling the relationship between managed objects and permissions.
  • UserDirectory provides a look-up mechanism that returns user-account information to AuthorizationManager or to another requestor, such as a client application. See Obtaining User and Group Information from UserDirectory.
  • SessionManager provides an interface to the authentication infrastructure on the target server system (see Authenticating Users Through SessionManager).
    • For vCenter Server systems, SessionManager supports single sign-on based on SSO tokens obtained from a VMware SSO Server. See Establishing a Single Sign-On Session with a vCenter Server.
    • For ESXi systems, SessionManager supports authenticating user accounts as defined on the host system, such as accounts created using vSphere Client or accounts created programmatically through the HostLocalAccountManager API.
  • Even if a user is authorized to perform operations on a vSphere object, the operation fails if the licenses for the host or the feature have not been assigned. You use LicenseManager and LicenseAssignmentManager to manage the licenses. See Managing Licenses with LicenseManager.
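
The role-based model described above can be reviewed by joining each permission to its role and flagging roles that carry privileges over accounts, roles, permissions, or licenses. The following is an added example, not code from the vSphere SDK documentation: it reads only the roleList property and the RetrieveAllPermissions operation of AuthorizationManager, and it runs here against a constructed stand-in object (principals, entities, and the two custom roles are made up) so that it works offline.

```python
from types import SimpleNamespace

# Privilege IDs that let a principal change accounts, roles, permissions or licenses.
SENSITIVE = frozenset({
    "Authorization.ModifyPermissions",
    "Authorization.ModifyRoles",
    "Host.Local.ManageUserGroups",
    "Global.Licenses",
})

def audit_permissions(authz, sensitive=SENSITIVE):
    """List permissions whose role carries a sensitive privilege.

    authz needs roleList and RetrieveAllPermissions(), as on AuthorizationManager.
    """
    roles = {r.roleId: r for r in authz.roleList}
    findings = []
    for perm in authz.RetrieveAllPermissions():
        role = roles.get(perm.roleId)
        # A permission pointing at a role we cannot resolve is reported, not skipped.
        hits = sorted(sensitive & set(role.privilege or [])) if role else ["<unresolved role>"]
        if hits:
            findings.append({
                "principal": perm.principal,
                "is_group": bool(perm.group),
                "entity": str(perm.entity),
                "propagate": bool(perm.propagate),
                "role": role.name if role else None,
                "privileges": hits,
            })
    return findings

def constructed_sample():
    """Constructed stand-in for an AuthorizationManager; all values are made up."""
    ns = SimpleNamespace
    roles = [
        ns(roleId=-1, name="Admin", privilege=["Authorization.ModifyPermissions",
                                               "Authorization.ModifyRoles", "Global.Licenses"]),
        ns(roleId=101, name="VMOperator", privilege=["VirtualMachine.Interact.PowerOn"]),
        ns(roleId=102, name="LicenseDesk", privilege=["Global.Licenses"]),
    ]
    perms = [
        ns(principal="root", group=False, entity="group-d1", roleId=-1, propagate=True),
        ns(principal="EXAMPLE\\vm-ops", group=True, entity="datacenter-2", roleId=101, propagate=True),
        ns(principal="EXAMPLE\\helpdesk", group=True, entity="datacenter-2", roleId=102, propagate=False),
        ns(principal="EXAMPLE\\old-svc", group=False, entity="host-9", roleId=999, propagate=True),
    ]
    return ns(roleList=roles, RetrieveAllPermissions=lambda: perms)

if __name__ == "__main__":
    for finding in audit_permissions(constructed_sample()):
        print(finding)
```

Against a live server, the same function can be passed the AuthorizationManager object obtained from the service content after logging in through SessionManager.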