
I am using the vim25 library to establish a connection with vCenter and I am able to log in with the following code:

```java
vimport.login(serviceContent.getSessionManager(), username, password, null);
```

Now, I want to check whether this user has admin privileges or not. How can we achieve this in Java with the help of the vSphere Client SDK?

Mayur Bhokase
    Can you elaborate your use case? The question "does a user have admin privileges" is not well-defined. In vSphere, a `role` (e.g. admin) is a collection of `privilege`s (e.g. add host, remove VM, etc.). A `permission` is, loosely speaking, an assignment of a `role` for a particular entity to a given user. An example would be that user `Mayur` is an `admin` for a particular VM folder. So you can check whether a user has the admin role for a particular object, or you can check whether a user has specific privileges for a given object (which they can have even if they're not admin). – YSK May 30 '17 at 07:02
  • See also the [VMware documentation for the AuthorizationManager](https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssdk.apiref.doc/vim.AuthorizationManager.html). – YSK May 30 '17 at 07:02
  • Many thanks YSK, I am new to using the vSphere Client SDK, hence I was searching for a sample example for reference. But your information is very helpful for me. I will try it. Thank you once again. – Mayur Bhokase May 30 '17 at 07:12

2 Answers


The vSphere Client SDK is used to build UI plugins, so I assume you want to filter out a plugin extension based on the user's privilege. This is done via the `<privilege>` metadata tag used on the extension definition in the plugin.xml manifest.

SDK documentation with explanation and example: Filtering Extensions, "Filtering Based on User Privilege Level" section.


There are two aspects to the vSphere permission model:

  • vCenter privileges, which are combined into roles, which are then assigned to users or groups as permissions on particular pieces of the vCenter inventory. Normally each vCenter operation is validated against the actual permissions for the operation that the user has on an object. So what you want in principle is to check whether he has a specific permission instead of whether he's an administrator. The second is more of a secondary concept coming from the built-in Administrator role that has a full set of privileges, but which may not be granted at all to the user on certain parts of the inventory. What I'd suggest is to figure out what the actual permission you care about is and what parts of the inventory you need to check. There are certain APIs (the ones on global singleton Managed Objects such as TaskManager) that simply check what is granted at the rootFolder level.

  • SSO Groups - some of the services check whether the SSO token contains claims about specific group membership. This is usually done by services related to authentication that cannot piggy-back on vCenter permissions. Given your example I assume you're not getting an SSO token and don't care about this model.

tony.ganchev
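The privilege-on-an-object check described in the answer above, as an added example that is not part of the question or either answer: after the same `login` call as in the question, it asks the `AuthorizationManager` whether the current session holds specific privileges on an inventory object (`hasPrivilegeOnEntity`), then lists the permissions set on that object (`retrieveEntityPermissions`). The endpoint URL, credentials, the choice of the root folder as the entity, and the two privilege ids are assumed sample values; the class name `PrivilegeCheck` is mine.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import com.vmware.vim25.*;

/**
 * Added example (not from the question or the answers): checks, for the
 * logged-in vim25 session, whether the user holds specific privileges on a
 * given inventory object, and lists the permissions set on that object.
 * Endpoint, credentials, entity and privilege ids are assumed sample values.
 */
public class PrivilegeCheck {

    public static void main(String[] args) throws Exception {
        String url = "https://vcenter.example.invalid/sdk";   // assumed endpoint
        String username = "user@vsphere.local";                // assumed
        String password = "changeme";                          // assumed

        // Standard vim25 bootstrap: bind the port to the vCenter SDK endpoint
        // and keep the HTTP session cookie so later calls reuse the login.
        VimService vimService = new VimService();
        VimPortType vimPort = vimService.getVimPort();
        Map<String, Object> ctx = ((BindingProvider) vimPort).getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);
        ctx.put(BindingProvider.SESSION_MAINTAIN_PROPERTY, true);

        ManagedObjectReference siRef = new ManagedObjectReference();
        siRef.setType("ServiceInstance");
        siRef.setValue("ServiceInstance");
        ServiceContent serviceContent = vimPort.retrieveServiceContent(siRef);

        // Same login as in the question; keep the UserSession, because its
        // key is the session id that hasPrivilegeOnEntity expects.
        UserSession session = vimPort.login(
                serviceContent.getSessionManager(), username, password, null);
        try {
            ManagedObjectReference authMgr = serviceContent.getAuthorizationManager();
            // Checking against the root folder (assumed); substitute the VM,
            // folder or datacenter the operation actually targets.
            ManagedObjectReference entity = serviceContent.getRootFolder();

            // Sample privilege ids chosen for illustration.
            List<String> privIds = Arrays.asList(
                    "System.View", "VirtualMachine.Interact.PowerOn");
            // One boolean per requested privilege, in the same order.
            List<Boolean> granted = vimPort.hasPrivilegeOnEntity(
                    authMgr, entity, session.getKey(), privIds);
            for (int i = 0; i < privIds.size(); i++) {
                System.out.printf("%-40s %s%n", privIds.get(i),
                        granted.get(i) ? "granted" : "denied");
            }

            // Which principals hold which role on this object, including
            // permissions inherited (propagated) from parents.
            for (Permission p : vimPort.retrieveEntityPermissions(authMgr, entity, true)) {
                System.out.printf("%s%s roleId=%d propagate=%b%n",
                        p.getPrincipal(), p.isGroup() ? " (group)" : "",
                        p.getRoleId(), p.isPropagate());
            }
        } finally {
            vimPort.logout(serviceContent.getSessionManager());
        }
    }
}
```

The first loop is the check the answer recommends: decide per privilege and per object rather than asking "is this user an administrator". The second loop only shows numeric role ids; mapping an id to a role name (the built-in Administrator role is listed under the name `Admin`) means reading the `roleList` property of the `AuthorizationManager` through the PropertyCollector, which is left out here.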