Use this procedure to manage role, user account, and active directory permission profiles that are grouped as part of the security host profile.

You can configure these host profile options as part of the security profile.

Prerequisites

Make sure that the SecurityConfigProfile plugin is available to validate the role, user account, and Active Directory permission profiles, because there are dependencies between them.

Procedure

  1. In the vSphere Client, select Menu > Policies and Profiles.
  2. Expand the Security and Services > Security Settings profile category and open the Security folder.
    You are presented with the following profiles:
    Role

    This profile allows you to view default roles and add custom roles within the ESXi system.

    User Configuration

    This profile allows you to create and manage user accounts.

    Here are some of the operations that you can perform for user accounts:

    • Create a user account.
    • Configure the password for a user account.
    • Configure the password for the root user.
    • Configure the role for any user that is not the default one.
    • Assign a default or custom role (configure permissions) for a local account.
    • Configure the SSH key for any user.

    Active Directory Permission

    This profile allows you to manage permissions for Active Directory users or groups. For example, you can create permissions that associate an Active Directory user or group with a role.

    When an ESXi host joins the Active Directory domain, an Admin permission is created for the domain group ESX Admins. Also, when an Active Directory user or group is given permissions on the ESXi host, a corresponding permission is created on that host. The Active Directory Permission profile captures that permission.

    Lockdown Mode

    This profile allows you to increase the security of your ESXi hosts by restricting user permissions and privileges.

    You can configure the following lockdown mode settings:
    • Normal lockdown mode: The ESXi host can be accessed from the local console (DCUI) and from vCenter Server. The DCUI service is not stopped.
    • Strict lockdown mode: The ESXi host can only be accessed from vCenter Server. The DCUI service is stopped.
    • Exception users: Users that keep their permissions regardless of the lockdown mode state.
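
    The following is an added example, not part of this documentation, that audits the lockdown mode settings described above across a set of hosts: it flags hosts whose lockdown mode is disabled or weaker than the required mode, and exception users that are not on an approved list, since every exception user keeps full access even in strict mode. The host data here is constructed inline so the script runs offline; the mode names are the values of the vSphere API enum vim.host.HostAccessManager.LockdownMode, and the collect_from_pyvmomi helper (an assumption about how you would feed it from a live vCenter with pyVmomi) is included but not exercised by the offline run.

```python
from dataclasses import dataclass, field

# Values of the vSphere API enum vim.host.HostAccessManager.LockdownMode.
LOCKDOWN_DISABLED = "lockdownDisabled"
LOCKDOWN_NORMAL = "lockdownNormal"
LOCKDOWN_STRICT = "lockdownStrict"

# Ordering used to decide whether a host's mode is weaker than required.
_STRENGTH = {LOCKDOWN_DISABLED: 0, LOCKDOWN_NORMAL: 1, LOCKDOWN_STRICT: 2}


@dataclass
class HostLockdownState:
    """Lockdown mode and exception users of one ESXi host."""
    name: str
    mode: str
    exception_users: list[str] = field(default_factory=list)


@dataclass
class LockdownPolicy:
    """Minimum lockdown mode and the only exception users allowed."""
    required_mode: str
    allowed_exception_users: frozenset[str]


def collect_from_pyvmomi(host_system) -> HostLockdownState:
    """Read the same fields from a live pyVmomi vim.HostSystem (assumption:
    lockdownMode and QueryLockdownExceptions on the host access manager).
    Not called by the offline run below."""
    mgr = host_system.configManager.hostAccessManager
    return HostLockdownState(
        name=host_system.name,
        mode=str(mgr.lockdownMode),
        exception_users=list(mgr.QueryLockdownExceptions()),
    )


def audit_host(host: HostLockdownState, policy: LockdownPolicy) -> list[str]:
    """Return a list of findings for one host; empty means compliant."""
    findings = []
    if host.mode not in _STRENGTH:
        findings.append(f"{host.name}: unknown lockdown mode {host.mode!r}")
    elif _STRENGTH[host.mode] < _STRENGTH[policy.required_mode]:
        detail = ""
        if host.mode == LOCKDOWN_NORMAL:
            detail = " (DCUI service still running)"
        findings.append(
            f"{host.name}: lockdown mode is {host.mode}, "
            f"{policy.required_mode} required{detail}"
        )
    # Exception users bypass lockdown entirely, so each one must be approved.
    for user in host.exception_users:
        if user not in policy.allowed_exception_users:
            findings.append(f"{host.name}: unapproved exception user {user!r}")
    return findings


def audit_inventory(hosts, policy) -> dict[str, list[str]]:
    """Map each host name to its findings."""
    return {h.name: audit_host(h, policy) for h in hosts}


def noncompliant_hosts(hosts, policy) -> list[str]:
    """Sorted names of hosts that have at least one finding."""
    return sorted(name for name, f in audit_inventory(hosts, policy).items() if f)


# Constructed sample inventory (not real hosts).
SAMPLE_POLICY = LockdownPolicy(LOCKDOWN_STRICT, frozenset({"backup-svc"}))
SAMPLE_HOSTS = [
    HostLockdownState("esx01.lab.example", LOCKDOWN_STRICT, ["backup-svc"]),
    HostLockdownState("esx02.lab.example", LOCKDOWN_NORMAL),
    HostLockdownState("esx03.lab.example", LOCKDOWN_DISABLED),
    HostLockdownState("esx04.lab.example", LOCKDOWN_STRICT, ["backup-svc", "tempadmin"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_HOSTS, SAMPLE_POLICY).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

    Running the script prints one line per host; with the sample data only esx01 is compliant. The policy treats the modes as ordered (disabled < normal < strict), so a host in normal mode passes a policy that requires normal but fails one that requires strict.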

    For more information on the security profile, see the vSphere Security documentation.