The privilege checks recorder is a feature that lets you monitor, and subsequently query, the privileges that were checked. You can use the recordings to write scripts that automatically create roles with the minimum privileges required to run specific workflows of operations.
Currently, it is very hard to find out the minimal set of privileges that are required to run a specific workflow of operations. The PrivilegeChecks service provides operations for retrieving a list of the latest privilege checks along with the corresponding sessions, users, managed objects, and operation IDs (opIDs).
The following table lists the available privilege checks operations.
Operation | Description |
---|---|
List privilege checks | Returns a list of privilege checks that match criteria which you specified. |
Get latest privilege check | Returns a marker to the last recorded privilege check. This allows retrieving all privilege checks up to or after a specified moment in time. |
When you retrieve a list of privilege checks, the results are returned in pages because the number of privilege checks can be large. You can control the page size either by using the AuthorizationPrivilegeChecksIterationSpec data structure, or with the config.vpxd.privCheck.pageSize advanced setting.
Filtering Privilege Checks
When you retrieve lists of privilege checks, you can refine your search by using the AuthorizationPrivilegeChecksFilterSpec data structure. The following table lists the available filtering options.
Filtering Option | Description |
---|---|
Objects | IDs of the managed objects on which the privilege check was performed. If unset, all objects match. |
OpIDs | OpIDs of the requests for which the check was performed. If unset, all opIDs match. |
Principals | Principals for which the privilege check was performed. The unset PrivilegeChecks.Principal value matches privilege checks for anonymous sessions. If unset, all principals match. |
Privileges | Privileges that were checked. If unset, all privileges match. |
Sessions | Sessions for which the check was performed. If unset, all sessions match. |
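To make the filter semantics, the marker-based paging, and the "minimum privileges for a workflow" use case concrete, here is an added offline model. It is example code written for this page, not the vSphere Automation SDK or the PrivilegeChecks service itself: the record and filter types mirror the tables above (an unset field matches all checks, a None principal matches anonymous sessions), the marker is modelled as a position in the in-memory recording buffer, and the sample checks are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class PrivilegeCheck:
    # One recorded check; principal is None for an anonymous session.
    object_id: str
    op_id: str
    principal: Optional[str]
    privilege: str
    session: str

@dataclass
class FilterSpec:
    # Unset (None) field = match all checks; a None inside principals = anonymous.
    objects: Optional[Set[str]] = None
    op_ids: Optional[Set[str]] = None
    principals: Optional[Set[Optional[str]]] = None
    privileges: Optional[Set[str]] = None
    sessions: Optional[Set[str]] = None

def matches(check: PrivilegeCheck, spec: FilterSpec) -> bool:
    pairs = ((spec.objects, check.object_id), (spec.op_ids, check.op_id),
             (spec.principals, check.principal), (spec.privileges, check.privilege),
             (spec.sessions, check.session))
    return all(allowed is None or value in allowed for allowed, value in pairs)

def list_checks(recording, spec, page_size, marker=0) -> Tuple[List[PrivilegeCheck], int]:
    # One page of matching checks plus the next-page marker (modelled as a buffer index).
    page, pos = [], marker
    while pos < len(recording) and len(page) < page_size:
        if matches(recording[pos], spec):
            page.append(recording[pos])
        pos += 1
    return page, pos

def required_privileges(recording, spec) -> Dict[str, Set[str]]:
    # Distinct privileges per object for the filtered workflow: the minimum a role must grant.
    needed: Dict[str, Set[str]] = {}
    for check in recording:
        if matches(check, spec):
            needed.setdefault(check.object_id, set()).add(check.privilege)
    return needed

SAMPLE = [  # constructed sample recording, not real vCenter output
    PrivilegeCheck("vm-10", "op-1", "vsphere.local\\alice", "System.View", "sess-1"),
    PrivilegeCheck("vm-10", "op-1", "vsphere.local\\alice", "VirtualMachine.Interact.PowerOn", "sess-1"),
    PrivilegeCheck("group-d1", "op-2", None, "System.Anonymous", "sess-2"),
    PrivilegeCheck("datastore-3", "op-3", "vsphere.local\\alice", "Datastore.Browse", "sess-1"),
]
```

Filtering on the opID of one workflow and feeding the result to `required_privileges` yields exactly the per-object privilege set a custom role for that workflow needs; paging with `list_checks` until it returns an empty page walks the whole recording.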
Using Advanced Settings
You can configure advanced settings by using the vSphere Client. Some of the advanced settings are not available in the API, but are required for the privilege checks recorder to function properly. For information about configuring advanced settings, see vCenter Server Configuration.
Advanced Setting Name | Description |
---|---|
config.vpxd.privCheck.pageSize | Specifies the default page size for privilege checks lists. |
config.vpxd.privCheck.bufferSize | Specifies the number of privileges to keep in memory. The default value is 0. If you do not change the default value, the privilege checks recorder does not record any data. |
config.vpxd.privCheck.cleanupInterval | Specifies the interval at which privilege checks for unused sessions are cleaned up. The default value is 30 minutes. |