In vSphere, privileges are fine-grained access controls that can be grouped into roles and assigned to users or groups. Privilege Recorder helps you identify the minimum set of privileges required to run a vCenter Server workflow.
It is difficult to determine the minimal set of privileges a user needs to run a specific set of operations. Privileges do not map one-to-one to a workflow, which usually consists of multiple calls to different APIs, each operating on its own object and checking its own privileges. As a result, roles are often built with more access than the workflow needs, or with too little for it to complete. To help keep the environment least-privileged, the Privilege Recorder feature identifies the minimum set of privileges required to run a vCenter Server workflow: it lets you record and then query the privileges that were checked while an operation ran. Privilege Recorder is exposed as a REST API.
Note: This feature is available only as an API, and it supports only workflows run by a script. There is no UI support for Privilege Recorder.
Querying the list API returns the recorded privilege checks, each with the session, user (principal), managed object, and operation ID (opID) for which the check was made. Apply the appropriate filters (for example, the opID of the scripted run) to obtain only the privileges for a particular workflow.
For example, assume that user A needs to create a VM. Creating a VM requires a certain set of privileges, so user A requests them from the system administrator. The administrator enables Privilege Recorder and runs the create VM operation. Each privilege check performed during the operation is recorded, together with data such as the privilege ID, session ID, and opID. The administrator then filters the recorded checks to those belonging to the create VM workflow, creates a role containing exactly that minimum set of privileges, and assigns the role to user A.
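The filtering step in the list API and the create VM walkthrough above, as an added example that is not VMware's code and not from this page: the script takes a privilege-checks list result, keeps only the checks recorded under the opID of the create VM run, and collapses them into the distinct privileges the new role needs, grouped by the managed object each privilege was checked on. The sample response is constructed, and the endpoint path, session header, request body and field names used in `list_privilege_checks` are assumptions modelled on the vSphere Automation API; confirm them in the API Explorer of your own vCenter before relying on them.

```python
"""Reduce recorded vSphere privilege checks to the minimum role for one workflow.

Added example, not VMware's code. The endpoint, request body and response
field names are assumptions (verify them in your vCenter's API Explorer).
"""
import json
import urllib.request
from collections import defaultdict

# Constructed sample shaped like a privilege-checks list result; not captured
# from a real vCenter. A second session/opID is mixed in on purpose so the
# filtering below has something to discard.
SAMPLE_RESPONSE = {
    "items": [
        {"privilege": "VirtualMachine.Inventory.Create",
         "object": {"type": "Folder", "id": "group-v3"},
         "principal": {"name": "admin", "domain": "vsphere.local"},
         "session": "sess-1", "op_id": "create-vm-42"},
        {"privilege": "Datastore.AllocateSpace",
         "object": {"type": "Datastore", "id": "datastore-10"},
         "principal": {"name": "admin", "domain": "vsphere.local"},
         "session": "sess-1", "op_id": "create-vm-42"},
        {"privilege": "Resource.AssignVMToPool",
         "object": {"type": "ResourcePool", "id": "resgroup-8"},
         "principal": {"name": "admin", "domain": "vsphere.local"},
         "session": "sess-1", "op_id": "create-vm-42"},
        {"privilege": "Network.Assign",
         "object": {"type": "Network", "id": "network-12"},
         "principal": {"name": "admin", "domain": "vsphere.local"},
         "session": "sess-1", "op_id": "create-vm-42"},
        # Same privilege checked twice on the same object: must not be double counted.
        {"privilege": "VirtualMachine.Inventory.Create",
         "object": {"type": "Folder", "id": "group-v3"},
         "principal": {"name": "admin", "domain": "vsphere.local"},
         "session": "sess-1", "op_id": "create-vm-42"},
        # Unrelated operation from another user and session: must be filtered out.
        {"privilege": "Datastore.Browse",
         "object": {"type": "Datastore", "id": "datastore-10"},
         "principal": {"name": "auditor", "domain": "vsphere.local"},
         "session": "sess-2", "op_id": "browse-ds-7"},
    ],
    "marker": "",
}


def filter_checks(items, op_id=None, session=None, principal=None):
    """Keep only the checks belonging to the workflow of interest.

    Each filter may be None (no constraint); principal is "name@domain".
    """
    kept = []
    for check in items:
        if op_id is not None and check.get("op_id") != op_id:
            continue
        if session is not None and check.get("session") != session:
            continue
        if principal is not None:
            p = check.get("principal", {})
            if f"{p.get('name')}@{p.get('domain')}" != principal:
                continue
        kept.append(check)
    return kept


def required_privileges(items, **filters):
    """Distinct privilege IDs checked by the filtered workflow: the role's contents."""
    return sorted({c["privilege"] for c in filter_checks(items, **filters)})


def privileges_by_object(items, **filters):
    """Map (object type, object id) -> sorted privileges checked on that object.

    Lets you grant the role only on the objects the workflow actually touched
    instead of at the vCenter root.
    """
    per_obj = defaultdict(set)
    for c in filter_checks(items, **filters):
        obj = c.get("object") or {}
        per_obj[(obj.get("type"), obj.get("id"))].add(c["privilege"])
    return {k: sorted(v) for k, v in per_obj.items()}


def list_privilege_checks(vcenter, api_session_id, op_ids=None, page_size=1000):
    """Fetch recorded checks from vCenter, following the iteration marker.

    Assumed (not taken from the page): POST .../privilege-checks?action=list,
    the vmware-api-session-id header, and the filter/iteration body keys.
    Recording must already be enabled on the vCenter. Not called offline.
    """
    url = f"https://{vcenter}/api/vcenter/authorization/privilege-checks?action=list"
    items, marker = [], None
    while True:
        body = {"filter": {}, "iteration": {"size": page_size}}
        if op_ids:
            body["filter"]["op_ids"] = list(op_ids)
        if marker:
            body["iteration"]["marker"] = marker
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"vmware-api-session-id": api_session_id,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # default TLS verification kept
            page = json.load(resp)
        items.extend(page.get("items", []))
        marker = page.get("marker")
        if not marker:
            return items


if __name__ == "__main__":
    checks = SAMPLE_RESPONSE["items"]
    print("Role for create-vm-42:", required_privileges(checks, op_id="create-vm-42"))
    for (otype, oid), privs in privileges_by_object(checks, op_id="create-vm-42").items():
        print(f"  {otype} {oid}: {privs}")
```

Two caveats when turning the output into a role. The recording covers only the code path that the scripted run exercised: a create VM run that picks a different datastore type, attaches a different network, or applies a customization spec can check privileges the first run never did, so run every variant you intend to allow and take the union before finalizing the role. And because the checks are recorded per object, prefer assigning the role on the specific objects listed by `privileges_by_object` rather than at the root with propagation, which would silently widen the grant well beyond what was recorded.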