The SessionManager managed object controls user access to the server. SessionManager includes methods for logging in to the server, obtaining a session, and logging out. The SessionManager defines the lifetime and visibility of many objects. Session-specific objects are not visible outside the session in which they are created.
Upon successful authentication of a user account, SessionManager returns a UserSession data object to the client application. The session is associated with that user account for the duration of the session. The client application can save the session locally, to a secure file, and reuse the session later to reconnect to the server. You can also configure an ESXi or vCenter Server system to support local sessions, which enable users with credentials on the host to log in based on those privileges.
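An added example, not taken from the vSphere SDK: one way for a client to keep a saved session in a file that only its owner can read, and to refuse to reuse the file if its permissions have been widened. The record fields, the file name, and the functions `save_session` and `load_session` are assumptions for illustration; POSIX file permissions are assumed.

```python
import json
import os
import stat
import tempfile


def save_session(path, session):
    """Write the session record to `path`, readable by the owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600, so the session data is
    # never on disk with wider permissions, even briefly.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".session-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(session, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename over any previous file
    except BaseException:
        os.unlink(tmp)
        raise


def load_session(path):
    """Return the saved session, or refuse if the file is not private."""
    # O_NOFOLLOW (where available) rejects a symlink planted at `path`.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r") as fh:
        st = os.fstat(fh.fileno())  # check the opened file, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("session file is not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError("session file is owned by another user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("session file is group/world accessible")
        return json.load(fh)


if __name__ == "__main__":
    # Constructed sample record; field names are hypothetical.
    record = {
        "server": "vcenter.example.test",
        "user": "svc-backup",
        "session_cookie": "CONSTRUCTED-NOT-A-REAL-TOKEN",
    }
    target = os.path.join(tempfile.mkdtemp(), "vsphere.session")
    save_session(target, record)
    print(load_session(target)["user"])
```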
The SessionManager provides these capabilities:
- Log in and log out. Basic operations to log in to an ESXi or vCenter Server system, obtain a session, and log out. When a session terminates, all session-specific objects are destroyed.
- Impersonation. One user session adopts the authorization level of another user session. Impersonation is common in Web-based scenarios in which a middle-tier application functions as a central account that interacts with other back-end servers or processes. Windows services impersonate a client when accessing resources on behalf of the client. SessionManager supports impersonation through its ImpersonateUser method.
- Delegation. A client application that is running on behalf of a local user can call the SessionManager.AcquireLocalTicket method to obtain a one-time user name and password for logging in. Delegation is useful for host-based utilities that run in the local console.
If the user account associated with the session does not have the permissions required to perform an action, the AuthorizationManager returns a NoPermission fault to the client application.