VMware vSphere includes the following interfaces for authenticating users and protecting virtual infrastructure components from unauthorized access:
- HostLocalAccountManager is used to create and manage user accounts on ESXi systems. Authenticated users can view objects or invoke operations on the server depending on the permissions associated with their account. See Managing ESXi Users with HostLocalAccountManager.
- AuthorizationManager protects vSphere components from unauthorized access. Access to components is role-based: Users are assigned roles that encompass the privileges needed to view and perform operations on vSphere objects. AuthorizationManager has operations for creating new roles, modifying roles, setting permissions on entities, and handling the relationship between managed objects and permissions.
- UserDirectory provides a look-up mechanism that returns user-account information to AuthorizationManager or to another requestor, such as a client application. See Obtaining User and Group Information from UserDirectory.
- SessionManager provides an interface to the authentication infrastructure on the target server system (see Authenticating Users Through SessionManager).
  - For vCenter Server systems, SessionManager supports single sign-on based on SSO tokens obtained from a VMware SSO Server. See Establishing a Single Sign-On Session with a vCenter Server.
  - For ESXi systems, SessionManager supports authenticating user accounts as defined on the host system, such as accounts created using vSphere Client or accounts created programmatically through the HostLocalAccountManager API.
- Even if a user is authorized to perform operations on a vSphere object, the operation fails if the licenses for the host or the feature have not been assigned. You use LicenseManager and LicenseAssignmentManager to manage the licenses. See Managing Licenses with LicenseManager.
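The role-based model described for AuthorizationManager above can be reviewed offline once roles and permissions have been exported. The following is an added example, not code from the VMware documentation: the `Role` and `Permission` classes mirror fields of the API's AuthorizationRole and Permission data objects, while the `audit` helper, the watch list of privileges, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Shapes mirror the vSphere API data objects AuthorizationRole and Permission;
# every value below is constructed sample data, not output from a real server.
@dataclass(frozen=True)
class Role:
    roleId: int
    name: str
    privilege: frozenset  # privilege IDs the role encompasses

@dataclass(frozen=True)
class Permission:
    entity: str      # managed object the permission is set on
    principal: str   # user or group name
    group: bool      # True when the principal is a group
    roleId: int
    propagate: bool  # True when the permission applies to child objects

# Assumed watch list: privileges that let a principal change access or licensing.
SENSITIVE = frozenset({"Authorization.ModifyRoles", "Authorization.ModifyPermissions",
                       "Host.Local.ManageUserGroups", "Global.Licenses"})

def audit(roles, permissions, sensitive=SENSITIVE):
    """Return sorted (principal, entity, role name, sensitive privileges, propagate)."""
    by_id = {r.roleId: r for r in roles}
    findings = []
    for p in permissions:
        role = by_id.get(p.roleId)
        name = role.name if role else f"<unknown role {p.roleId}>"
        hits = tuple(sorted(role.privilege & sensitive)) if role else ()
        if hits or role is None:  # permissions pointing at a missing role are reported too
            findings.append((p.principal, p.entity, name, hits, p.propagate))
    return sorted(findings)

ROLES = [
    Role(101, "VmOperator", frozenset({"VirtualMachine.Interact.PowerOn"})),
    Role(102, "DelegatedAdmin", frozenset({"Authorization.ModifyPermissions", "System.View"})),
    Role(103, "HostAccounts", frozenset({"Host.Local.ManageUserGroups"})),
]
PERMISSIONS = [
    Permission("group-d1", "EXAMPLE\\ops", True, 101, True),
    Permission("group-d1", "EXAMPLE\\helpdesk", True, 102, True),
    Permission("host-42", "svc-backup", False, 103, False),
    Permission("vm-7", "EXAMPLE\\alice", False, 999, False),  # role id absent from ROLES
]

if __name__ == "__main__":
    for finding in audit(ROLES, PERMISSIONS):
        print(finding)
```

Findings with `propagate` set to true on a high-level entity deserve the closest review, because the role's privileges then apply to every child object beneath it.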