Navigating the inventory requires a user account that can connect to the server and obtain a valid session. The user identity associated with the session is called a principal. When a client application attempts to access an object in the inventory, the server looks up the permission objects that apply to that object (assigned on the object itself or inherited from a parent object) and checks whether the role those permissions grant to the principal includes the privilege that the requested operation requires.

For example, creating a virtual machine requires that the principal associated with the session have the following privileges:

  • The VirtualMachine.Inventory.Create privilege on the folder in which to create the virtual machine.
  • The Resource.AssignVMToPool privilege on the resource pool from which the virtual machine obtains its allocation of CPU and memory resources.

Reading the perfCounter property of the PerformanceManager managed object requires the System.View privilege on the root folder.
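The following is an added worked example, not code from the vSphere SDK or the original page. It models the privilege check described above for both cases in the text (the two privileges needed to create a virtual machine, and the System.View privilege on the root folder needed to read perfCounter) and runs offline against a small constructed inventory. The resolution rules it implements are the documented ones: a permission binds a principal to a role on an inventory object, a permission set on a child object overrides one inherited from an ancestor, and an ancestor's permission is inherited only when its propagate flag is set. The entity names, the role names, the System.Read privilege and the principals alice, bob and carol are assumptions made for the example.

```python
# Added example: a self-contained model of how vCenter resolves a principal's
# privileges on an inventory object. Not the vSphere SDK's own code. The
# inventory, roles and principals below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)          # identity semantics so `is` compares nodes
class Entity:
    name: str
    parent: Optional["Entity"] = None


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset


@dataclass(eq=False)
class Permission:
    principal: str
    role: Role
    entity: Entity
    propagate: bool = True


def effective_role(perms, principal, entity):
    """Walk from `entity` toward the root folder. The nearest permission for
    `principal` wins; an ancestor's permission applies only if it propagates."""
    node, direct = entity, True
    while node is not None:
        for p in perms:
            if p.principal == principal and p.entity is node and (direct or p.propagate):
                return p.role
        node, direct = node.parent, False
    return None


def has_privilege(perms, principal, entity, privilege):
    role = effective_role(perms, principal, entity)
    return role is not None and privilege in role.privileges


def missing_privileges(perms, principal, required):
    """`required` is a list of (entity, privilege) pairs; returns those not held."""
    return [(e.name, pr) for e, pr in required
            if not has_privilege(perms, principal, e, pr)]


# Constructed inventory: root folder -> datacenter -> VM folders / resource pools
ROOT = Entity("Datacenters")
DC = Entity("dc1", ROOT)
VM_FOLDER = Entity("vm", DC)
DEV_FOLDER = Entity("dev-vms", VM_FOLDER)
HOST_FOLDER = Entity("host", DC)
CLUSTER = Entity("cluster1", HOST_FOLDER)
ROOT_POOL = Entity("Resources", CLUSTER)
DEV_POOL = Entity("dev-pool", ROOT_POOL)

# Constructed roles. The privilege IDs are the ones named in the text; the
# role names and System.Read are assumptions for the example.
READ_ONLY = Role("ReadOnly", frozenset({"System.View", "System.Read"}))
VM_CREATOR = Role("VMCreator", frozenset({
    "System.View", "System.Read",
    "VirtualMachine.Inventory.Create", "Resource.AssignVMToPool"}))

PERMS = [
    Permission("alice", READ_ONLY, ROOT),          # propagates to the whole tree
    Permission("alice", VM_CREATOR, DEV_FOLDER),   # overrides ReadOnly under dev-vms
    Permission("alice", VM_CREATOR, DEV_POOL),
    Permission("bob", READ_ONLY, ROOT),
    Permission("bob", VM_CREATOR, DEV_FOLDER),     # no matching grant on the pool
    Permission("carol", VM_CREATOR, VM_FOLDER, propagate=False),  # dev-vms inherits nothing
]


def check_create_vm(principal, folder=DEV_FOLDER, pool=DEV_POOL):
    """The two checks the text lists for creating a VM; [] means allowed."""
    return missing_privileges(PERMS, principal, [
        (folder, "VirtualMachine.Inventory.Create"),
        (pool, "Resource.AssignVMToPool"),
    ])


def can_read_perf_counters(principal):
    """Reading PerformanceManager.perfCounter needs System.View on the root folder."""
    return has_privilege(PERMS, principal, ROOT, "System.View")


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, "missing for CreateVM:", check_create_vm(who),
              "| can read perfCounter:", can_read_perf_counters(who))
```

The point the example makes is that the two privileges are checked on two different objects: bob holds VirtualMachine.Inventory.Create on the dev-vms folder but only ReadOnly (inherited from the root folder) on dev-pool, so his request is rejected for the missing Resource.AssignVMToPool, while carol's non-propagating permission on the vm folder gives her nothing on the dev-vms subfolder and no System.View on the root folder at all. Against a live vCenter Server the same question is asked through AuthorizationManager rather than a local model.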

Important: Some privileges are specific to objects on vCenter Server or specific to ESXi. For example, the Alarm.Create privilege associated with AlarmManager is available only through vCenter Server systems.

See Authentication and Authorization for more information on authentication, authorization, roles, and user identity.