VMware Cloud Community
nblr06
Enthusiast
Enthusiast
‎04-20-2023 10:55 PM
Jump to solution

read-only permission cannot browse any object

I'm trying to configure an user account + default "read-only" permission in standalone ESXi version 7.0.3 hosts for operations.

The user account can be created with no problems, however, when applying the ESXi default permission "read-only" to this account, the screen showed only "system" is checked while other items are greyed out.(see figure below)

nblr06_0-1682055977012.png

After login to ESXi host using this read-only account, the webpage showed nothing to browse at all.(see figure below)

nblr06_1-1682056177280.png

My demand is to let an user account to read/browse all the objects/items in ESXi host but it seemed that something went wrong that prevented this from working normally?

is it possible that there's unknown bug to the permission? or maybe i missed some key configurations?

 

0 Kudos
1 Solution

Accepted Solutions
lamw
Community Manager
Community Manager
‎04-21-2023 07:25 AM
Jump to solution

ESXi Embedded Host Client UI assumes that users are typically logging in with full admin privileges. I've seen this personally where sub-set of the privileges were missing and the views can't be displayed properly. If you know the exact URL, then you can reach the pages with RO as an example. If you have vCenter Server, that would be ideal place to setup RO account and does properly render all pages.

 

View solution in original post

0 Kudos
4 Replies
lamw
Community Manager
Community Manager
‎04-21-2023 07:25 AM
Jump to solution

ESXi Embedded Host Client UI assumes that users are typically logging in with full admin privileges. I've seen this personally where sub-set of the privileges were missing and the views can't be displayed properly. If you know the exact URL, then you can reach the pages with RO as an example. If you have vCenter Server, that would be ideal place to setup RO account and does properly render all pages.

 

0 Kudos
Kinnison
Commander
Commander
‎04-21-2023 10:30 AM
Jump to solution

Comment removed...

nblr06
Enthusiast
Enthusiast
‎04-23-2023 08:02 AM
Jump to solution

Hi William, it's my pleasure to recieve your answer! Thx!

To be precise, I'm using the "read-only" account for a third-party software to connect to ESXi host (via API to access ESXi) and the software have problem reading objects from the target ESXi therefore I was thinking about whether this situation is related to some kind of bugs.

I guess the RO account from vCenter that you mentioned is the "@vsphere.local" local account, right? I'll try that.

BTW, my stadalone ESXi doesn't have FQDN, only hostname. Is there any differences between the URL of RO and others?? just don't get it. I never notice any abnormalities in the URL...

0 Kudos
lamw
Community Manager
Community Manager
‎04-23-2023 08:19 AM
Jump to solution

My comment about the UI was purely that, the API works 100% as expected, which assumes you've associated the RO account at the right level of the ESXi host.

Take a look at https://williamlam.com/2023/01/applying-additional-security-hardening-enhancements-in-esxi-8-0.html and specifically the following code snippet:

$authManager = Get-View $global:DefaultVIServer.ExtensionData.Content.AuthorizationManager
$rootFolderMoRef = (Get-Folder -Type Datacenter -Name root).ExtensionData.MoRef

# Give new local account administrative privileges
$newAdminAuthSpec = New-Object VMware.Vim.Permission
$newAdminAuthSpec.RoleId = -1 # Administrator
$newAdminAuthSpec.Propagate = $true
$newAdminAuthSpec.Principal = $newUserName
$authManager.SetEntityPermissions($rootFolderMoRef,@($newAdminAuthSpec))

# Remove administrative privileges from root user
$newRootAuthSpec = New-Object VMware.Vim.Permission
$newRootAuthSpec.RoleId = -5 # NoAccess
$newRootAuthSpec.Propagate = $true
$newRootAuthSpec.Principal = "root"
$authManager.SetEntityPermissions($rootFolderMoRef,@($newRootAuthSpec))

Note the $rootFolderMoRef variable which specifies the root of the ESXi Datacenter reference object and we're also propagating the role down. Make sure when you assign the role, you have something simliar or the RO will only apply at whatever level you've specified. 

If you're using vCenter, @vsphere.local is just the local SSO Domain. Most organizations will have Active Directory which they can centrally manage credentials including expiring/changing passwords. If you have that, then you'll want to setup service account for the 3rd party software, this way you can track all usage. If you do not then you can certainly leverage the local SSO Domain and just create a new account for the 3rd party like thirdparty@vsphere.local and then assign RO at the appropriate inventory level.

I suspect you probably don't have the role assigned at the right level and hence you're seeing some strangeness, which would be expected if you're trying to access things further down inventory. 

Not sure what you mean by FQDN or hostname ... by definition hostname = FQDN but I believe this comes from Windows world where hostname = short FQDN and not the full FQDN 🙂

0 Kudos