VCF 9.1 API Access (5): Access Control

In VCF 9.1, access control for API-driven automation is managed through VCF Custom Roles and Role Assignments linked to API tokens. This post details how these mechanisms govern programmatic authentication and authorization.


1. API Token Permission Inheritance

API token access is governed directly by the security principal the token is associated with. That principal is an SSO user when a human generates the token, or an API client when the token is created under that API client. Regardless of the principal type, the resulting API token's permissions are strictly bounded by a foundational inheritance rule:

Inheritance Rule: API token permissions are inherited exclusively from the access levels assigned to the associated principal (SSO user or API Client) at the VCF level.

  • No Direct Component Inheritance: Programmatic tokens do not inherit permissions configured directly at individual component layers, such as local permissions set on a specific vCenter.
  • Example: If an SSO user is assigned the VCF Viewer role at the fleet level, but holds a vCenter Administrator role directly on a local vSphere instance, any API token generated by that user will only carry VCF Viewer permissions.

2. Defining Permissions with VCF Custom Roles

VCF Custom Roles allow administrators to group specific permissions at the fleet scope. When configuring these roles, you can combine both custom and built-in roles across different VCF components:

  • Custom Roles: You can use custom roles from vCenter, VCF Automation, and VCF Operations as component roles.
  • Built-in Roles: You can use built-in roles from vCenter, VCF Automation, VCF Operations, NSX, and HCX as component roles.

A single VCF custom role can contain one or many component roles. Although you can aggregate several permissions this way, a custom role can also be built around a single target function. For example, you can create a custom role called vcf-ops-fleet-admin in VCF Operations and then create a VCF fleet-level role called vcf-fleet-admin that uses it as its only component role. Any API token whose principal is assigned that fleet-level role can then execute fleet management operations.
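As an added illustration (not VCF code and not an API the product exposes), the following Python model applies the inheritance rule from section 1 and the role composition from section 2: a token's effective permissions are resolved solely from the principal's fleet-level VCF roles, and an audit helper lists component-local permissions that will never appear in any token minted by that principal. All role names, permission strings and principals are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ComponentRole:
    """A role defined inside one component (vCenter, VCF Operations, ...)."""
    component: str
    name: str
    permissions: frozenset

@dataclass
class VcfRole:
    """A fleet-scope VCF role aggregating one or more component roles."""
    name: str
    component_roles: tuple

@dataclass
class Principal:
    """SSO user or API client; vcf_roles are fleet-level assignments,
    local_roles are assigned directly on a component (e.g. a local vCenter)."""
    name: str
    kind: str
    vcf_roles: list = field(default_factory=list)
    local_roles: list = field(default_factory=list)

def vcf_role_permissions(role):
    """Flatten a VCF role into (component, permission) pairs."""
    return {(cr.component, p) for cr in role.component_roles for p in cr.permissions}

def api_token_permissions(principal):
    """Inheritance rule: a token carries only the principal's VCF-level roles;
    component-local assignments contribute nothing."""
    return set().union(*(vcf_role_permissions(r) for r in principal.vcf_roles))

def orphaned_local_permissions(principal):
    """Audit aid: component-local permissions that will never surface in a token."""
    local = {(cr.component, p) for cr in principal.local_roles for p in cr.permissions}
    return local - api_token_permissions(principal)

# Constructed sample roles; permission strings are placeholders, not real VCF permission ids.
VCF_VIEWER = VcfRole("VCF Viewer", (ComponentRole("vcf-operations", "read-only", frozenset({"read"})),))
VC_LOCAL_ADMIN = ComponentRole("vcenter", "Administrator", frozenset({"read", "write", "delete"}))
OPS_FLEET_ADMIN = ComponentRole("vcf-operations", "vcf-ops-fleet-admin", frozenset({"read", "manage-fleet"}))
VCF_FLEET_ADMIN = VcfRole("vcf-fleet-admin", (OPS_FLEET_ADMIN,))

# The section 1 example: fleet-level VCF Viewer plus a local vCenter Administrator role.
alice = Principal("alice", "sso-user", vcf_roles=[VCF_VIEWER], local_roles=[VC_LOCAL_ADMIN])
automation = Principal("ci-client", "api-client", vcf_roles=[VCF_FLEET_ADMIN])
```

Running `api_token_permissions(alice)` yields only the viewer permission, while `orphaned_local_permissions(alice)` returns the three vCenter-local permissions that the token cannot exercise.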


What’s Next?

In our next post, we will walk through an example showing exactly what permission is required for this custom vcf-fleet-admin role within VCF Operations. Stay tuned to see how to translate these design concepts into active policy.
