
Monitoring vSphere account password & permission changes 

11.01.2021 by William Lam

If it is not clear by now, I REALLY love the power of vSphere Events and all the use cases it can enable, especially when used with our VMware Event Broker Appliance (VEBA) solution to enable easy Event-Driven Automation.

Over the past month or so, I have noticed a series of questions from our field and customers across a number of topics pertaining to vSphere accounts, including vSphere Single Sign-On (SSO) users. My response to each of these questions points back to leveraging specific vSphere Events, so I thought I would share some of the use cases in which vSphere Events can help:

  • When was the last time a vSphere SSO user (e.g. *protected email*) password was changed?
  • How much time is left (expiry) before the vSphere SSO user password must be changed?
  • Audit of all password changes for a vSphere SSO user (e.g. *protected email*)?
  • Who recently updated the password for a vSphere SSO user (e.g. *protected email*)?
  • When was the last time a vSphere SSO user (e.g. *protected email*) password was reset?
  • Who recently added a new permission to a vSphere user?
  • Who recently removed a permission from a vSphere user?
  • Who recently updated a vSphere Role with additional permissions?
  • Who recently updated a vSphere Role and removed permissions?

These are just some of the examples that I have come across that can be answered by looking at vSphere Events such as: com.vmware.sso.PrincipalManagement, PermissionAddedEvent, PermissionRemovedEvent, PermissionUpdatedEvent, com.vmware.cis.CreateGlobalPermission and com.vmware.cis.RemoveGlobalPermission. As of vSphere 7.0 Update 3, there are over 1,900 Events, which you can view here.

Once you have identified a particular vSphere Event, you may be interested in what it contains. For VEBA users, you can leverage the vSphere Event Viewer, which is built right into the VEBA Appliance and uses a project called Sockeye. Below is an example of a com.vmware.sso.PrincipalManagement event, in which we can see a number of interesting pieces of information, such as the username that performed the password change for the given vSphere SSO user (*protected email*), along with the date and time.

Using VEBA, not only can you easily consume these vSphere Events, but you can now do more interesting things, like sending these audit entries to your security and compliance team, sending notifications to shared Slack/Microsoft Teams channels, etc. The use cases are truly endless and you can take advantage of the many example functions that we have built. If you wish to learn more, check out our VMworld 2021 session VEBA Revolutions - Unleashing the Power of Event-Driven Automation #CODE2773.

Lastly, here are a few of the example payloads for some of the vSphere Events mentioned above.

Password reset and/or change for vSphere SSO User

{
  "Key": 9376716,
  "ChainId": 9376716,
  "CreatedTime": "2021-10-14T14:53:48.854999Z",
  "UserName": "*protected email*",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Principal Management event by *protected email* at 10/14/2021 14:52:32 GMT : Resetting local person user 'veba-ui' password",
  "ChangeTag": "",
  "EventTypeId": "com.vmware.sso.PrincipalManagement",
  "Severity": "info",
  "Message": "",
  "Arguments": [
    {
      "Key": "userName",
      "Value": "*protected email*"
    },
    {
      "Key": "description",
      "Value": "Resetting local person user 'veba-ui' password"
    },
    {
      "Key": "userIp",
      "Value": ""
    },
    {
      "Key": "timestamp",
      "Value": "10/14/2021 14:52:32 GMT"
    },
    {
      "Key": "_sourcehost_",
      "Value": "vcsa.primp-industries.local"
    }
  ],
  "ObjectId": "",
  "ObjectType": "",
  "ObjectName": "",
  "Fault": null
}

Adding a vSphere Permission

{
  "Key": 9380117,
  "ChainId": 9380117,
  "CreatedTime": "2021-10-16T14:42:58.142Z",
  "UserName": "VSPHERE.LOCAL\\Administrator",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Permission created for VSPHERE.LOCAL\\readonly-svc on Datacenters, role is Administrator, propagation is Enabled",
  "ChangeTag": "",
  "Entity": {
    "Name": "Datacenters",
    "Entity": {
      "Type": "Folder",
      "Value": "group-d1"
    }
  },
  "Principal": "VSPHERE.LOCAL\\readonly-svc",
  "Group": false,
  "Role": {
    "RoleId": -1,
    "Name": "Administrator"
  },
  "Propagate": true
}


Removing a vSphere Permission

{
  "Key": 9380134,
  "ChainId": 9380134,
  "CreatedTime": "2021-10-16T14:44:41.637Z",
  "UserName": "VSPHERE.LOCAL\\Administrator",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Permission rule removed for VSPHERE.LOCAL\\readonly-svc on Datacenters",
  "ChangeTag": "",
  "Entity": {
    "Name": "Datacenters",
    "Entity": {
      "Type": "Folder",
      "Value": "group-d1"
    }
  },
  "Principal": "VSPHERE.LOCAL\\readonly-svc",
  "Group": false
}
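As an added example (not code from this post, nor from VEBA), here is a small Python routine that turns the three payloads above into flat audit records that answer the questions at the top of the post: who changed which password, who granted or removed which permission, and whether a grant deserves attention. It assumes the vSphere event type name is handed in alongside the payload (as the event envelope supplies it); the sample user and host names, and the generic capture of the verb in the password description, are constructed.

```python
import re

# Constructed sample events, trimmed to the fields used here and modelled on the
# payloads shown in the post; user names and host names are placeholders.
SAMPLE_EVENTS = [
    ("com.vmware.sso.PrincipalManagement", {
        "UserName": "administrator@vsphere.local", "CreatedTime": "2021-10-14T14:53:48.854999Z",
        "Arguments": [
            {"Key": "userName", "Value": "administrator@vsphere.local"},
            {"Key": "description", "Value": "Resetting local person user 'veba-ui' password"},
            {"Key": "userIp", "Value": ""}, {"Key": "_sourcehost_", "Value": "vcsa.example.local"}]}),
    ("PermissionAddedEvent", {
        "UserName": "VSPHERE.LOCAL\\Administrator", "CreatedTime": "2021-10-16T14:42:58.142Z",
        "Entity": {"Name": "Datacenters", "Entity": {"Type": "Folder", "Value": "group-d1"}},
        "Principal": "VSPHERE.LOCAL\\readonly-svc", "Group": False,
        "Role": {"RoleId": -1, "Name": "Administrator"}, "Propagate": True}),
    ("PermissionRemovedEvent", {
        "UserName": "VSPHERE.LOCAL\\Administrator", "CreatedTime": "2021-10-16T14:44:41.637Z",
        "Entity": {"Name": "Datacenters", "Entity": {"Type": "Folder", "Value": "group-d1"}},
        "Principal": "VSPHERE.LOCAL\\readonly-svc", "Group": False}),
]
# Only the "Resetting ..." wording appears in the post, so the verb is captured generically.
PASSWORD_RE = re.compile(r"(\w+) local person user '([^']+)' password")
PERMISSION_ACTIONS = {"PermissionAddedEvent": "permission-added",
                      "PermissionRemovedEvent": "permission-removed"}

def audit_record(event_type, data):
    """Flatten one vSphere event into an audit record; None if it is not of interest."""
    args = {a["Key"]: a["Value"] for a in data.get("Arguments", [])}
    rec = {"time": data["CreatedTime"], "actor": data["UserName"], "event": event_type}
    if event_type == "com.vmware.sso.PrincipalManagement":
        m = PASSWORD_RE.search(args.get("description", ""))
        if not m:
            return None  # other principal-management operations are not password events
        rec.update(action="password-" + m.group(1).lower(), target=m.group(2),
                   actor_ip=args.get("userIp", ""), source_host=args.get("_sourcehost_", ""))
    elif event_type in PERMISSION_ACTIONS:
        rec.update(action=PERMISSION_ACTIONS[event_type], target=data["Principal"],
                   entity=data["Entity"]["Name"], role=data.get("Role", {}).get("Name"),
                   propagate=data.get("Propagate"))
    else:
        return None
    # Flag Administrator granted at the root "Datacenters" folder with propagation: full inventory control.
    rec["high_risk"] = (rec["action"] == "permission-added" and rec["role"] == "Administrator"
                        and rec["entity"] == "Datacenters" and rec["propagate"] is True)
    return rec

def last_password_event(records, user):
    # Answers "when was this user's password last reset or changed, and by whom?"
    hits = [r for r in records if r["action"].startswith("password-") and r["target"] == user]
    return max(hits, key=lambda r: r["time"]) if hits else None
```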

Categories // Automation, vSphere Tags // global permission, password, permission, VMware Event Broker Appliance