
Monitoring vSphere account password & permission changes 

11.01.2021 by William Lam // Leave a Comment

If it is not clear by now, I REALLY love the power of vSphere Events and all the use cases it can enable, especially when used with our VMware Event Broker Appliance (VEBA) solution to enable easy Event-Driven Automation.

Over the past month or so, I have noticed a series of questions from our field and customers across a number of topics pertaining to vSphere accounts, including vSphere Single Sign-On (SSO) users. My response to each of these questions points back to leveraging specific vSphere Events, and I thought I would share some of the use cases in which vSphere Events can help:

  • When was the last time a vSphere SSO user (e.g. *protected email*) password was changed?
  • How much time is left (expiry) before the vSphere SSO user password must be changed?
  • Audit of all password changes for a vSphere SSO user (e.g. *protected email*)?
  • Who recently updated the password for a vSphere SSO user (e.g. *protected email*)?
  • When was the last time a vSphere SSO user (e.g. *protected email*) password was reset?
  • Who recently added a new permission to a vSphere user?
  • Who recently removed a permission from a vSphere user?
  • Who recently updated a vSphere Role with additional permissions?
  • Who recently updated a vSphere Role and removed permissions?

These are just some of the examples that I have come across that can be answered by looking at vSphere Events such as: com.vmware.sso.PrincipalManagement, PermissionAddedEvent, PermissionRemovedEvent, PermissionUpdatedEvent, com.vmware.cis.CreateGlobalPermission and com.vmware.cis.RemoveGlobalPermission. As of vSphere 7.0 Update 3, there are over 1,900 Events, which you can view here.

Once you have identified a particular vSphere Event, you may be interested in what it contains. For VEBA users, you can leverage the vSphere Event Viewer, which is built right into the VEBA Appliance and uses a project called Sockeye. Below is an example of a com.vmware.sso.PrincipalManagement event, and we can see a number of interesting pieces of information, such as the username that performed the password change for the given vSphere SSO user, which is *protected email*, along with the date and time.

Using VEBA, not only can you easily consume these vSphere Events, but you can now do more interesting things like sending these audit entries to your security and compliance team, or sending notifications to shared Slack/Microsoft Teams channels, etc. The use cases are truly endless, and you can take advantage of the many example functions that we have built. If you wish to learn more, check out our VMworld 2021 session VEBA Revolutions - Unleashing the Power of Event-Driven Automation #CODE2773.

Lastly, here are a few of the example payloads for some of the vSphere Events mentioned above.

Password reset and/or change for vSphere SSO User

{
  "Key": 9376716,
  "ChainId": 9376716,
  "CreatedTime": "2021-10-14T14:53:48.854999Z",
  "UserName": "*protected email*",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Principal Management event by *protected email* at 10/14/2021 14:52:32 GMT : Resetting local person user 'veba-ui' password",
  "ChangeTag": "",
  "EventTypeId": "com.vmware.sso.PrincipalManagement",
  "Severity": "info",
  "Message": "",
  "Arguments": [
    {
      "Key": "userName",
      "Value": "*protected email*"
    },
    {
      "Key": "description",
      "Value": "Resetting local person user 'veba-ui' password"
    },
    {
      "Key": "userIp",
      "Value": ""
    },
    {
      "Key": "timestamp",
      "Value": "10/14/2021 14:52:32 GMT"
    },
    {
      "Key": "_sourcehost_",
      "Value": "vcsa.primp-industries.local"
    }
  ],
  "ObjectId": "",
  "ObjectType": "",
  "ObjectName": "",
  "Fault": null
}

Adding a vSphere Permission

{
  "Key": 9380117,
  "ChainId": 9380117,
  "CreatedTime": "2021-10-16T14:42:58.142Z",
  "UserName": "VSPHERE.LOCAL\\Administrator",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Permission created for VSPHERE.LOCAL\\readonly-svc on Datacenters, role is Administrator, propagation is Enabled",
  "ChangeTag": "",
  "Entity": {
    "Name": "Datacenters",
    "Entity": {
      "Type": "Folder",
      "Value": "group-d1"
    }
  },
  "Principal": "VSPHERE.LOCAL\\readonly-svc",
  "Group": false,
  "Role": {
    "RoleId": -1,
    "Name": "Administrator"
  },
  "Propagate": true
}

Removing a vSphere Permission

{
  "Key": 9380134,
  "ChainId": 9380134,
  "CreatedTime": "2021-10-16T14:44:41.637Z",
  "UserName": "VSPHERE.LOCAL\\Administrator",
  "Datacenter": null,
  "ComputeResource": null,
  "Host": null,
  "Vm": null,
  "Ds": null,
  "Net": null,
  "Dvs": null,
  "FullFormattedMessage": "Permission rule removed for VSPHERE.LOCAL\\readonly-svc on Datacenters",
  "ChangeTag": "",
  "Entity": {
    "Name": "Datacenters",
    "Entity": {
      "Type": "Folder",
      "Value": "group-d1"
    }
  },
  "Principal": "VSPHERE.LOCAL\\readonly-svc",
  "Group": false
}
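As an added example (not code from this post or from the VEBA project), here is a small Python normaliser that turns the three payloads above into flat audit records of the kind you would forward to a security team, and flags the widest possible grant (Administrator with propagation). The sample events are constructed from the page's payloads, the obfuscated SSO account is replaced by the placeholder administrator@vsphere.local, and the event name is assumed to be delivered alongside the payload (as VEBA's CloudEvent subject).

```python
import re

# Constructed sample events, trimmed from the three payloads shown on this page; the obfuscated
# account is the placeholder administrator@vsphere.local and the event name is assumed to
# travel with the payload (VEBA's CloudEvent subject).
SAMPLE_EVENTS = [
    ("com.vmware.sso.PrincipalManagement", {
        "CreatedTime": "2021-10-14T14:53:48.854999Z",
        "UserName": "administrator@vsphere.local",
        "Arguments": [
            {"Key": "userName", "Value": "administrator@vsphere.local"},
            {"Key": "description", "Value": "Resetting local person user 'veba-ui' password"},
            {"Key": "userIp", "Value": ""},
            {"Key": "_sourcehost_", "Value": "vcsa.primp-industries.local"}]}),
    ("PermissionAddedEvent", {
        "CreatedTime": "2021-10-16T14:42:58.142Z",
        "UserName": "VSPHERE.LOCAL\\Administrator",
        "Entity": {"Name": "Datacenters", "Entity": {"Type": "Folder", "Value": "group-d1"}},
        "Principal": "VSPHERE.LOCAL\\readonly-svc", "Group": False,
        "Role": {"RoleId": -1, "Name": "Administrator"}, "Propagate": True}),
    ("PermissionRemovedEvent", {
        "CreatedTime": "2021-10-16T14:44:41.637Z",
        "UserName": "VSPHERE.LOCAL\\Administrator",
        "Entity": {"Name": "Datacenters", "Entity": {"Type": "Folder", "Value": "group-d1"}},
        "Principal": "VSPHERE.LOCAL\\readonly-svc", "Group": False}),
]

# "Resetting local person user 'veba-ui' password" -> the verb and the target account.
PASSWORD_RE = re.compile(r"^(\w+) local person user '([^']+)' password")
PERMISSION_EVENTS = {"PermissionAddedEvent", "PermissionUpdatedEvent", "PermissionRemovedEvent"}

def audit_record(subject, data):
    """Flatten one vSphere event into an audit record, or return None if it is not of interest."""
    base = {"event": subject, "when": data["CreatedTime"], "actor": data.get("UserName", "")}
    if subject == "com.vmware.sso.PrincipalManagement":
        args = {a["Key"]: a["Value"] for a in data.get("Arguments", [])}
        match = PASSWORD_RE.match(args.get("description", ""))
        if not match:
            return None  # other principal-management activity (group changes etc.)
        return {**base, "action": match.group(1).lower(), "target": match.group(2),
                "source": args.get("_sourcehost_", ""), "high_risk": False}
    if subject in PERMISSION_EVENTS:
        role = data.get("Role", {}).get("Name")  # the Removed event carries no Role
        entity = data["Entity"]
        # Administrator granted with propagation is the widest possible grant, so flag it.
        high_risk = role == "Administrator" and bool(data.get("Propagate"))
        return {**base, "action": subject.replace("Permission", "").replace("Event", "").lower(),
                "target": data["Principal"], "entity": entity["Name"],
                "entity_id": entity["Entity"]["Value"], "role": role, "high_risk": high_risk}
    return None
```

Feeding each (subject, payload) pair through audit_record gives one record per password reset and permission change, with the Administrator-plus-propagation grant marked high_risk.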
