Although I come across a fair amount of interesting and challenging questions posed by our customers, I have to say this is certainly one of the more stranger question that continues to surface every so often. The question itself is fairly straight forward, but what I find strange is the reasoning and justifications for needing such a solution.

In case the title was not a give away, the question is having the ability to restrict a set of user(s) from the vSphere UI while still allowing access to the vSphere API for these same user(s). To be clear, the behavior of vSphere is that if you have vSphere UI access, then you also have vSphere API access which is all based on the permissions a user or group has been granted. There is no way to distinguish or limit access between these interfaces including any vSphere SDK or PowerCLI usage which also relies on vSphere API access.

There may be valid use cases for needing such a capability, however from my experience in talking with our customers and field, it feels like this is an attempt to solve organizational and/or process issues. Let give you a few examples that I have come across over the years:

• I need to prevent [team|individual] from using the vSphere UI, because they are not using the internal provisioning tools we have built
• I need to prevent [team|individual] from using the vSphere UI, because they need to learn how to automate using the vSphere API
• I need to prevent [individual] in [team] from using the vSphere UI, because they are making changes to VMs without filing support tickets
• I need to prevent [individual] on my [team] from using the vSphere UI, because they are bypassing our change control policies

[Read more...]