If you have used the vSphere API and read its API Reference, you may have noticed the two most commonly required privileges: System.View and System.Read. Many methods list one or the other. As the names suggest they are different, but what exactly is the difference? It confused me at first, and it is not documented anywhere.
Here is the explanation I got after talking to my colleague Jianping Yang, who is the vCenter DB and security guru.
- System.View is the privilege needed to navigate the inventory tree from the root folder (the rootFolder property of the ServiceContent data object, which you get from the ServiceInstance) down to an object on which the user holds a permission, even though the user has no permission assigned on the intermediate objects along that path.
- If a user has any permission on an object, the user implicitly holds the System.Read privilege on that object, and the System.View privilege on each of that object's parent objects up the inventory tree to the root folder.
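To make the two rules concrete, here is a small offline model of them. It is an added example, not code from the original post and not the vSphere API itself: the inventory tree, the user "alice", the role privileges and the `Permission`/`Entity` classes are all constructed for illustration. It also models one behaviour the post does not discuss, the propagate flag on a permission, which is assumed to work as it does in vCenter (a propagating permission applies to the object's children, and the permission nearest to an object wins).

```python
"""Toy model of how vSphere derives System.View / System.Read from permissions.

Added example, not from the original post. Tree, principal and role
privileges below are constructed for illustration (assumptions).
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

# Privileges every role carries implicitly; any permission grants these.
IMPLICIT_PRIVILEGES = frozenset({"System.Read", "System.View"})


@dataclass
class Permission:
    principal: str
    privileges: frozenset          # privileges of the assigned role
    propagate: bool = True         # assumption: vCenter's propagate flag


@dataclass
class Entity:
    name: str
    parent: Optional["Entity"] = None
    children: List["Entity"] = field(default_factory=list)
    permissions: List[Permission] = field(default_factory=list)

    def add(self, child: "Entity") -> "Entity":
        child.parent = self
        self.children.append(child)
        return child

    def path_from_root(self) -> List["Entity"]:
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return list(reversed(path))


def descendants(entity: Entity) -> Iterator[Entity]:
    for child in entity.children:
        yield child
        yield from descendants(child)


def governing_permission(entity: Entity, principal: str) -> Optional[Permission]:
    """The permission that applies to entity for principal: the one on the
    entity itself, else the nearest ancestor's if it propagates."""
    node = entity
    while node is not None:
        for perm in node.permissions:
            if perm.principal == principal and (node is entity or perm.propagate):
                return perm
        node = node.parent
    return None


def has_privilege(entity: Entity, principal: str, priv: str) -> bool:
    perm = governing_permission(entity, principal)
    if perm is not None:
        # Rule 2: any permission on the object implies System.Read (and System.View).
        return priv in perm.privileges or priv in IMPLICIT_PRIVILEGES
    if priv == "System.View":
        # Rule 1/2: System.View is implied on every ancestor of an object
        # the principal holds a permission on, so the path stays navigable.
        return any(p.principal == principal
                   for d in descendants(entity) for p in d.permissions)
    return False


def navigate(target: Entity, principal: str) -> List[str]:
    """Walk rootFolder -> target; every hop needs System.View.
    Returns the names along the path or raises PermissionError."""
    path = target.path_from_root()
    for node in path:
        if not has_privilege(node, principal, "System.View"):
            raise PermissionError(f"{principal} lacks System.View on {node.name}")
    return [n.name for n in path]


def build_inventory() -> dict:
    """Constructed inventory: alice holds a VM power-user role on web01 only."""
    root = Entity("rootFolder")
    dc = root.add(Entity("Datacenter:DC1"))
    vm_folder = dc.add(Entity("vmFolder"))
    web = vm_folder.add(Entity("VirtualMachine:web01"))
    db = vm_folder.add(Entity("VirtualMachine:db01"))
    host_folder = dc.add(Entity("hostFolder"))
    host = host_folder.add(Entity("HostSystem:esx01"))
    web.permissions.append(Permission(
        "alice",
        frozenset({"VirtualMachine.Interact.PowerOn",
                   "VirtualMachine.Interact.PowerOff"}),
        propagate=False))
    return {"root": root, "dc": dc, "vmFolder": vm_folder,
            "web": web, "db": db, "host": host}


if __name__ == "__main__":
    inv = build_inventory()
    print(navigate(inv["web"], "alice"))        # reaches web01 via System.View hops
    print(has_privilege(inv["vmFolder"], "alice", "System.Read"))   # False: no permission there
    try:
        navigate(inv["db"], "alice")
    except PermissionError as e:
        print(e)                                # db01 is a sibling: not even System.View
```

The model shows the practical consequence for API callers: a method that requires only System.View on an entity can be invoked on objects the user merely passes through on the way to something they have been granted, while a method requiring System.Read needs a real permission on that entity. A sibling object with no permission gives the user neither, so it is invisible to them even though its parent folder is navigable.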