Difference of Two Common Privileges in vSphere API
If you have used the vSphere API and read its API Reference, you may have noticed the two most commonly used privileges: System.View and System.Read. Many methods require them. As their names suggest, they are different, but what is the difference? It can be confusing for some people, including me initially, because it’s not documented anywhere.
Here are some explanations, based on a conversation with my colleague Jianping Yang, who is the vCenter DB and Security guru.
- The System.View privilege is used to navigate from the root folder (note: you can find it in the ServiceContent data object of ServiceInstance) to the object that a user has a permission on, even if the user does not have any permissions on the objects along that navigation path.
- If a user has any permission on an object, the user will have the System.Read privilege on that object, and for its parent objects in the inventory tree, the user will have the System.View privilege.
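The two rules above can be modelled on a small inventory tree to see what a narrowly scoped user can still reach. This is an added example, not code from the original post or from VMware; the object names are constructed, and it models only the two rules stated here (permissions propagating down to child objects are not modelled).

```python
# Constructed inventory: child -> parent (None marks the root folder).
PARENT = {
    "rootFolder": None,
    "DC1": "rootFolder",
    "vmFolder": "DC1",
    "Prod": "vmFolder",
    "web01": "Prod",
    "db01": "Prod",
    "DC2": "rootFolder",
}


def ancestors(obj):
    """Yield every object from obj's parent up to the root folder."""
    node = PARENT[obj]
    while node is not None:
        yield node
        node = PARENT[node]


def implicit_privileges(permitted_objects):
    """Map each inventory object to the implicit privileges the user holds.

    permitted_objects: objects on which the user has any permission (any role).
    """
    result = {obj: set() for obj in PARENT}
    for obj in permitted_objects:
        # Rule 2, first half: any permission on the object implies System.Read on it.
        result[obj].add("System.Read")
        # Rule 1 / rule 2, second half: System.View on every parent,
        # so the user can navigate from the root folder down to the object.
        for parent in ancestors(obj):
            result[parent].add("System.View")
    return result


def report(permitted_objects):
    """Return only the objects where the user ends up with some privilege."""
    privs = implicit_privileges(permitted_objects)
    return {obj: sorted(p) for obj, p in privs.items() if p}


if __name__ == "__main__":
    # A user granted a role on a single VM can still traverse its parent containers.
    for obj, privs in report(["web01"]).items():
        print(f"{obj:12} {', '.join(privs)}")
```

When reviewing a least-privilege role, the output shows which parent containers become navigable as a side effect of a grant on a single leaf object, while siblings such as db01 and DC2 stay out of reach.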