Skip to content

esxi/manage-users

Set the ESXi software install acceptance level.

This Param allows an operator to manage local (only) users on an ESXi host. Supported operations are to add, remove, and set (change).

The data structure specified in the Param esxi/manage-users is an array of objects with fields id, description, password, role, and an operation to perform. An example in YAML:

- id: user1
  operation: add
  description: User One
  password: S3cr3tP455!
  role: Admin
- id: user2
  operation: set
  password: S3cr3tP455!
  role: ReadOnly
- id: user1
  operation: set
  password: S3cr3tP455!
  role: NoAccess
- id: user1
  operation: remove
- id: user2
  operation: remove

The same example in JSON:

[
  { "id": "user1", "operation": "add", "description": "User One", "password": "S3cr3tP455!", "role": "Admin" },
  { "id": "user2", "operation": "set", "password": "S3cr3tP455!", "role": "ReadOnly" },
  { "id": "user1", "operation": "set", "password": "S3cr3tP455!", "role": "NoAccess" },
  { "id": "user1", "operation": "remove" },
  { "id": "user2", "operation": "remove" }
]

The only supported operations and associated requirements are:

  • add: add a new user to system, will modify (eg 'set') if exists already; requires id, operation, password, and role
  • remove: remove a user if exists, does not error if user does not exist; requires id and operation
  • set: changes an exiting user description, role, or password, performs add if user doesn't exist already requires id, operation, password, and role

An empty description field will result in the ESXi system default description of ESXi User being set on add and set operations.

Passwords (if specified) MUST correctly conform to the current ESXi system password complexity requirements. If they do not, an error will occur, and Task processing will immediately exit on error.

The only allowed values for role are:

  • Admin: Full access rights
  • NoAccess: Used for restricting granted access. E.g. to deny access for some user whose group already has access.
  • ReadOnly: See details of objects, but not make changes

These are specified by VMware and no other roles can be set via the command line.

It is not possible to modify the root and dcui users, and as such; if specified, those users will be ignored and the rest of the specified users will be processed. The actual list of ignored users is specified in the Param esxi/manage-users-ignore-list.