VMware vSphere
Description
The VMware vSphere connector uses the vSphere Automation REST API over HTTPS with session-based authentication to discover privileged accounts on a vCenter Server (or, for basic reachability testing, a standalone ESXi host). It enumerates vCenter Server Appliance local accounts and their assigned VAMI roles (superAdmin / admin / operator), and catalogues the vCenter inventory RBAC roles (Administrator, ReadOnly, and any custom roles) for KRI and compliance visibility.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| vSphere Automation REST API (HTTPS) | 443 TCP | Session-based authentication (POST /api/session); self-signed certificates are accepted |
What OrbisID Discovers
| Data | Source |
|---|---|
| vCenter Server Appliance local accounts | GET /api/appliance/local-accounts + GET /api/appliance/local-accounts/{username} |
VAMI account roles (superAdmin, admin, operator) | roles field per local account |
| vCenter inventory RBAC role catalogue | GET /api/vcenter/authorization/roles |
| Memberships | Local account → assigned VAMI role (direct) |
GET /api/appliance/local-accounts is specific to the vCenter Server Appliance (VCSA) management interface. It is not present on a standalone ESXi host or a Windows-based vCenter Server — OrbisID detects this (HTTP 404) and skips local-account discovery without failing the scan, while still cataloguing the vCenter authorization role list where available.
Connection Requirements
Required Permissions
The scanning credential must be able to authenticate to the vSphere Automation API and read appliance/authorization data.
Minimum permissions:
- A vCenter Single Sign-On user (e.g.
svc-orbisid@vsphere.local) with the built-in Administrator or Read-only vCenter role, sufficient to callGET /api/vcenter/authorization/roles - For VAMI local-account discovery: a vCenter Server Appliance account with permission to read
/api/appliance/local-accounts(typically the appliancerootaccount or a VAMIadmin/operatoraccount)
Credential Mapping
| OrbisID Field | Value |
|---|---|
credential.username | vSphere / VAMI username (e.g. administrator@vsphere.local) |
credential.password | vSphere / VAMI password |
system.hostname | vCenter Server (or ESXi host) FQDN or IP address |
Network Requirements
The OrbisID server (or an assigned On-Premise Scan Agent) must have HTTPS access to the vCenter Server management interface on port 443. vCenter Server and ESXi commonly present self-signed TLS certificates — OrbisID accepts these automatically.
Configuration Steps
- Create a dedicated read-only service account in vCenter Single Sign-On (Administration → Single Sign On → Users and Groups).
- Assign the account the Read-only (or Administrator, for full VAMI local-account visibility) role at the vCenter root object.
- Create a Credential in OrbisID:
- Username: vSphere SSO username (e.g.
svc-orbisid@vsphere.local) - Password: vSphere password
- Username: vSphere SSO username (e.g.
- Navigate to Systems → Add System.
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., vCenter – Production) |
| OS Type | VmwareVsphere |
| System Type | Infrastructure |
| Hostname | vCenter Server FQDN or IP address |
| Credential | The scanning credential |
- Click Test Connection.
- Click Save.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
Authentication failed | Invalid credentials | Verify username (including @vsphere.local or SSO domain suffix) and password |
vSphere API error 403 | Insufficient role assignment | Grant the scanning account at least the Read-only vCenter role |
| No local accounts discovered | Target is a standalone ESXi host or Windows-based vCenter | Expected — VAMI local-account discovery only applies to the vCenter Server Appliance |
| Cannot connect | vSphere Automation API not reachable | Confirm HTTPS (443) connectivity to the vCenter Server management interface and that no proxy/firewall is blocking /api/session |