Skip to main content

VMware vSphere

Description

The VMware vSphere connector uses the vSphere Automation REST API over HTTPS with session-based authentication to discover privileged accounts on a vCenter Server (or, for basic reachability testing, a standalone ESXi host). It enumerates vCenter Server Appliance local accounts and their assigned VAMI roles (superAdmin / admin / operator), and catalogues the vCenter inventory RBAC roles (Administrator, ReadOnly, and any custom roles) for KRI and compliance visibility.

System Type Classification

FieldValue
System TypeInfrastructure
Default Scan Priority500

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

Supported Protocol

ProtocolPortNotes
vSphere Automation REST API (HTTPS)443 TCPSession-based authentication (POST /api/session); self-signed certificates are accepted

What OrbisID Discovers

DataSource
vCenter Server Appliance local accountsGET /api/appliance/local-accounts + GET /api/appliance/local-accounts/{username}
VAMI account roles (superAdmin, admin, operator)roles field per local account
vCenter inventory RBAC role catalogueGET /api/vcenter/authorization/roles
MembershipsLocal account → assigned VAMI role (direct)
note

GET /api/appliance/local-accounts is specific to the vCenter Server Appliance (VCSA) management interface. It is not present on a standalone ESXi host or a Windows-based vCenter Server — OrbisID detects this (HTTP 404) and skips local-account discovery without failing the scan, while still cataloguing the vCenter authorization role list where available.

Connection Requirements

Required Permissions

The scanning credential must be able to authenticate to the vSphere Automation API and read appliance/authorization data.

Minimum permissions:

  • A vCenter Single Sign-On user (e.g. svc-orbisid@vsphere.local) with the built-in Administrator or Read-only vCenter role, sufficient to call GET /api/vcenter/authorization/roles
  • For VAMI local-account discovery: a vCenter Server Appliance account with permission to read /api/appliance/local-accounts (typically the appliance root account or a VAMI admin/operator account)

Credential Mapping

OrbisID FieldValue
credential.usernamevSphere / VAMI username (e.g. administrator@vsphere.local)
credential.passwordvSphere / VAMI password
system.hostnamevCenter Server (or ESXi host) FQDN or IP address

Network Requirements

The OrbisID server (or an assigned On-Premise Scan Agent) must have HTTPS access to the vCenter Server management interface on port 443. vCenter Server and ESXi commonly present self-signed TLS certificates — OrbisID accepts these automatically.

Configuration Steps

  1. Create a dedicated read-only service account in vCenter Single Sign-On (Administration → Single Sign On → Users and Groups).
  2. Assign the account the Read-only (or Administrator, for full VAMI local-account visibility) role at the vCenter root object.
  3. Create a Credential in OrbisID:
    • Username: vSphere SSO username (e.g. svc-orbisid@vsphere.local)
    • Password: vSphere password
  4. Navigate to Systems → Add System.
  5. Fill in the fields:
FieldValue
NameDescriptive name (e.g., vCenter – Production)
OS TypeVmwareVsphere
System TypeInfrastructure
HostnamevCenter Server FQDN or IP address
CredentialThe scanning credential
  1. Click Test Connection.
  2. Click Save.

Troubleshooting

SymptomLikely CauseResolution
Authentication failedInvalid credentialsVerify username (including @vsphere.local or SSO domain suffix) and password
vSphere API error 403Insufficient role assignmentGrant the scanning account at least the Read-only vCenter role
No local accounts discoveredTarget is a standalone ESXi host or Windows-based vCenterExpected — VAMI local-account discovery only applies to the vCenter Server Appliance
Cannot connectvSphere Automation API not reachableConfirm HTTPS (443) connectivity to the vCenter Server management interface and that no proxy/firewall is blocking /api/session