The ESI Service authorizes every API call based on the Windows identity of the caller. Authorization is granted based on the caller’s role membership. The following Service roles are defined by the ESI Service. If these roles are changed, the ESI Service will not work.
Administrator role group members can invoke configuration commands on the ESI Service and query the Entity Graph for discovered systems and system components.
Monitor role group members can only query the Entity Graph to view discovered systems and system components and set the system refresh interval policy.
The ESI Service Administrator can add principal names (security groups or users) to one of these ESI Service roles. Adding a security principal to a Service role enables the administrator to delegate access control to one or more users who can add or modify members of the group. After you add the group to the Monitor role, any user who belongs to this group can make an ESI Service call.
Note: As an
exception to the role assignments, the ESI Service automatically
grants the Administrator role to the local administrator group on
the host that is running the ESI Service. This allows any local
administrator to manage the ESI Service without being explicitly
added; however, the user must be running elevated credentials if
UAC is enabled.
View the security policy
To view the security policy in one of the following ways:
Open a web browser that supports Windows Authentication and browse to the ESI Service console. If you have changed the default port numbers, replace the following default numbers with your assigned ports:
For an HTTP connection, go to http://localhost:54500/esi/console
For a secured HTTPS connection, go to https://localhost:54501/esi/console
Open a PowerShell command prompt, import the toolkit with the Import-Module ESIServicePSToolkit cmdlet. Then type the following, and press Enter:
Get-EmcServicePolicy
Set the security policy for a user
To view the security policy in one of the following ways:
If necessary, import the ESI Service PowerShell module on the ESI host system. To import the module, open a PowerShell command prompt, type the following, and press Enter:
Import-Module ESIServicePSToolkit
Type the following where you replace <domain name>/<principal name> with the applicable domain name and principal name that you want to add to the Monitor role, and then press Enter:
Add-EmcUser "<domain name>\<principal name>" Monitor
Note: The cmdlet fails if the principal name is invalid. And if you want to add the principal name to the Administrator role, replace Monitor in the command above with Administrator.
