Appliance APIs requires the users to be part of certain local groups or SSO groups based on the privilege required. If any user not part of these groups tries to access the APIs they’ll get 403 unauthorised error

vCenter 7.x and above

As per Appliance APIs requirement users/groups should be part of certain SSO group or local group to be able to invoke the APIs. Appliance APIs has 3 major privilege groups: operator (Most of the GET APIs are accessible) admin (Except few disruptive APIs all remaining APIs are accessible) superAdmin (All APIs are accessible and has full access to VAMI UI and has access to bash shell) 

For Local Users either localaccounts API or user.add command from appliancesh can be used to add the user to any of the required group with --role option

For SSO Users the users has to be part of the SSO group as per privilege requirement:

• operator - SystemConfiguration.ReadOnly
• admin - SystemConfiguration.Administrators
• superAdmin - SystemConfiguration.BashShellAdministrators

Groups in the vCenter Single Sign-On Domain