Roles, privileges, permissions and PowerCLI

Assigning appropriate access levels to each user or group mitigates security concerns and lowers the risk of human error. You certainly don't want people other than VMware admins to mess with hosts, clusters, virtual switches or storage. There are some predefined Roles that are applicable in most cases, and many examples of custom Roles can be found on the Internet. This article does not focus on those; instead, it will help you speed up the provisioning of Roles and Permissions across ESXi hosts or vCenter Servers using PowerCLI.

A quick recap on the terminology. As per VMware definitions:

  • Privilege – The ability to perform a specific action or read a specific property.
  • Role – A collection of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task.
  • Permission – Consists of a user or group and an assigned role for an inventory object.

Below are a few examples of managing Roles and Permissions with PowerCLI. The scripts are pretty basic and easy to read. The main idea is that you can use them as a reference to address your needs.

  1. Scenario A – View currently assigned permissions

    Use case example: Loop through a set of ESXi hosts to validate the access levels set.

  2. Scenario B – Assign permissions

    Use case example: Grant AD group permissions at the ESXi level. In case of a vCenter Server outage, the support teams will be able to manage their VMs by connecting directly to the ESXi host. The example below also includes creating a new custom role.

  3. Scenario C – Duplicate a custom role from one vCenter Server to another

    Use case example: Save time and ensure consistent custom role privileges between your vCenter Servers.
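
One way to approach Scenario C, as an added example that is not the article's original script: it copies a custom role to a second vCenter Server and then compares the privilege lists, so that privilege drift between the two servers is reported rather than assumed away. The server names and the role name are placeholders, and it assumes one account can manage roles on both servers.

```powershell
# Added example, not the article's script. Server names and role name are placeholders.
$sourceServer = 'vcenter-a.example.local'
$targetServer = 'vcenter-b.example.local'
$roleName     = 'Custom-VM-Operator'
$cred = Get-Credential -Message 'Account allowed to manage roles on both vCenter Servers'
$src = $dst = $null

try {
    $src = Connect-VIServer -Server $sourceServer -Credential $cred -ErrorAction Stop
    $dst = Connect-VIServer -Server $targetServer -Credential $cred -ErrorAction Stop

    $srcRole = Get-VIRole -Name $roleName -Server $src -ErrorAction Stop
    if ($srcRole.IsSystem) { throw "'$roleName' is a system role; nothing to copy." }

    # Privilege objects belong to the server they were read from, so look up the
    # source role's privilege IDs again on the target server.
    $wantedIds  = @($srcRole.PrivilegeList)
    $targetPriv = @(Get-VIPrivilege -PrivilegeItem -Server $dst |
                    Where-Object { $_.Id -in $wantedIds })
    $missing    = @($wantedIds | Where-Object { $_ -notin $targetPriv.Id })
    if ($missing) {
        Write-Warning "Privileges not present on ${targetServer}: $($missing -join ', ')"
    }

    $dstRole = Get-VIRole -Name $roleName -Server $dst -ErrorAction SilentlyContinue
    if ($dstRole) {
        # Do not overwrite an existing role: a silent change would alter the access
        # granted by every permission that already uses it. Only report the difference.
        Write-Warning "Role '$roleName' already exists on $targetServer; left unchanged."
    } else {
        $dstRole = New-VIRole -Name $roleName -Privilege $targetPriv -Server $dst
    }

    # Verify: '<=' means only on the source role, '=>' only on the target role.
    $drift = Compare-Object -ReferenceObject $wantedIds -DifferenceObject @($dstRole.PrivilegeList)
    if ($drift) {
        $drift | Format-Table InputObject, SideIndicator -AutoSize
    } else {
        Write-Host "Role '$roleName' has identical privileges on both servers."
    }
}
finally {
    # Close whichever sessions were opened, even if a step above failed.
    $open = @($src, $dst) | Where-Object { $_ }
    if ($open) { Disconnect-VIServer -Server $open -Confirm:$false }
}
```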

All scripts are provided AS IS. Although tested and proven to work, they need to be adjusted to fit your needs, as every environment and set of requirements is different.

Your ideas and comments are always welcome!


Ivaylo Ivanov

Ivaylo has 5 years of professional IT experience. Most of it in server administration area, network and virtualization technologies. From 2014 he specializes in VMware products family. He holds VCIX6-DCV and VCP7-CMA certifications. vExpert 2016/2017
