Roles, privileges, permissions and PowerCLI

Assigning the appropriate access level to each user or group mitigates security concerns and lowers the risk of human error. You certainly don’t want people other than VMware admins to mess with hosts, clusters, virtual switches or storage. There are predefined roles that fit most cases, and many examples of custom roles can be found on the Internet. This article does not focus on that; instead it will help you speed up role and permission provisioning across ESXi hosts or vCenter Servers using PowerCLI.

A quick recap on the terminology. As per VMware definitions:

  • Privilege – The ability to perform a specific action or read a specific property.
  • Role – A collection of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task.
  • Permission – Consists of a user or group and an assigned role for an inventory object.

Below are a few examples of managing roles and permissions with PowerCLI. The scripts are fairly basic and easy to read; the idea is that you can use them as a reference and adapt them to your own needs.

  1. Scenario A – View currently assigned permissions
    Get-VIPermission -Entity *inventory object*

    Use case example: loop through a set of ESXi hosts to validate the access levels that are set.

    Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
    ####################
    # Get the list of ESXi hosts in the chosen cluster from vCenter
    $vCenter = Read-Host -Prompt "Enter vCenter Server instance"
    Connect-VIServer -Server $vCenter
    $ClusterName = Read-Host -Prompt "Enter cluster name"
    $hosts = @(Get-VMHost -Location $ClusterName | Sort-Object Name | Select-Object -ExpandProperty Name)

    Disconnect-VIServer -Confirm:$false

    # Prompt once for the ESXi credentials instead of embedding the root password in the script
    $hostCred = Get-Credential -Message "Enter ESXi host credentials (e.g. root)"

    $count = 0
    foreach ($vmhost in $hosts) {
        $count += 1
        Write-Host "Connecting to $vmhost..." -ForegroundColor Yellow
        Connect-VIServer -Server $vmhost -Credential $hostCred
        # When connected directly to ESXi, the host itself is the top-level inventory object
        Get-VIPermission -Entity $vmhost | Select-Object Role, Principal
        if ($count -lt $hosts.Count) { Read-Host -Prompt "Press Enter to move to the next host" }
        Disconnect-VIServer -Confirm:$false
    }
  2. Scenario B – Assign permissions
    New-VIPermission -Entity *inventory object* -Principal *user or group* -Role *role name*

    Use case example: grant an AD group permissions at the ESXi level, so that in case of a vCenter Server outage the support teams can still manage their VMs by connecting directly to the ESXi host. The example below also creates a new custom role.

    Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
    ###Set parameters###
    $ADGroup = "vlab\ESXiAdmins"
    $Role = "Admin"
    ####################
    # Get the list of ESXi hosts in the chosen cluster from vCenter
    $vCenter = Read-Host -Prompt "Enter vCenter Server instance"
    Connect-VIServer -Server $vCenter
    $ClusterName = Read-Host -Prompt "Enter cluster name"
    $hosts = @(Get-VMHost -Location $ClusterName | Sort-Object Name | Select-Object -ExpandProperty Name)

    Disconnect-VIServer -Confirm:$false

    foreach ($vmhost in $hosts) {
        Write-Host "Connecting to $vmhost..." -ForegroundColor Yellow
        # Connect-VIServer prompts for the host credentials when none are supplied
        Connect-VIServer -Server $vmhost
        Write-Host "Assigning $Role permissions to $ADGroup" -ForegroundColor Yellow
        New-VIPermission -Entity $vmhost -Principal $ADGroup -Role $Role

        Write-Host "Creating custom Role and assigning permissions" -ForegroundColor Yellow
        # Roles are local to each host on a direct ESXi connection; skip creation if it already exists so the script can be re-run
        if (-not (Get-VIRole -Name "CIM Only" -ErrorAction SilentlyContinue)) {
            New-VIRole -Name "CIM Only" -Privilege "CIM interaction","System Management"
        }
        New-VIPermission -Entity $vmhost -Principal "vlab\serviceAccount" -Role "CIM Only"

        Disconnect-VIServer -Confirm:$false
    }
  3. Scenario C – Duplicate custom role from one vCenter Server to another
    Use case example: save time and ensure consistent custom role privileges across your vCenter Servers.

    Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

    $vCenter = Read-Host -Prompt "Enter source vCenter Server instance"
    Write-Host "Connecting to $vCenter..." -ForegroundColor Yellow
    Connect-VIServer -Server $vCenter

    $sourceRole = $null
    $sourceRoleName = Read-Host -Prompt "Enter source role name"

    # Keep asking until a role with the given name exists on the source vCenter
    while ($sourceRole -eq $null) {
        Write-Host "Querying for role $sourceRoleName..." -ForegroundColor Yellow
        $sourceRole = Get-VIRole -Name $sourceRoleName -ErrorAction SilentlyContinue
        if ($sourceRole -eq $null) { $sourceRoleName = Read-Host "No such role. Please provide a valid role name" }
    }

    Write-Host "Role $sourceRoleName found" -ForegroundColor Yellow
    Write-Host "Disconnecting from $vCenter..." -ForegroundColor Yellow
    # The role object (Name and PrivilegeList of privilege IDs) stays in memory after disconnecting
    Disconnect-VIServer -Confirm:$false

    $vCenterTarget = Read-Host -Prompt "Enter target vCenter Server instance"
    Write-Host "Connecting to $vCenterTarget..." -ForegroundColor Yellow
    Connect-VIServer -Server $vCenterTarget

    $override = $null
    if (Get-VIRole -Name $sourceRole.Name -ErrorAction SilentlyContinue) {
        # A role with this name already exists on the target: ask before replacing it
        while ($override -ne "y") {
            $override = Read-Host -Prompt "Role with such name already exists. Do you want to override? This will remove any existing permissions associated with this role name. (y/n)"
            if ($override -eq "n") { break }
        }
    } else {
        Write-Host "Creating $($sourceRole.Name) role on $vCenterTarget..." -ForegroundColor Yellow
        New-VIRole -Name $sourceRole.Name
        # Privilege IDs are the same on every vCenter Server, so they are resolved on the target by ID
        Set-VIRole -Role (Get-VIRole -Name $sourceRole.Name) -AddPrivilege (Get-VIPrivilege -Id $sourceRole.PrivilegeList)
        Write-Host "Role $($sourceRole.Name) created on $vCenterTarget"
    }

    if ($override -eq "y") {
        Write-Host "Overwriting $($sourceRole.Name) ..." -ForegroundColor Yellow
        Remove-VIRole -Role (Get-VIRole -Name $sourceRole.Name) -Force:$true -Confirm:$false
        New-VIRole -Name $sourceRole.Name
        Set-VIRole -Role (Get-VIRole -Name $sourceRole.Name) -AddPrivilege (Get-VIPrivilege -Id $sourceRole.PrivilegeList)
        Write-Host "Role $($sourceRole.Name) re-created on $vCenterTarget" -ForegroundColor Yellow
    } elseif ($override -eq "n") {
        Write-Host "No changes made" -ForegroundColor Yellow
    }

    Write-Host "Disconnecting from $vCenterTarget..." -ForegroundColor Yellow
    Disconnect-VIServer -Confirm:$false
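As an added example (not part of the original post), the script below turns Scenario A into a check and complements Scenario C: it compares the permissions on each host against an expected baseline and reports drift, and it lists the privilege differences between two role objects so you can see what an override would change. The baseline hashtable, the cluster name prompt and the Test-VIPermissionBaseline / Compare-VIRolePrivileges function names are assumptions.

```powershell
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue   # as in the post; newer PowerCLI uses Import-Module VMware.PowerCLI

# Constructed baseline (assumption): which principal may hold which role on each host. Anything else is drift.
$Baseline = @{
    'root'                = 'Admin'
    'vlab\ESXiAdmins'     = 'Admin'
    'vlab\serviceAccount' = 'CIM Only'
}

# Hypothetical helper: returns one finding string per deviation from the baseline on $Entity.
function Test-VIPermissionBaseline {
    param([string]$Entity, [hashtable]$Expected)
    $findings = @()
    $actual = @(Get-VIPermission -Entity $Entity)
    foreach ($perm in $actual) {
        if (-not $Expected.ContainsKey($perm.Principal)) {
            $findings += "UNEXPECTED: '$($perm.Principal)' holds '$($perm.Role)' on $Entity"
        } elseif ($Expected[$perm.Principal] -ne $perm.Role) {
            $findings += "MISMATCH: '$($perm.Principal)' on $Entity has '$($perm.Role)', expected '$($Expected[$perm.Principal])'"
        }
    }
    foreach ($principal in $Expected.Keys) {
        if (-not ($actual | Where-Object { $_.Principal -eq $principal })) {
            $findings += "MISSING: no permission for '$principal' on $Entity"
        }
    }
    return $findings
}

# Hypothetical helper: privilege IDs (e.g. Host.Cim.CimInteraction) present in only one of two role objects.
function Compare-VIRolePrivileges {
    param($SourceRole, $TargetRole)
    $src = @($SourceRole.PrivilegeList | Where-Object { $_ })
    $tgt = @($TargetRole.PrivilegeList | Where-Object { $_ })
    foreach ($id in $src) { if ($tgt -notcontains $id) { "Only on source: $id" } }
    foreach ($id in $tgt) { if ($src -notcontains $id) { "Only on target: $id" } }
}

# Usage: audit every host of a cluster through a single vCenter session
$vCenter = Read-Host -Prompt "Enter vCenter Server instance"
Connect-VIServer -Server $vCenter
$ClusterName = Read-Host -Prompt "Enter cluster name"
foreach ($vmhost in Get-VMHost -Location $ClusterName | Sort-Object Name) {
    $findings = Test-VIPermissionBaseline -Entity $vmhost.Name -Expected $Baseline
    if ($findings) { $findings | ForEach-Object { Write-Host $_ -ForegroundColor Red } }
    else { Write-Host "$($vmhost.Name): permissions match baseline" -ForegroundColor Green }
}
Disconnect-VIServer -Confirm:$false
```

Seed the baseline from the Scenario A output of a known-good host so that every principal Get-VIPermission reports for that host is covered. For Scenario C, capture $sourceRole on the source, connect to the target and run Compare-VIRolePrivileges $sourceRole (Get-VIRole -Name $sourceRole.Name) before answering the override prompt.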

All scripts are provided AS IS. Although they have been tested and proven to work, they will need to be adjusted to fit your needs, as every environment and set of requirements is different.

Your ideas and comments are always welcome!

Ivaylo Ivanov

Ivaylo has 5 years of professional IT experience, most of it in server administration, networking and virtualization technologies. Since 2014 he has specialized in the VMware product family. He holds VCIX6-DCV and VCP7-CMA certifications. vExpert 2016/2017.

One Comment

  1. Excellent script, thanks a lot.
