Assigning the appropriate access level to each user or group mitigates security concerns and lowers the risk of human error. You certainly don't want anyone other than VMware admins to touch hosts, clusters, virtual switches or storage. There are predefined Roles that cover most cases, and plenty of custom Role examples are available on the Internet. This article does not focus on that; instead it shows how to speed up Roles and Permissions provisioning across ESXi hosts or vCenter Servers using PowerCLI.
A quick recap on the terminology. As per VMware definitions:
- Privilege – The ability to perform a specific action or read a specific property.
- Role – A collection of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task.
- Permission – Consists of a user or group and an assigned role for an inventory object.
Below are a few examples of managing Roles and Permissions with PowerCLI. The scripts are basic and easy to read; the main idea is that you can use them as a reference and adapt them to your needs.
- Scenario A – View currently assigned permissions
Get-VIPermission -Entity *inventory object*
Use case example: Loop through a set of ESXi hosts to validate the access levels that are set.

```powershell
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

####################
# Get list of ESXi hosts
$vCenter = Read-Host -Prompt "Enter vCenter Server instance"
Connect-VIServer -Server $vCenter
$ClusterName = Read-Host -Prompt "Enter cluster name"
$hosts = @()
Get-VMHost -Location $ClusterName | Sort Name | % { $hosts += $_.Name }
Disconnect-VIServer -Confirm:$False

# Prompt once for the ESXi root credential instead of embedding the password in the script
$hostCred = Get-Credential -UserName 'root' -Message "ESXi root password"

$count = 0
foreach ($vmhost in $hosts) {
    $count += 1
    Write-Host "Connecting to $vmhost..." -ForegroundColor "yellow"
    Connect-VIServer -Server $vmhost -Credential $hostCred
    Get-VIPermission -Entity $vmhost | Select Role, Principal
    if ($count -lt $hosts.Count) { Read-Host -Prompt "Press Enter to move to the next host" }
    Disconnect-VIServer -Confirm:$False
}
```
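Listing permissions host by host still leaves the comparison to the reader. The script below is an added example, not code from the original post: it takes the same cluster walk and checks every host's root-level permissions against an expected baseline, reporting unexpected principals, wrong roles and missing entries. It assumes PowerCLI 6.5 or newer (Import-Module rather than Add-PSSnapin); the group and account names in the baseline and the CSV path are constructed.

```powershell
# Added example, not from the original post: compare the permissions on every ESXi host in a
# cluster against an expected baseline and report drift. Assumes PowerCLI 6.5 or newer
# (Import-Module instead of Add-PSSnapin); group and account names below are constructed.
Import-Module VMware.VimAutomation.Core -ErrorAction Stop

# Expected host-level permissions: principal -> role. Hashtable keys compare case-insensitively.
$Baseline = @{
    'root'                = 'Admin'
    'vlab\ESXiAdmins'     = 'Admin'
    'vlab\serviceAccount' = 'CIM Only'
}

# Ask once for the ESXi credential rather than embedding a password in the script
$hostCred = Get-Credential -UserName 'root' -Message 'ESXi root password'

$vCenter = Read-Host -Prompt 'Enter vCenter Server instance'
Connect-VIServer -Server $vCenter | Out-Null
$ClusterName = Read-Host -Prompt 'Enter cluster name'
$hosts = Get-VMHost -Location $ClusterName | Sort-Object Name | Select-Object -ExpandProperty Name
Disconnect-VIServer -Server $vCenter -Confirm:$false

$findings = foreach ($vmhost in $hosts) {
    Write-Host "Auditing $vmhost..." -ForegroundColor Yellow
    try {
        $esx = Connect-VIServer -Server $vmhost -Credential $hostCred -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Host = $vmhost; Principal = ''; Role = ''; Finding = "Connect failed: $($_.Exception.Message)" }
        continue
    }
    $perms = Get-VIPermission -Server $esx -Entity (Get-VMHost -Server $esx)

    # Anything present on the host that the baseline does not list, or lists with another role
    foreach ($p in $perms) {
        $expected = $Baseline[$p.Principal]
        if (-not $expected) {
            [pscustomobject]@{ Host = $vmhost; Principal = $p.Principal; Role = $p.Role; Finding = 'Unexpected principal' }
        } elseif ($expected -ne $p.Role) {
            [pscustomobject]@{ Host = $vmhost; Principal = $p.Principal; Role = $p.Role; Finding = "Expected role '$expected'" }
        }
    }
    # Anything the baseline requires that is absent on the host
    foreach ($principal in $Baseline.Keys) {
        if ($perms.Principal -notcontains $principal) {
            [pscustomobject]@{ Host = $vmhost; Principal = $principal; Role = $Baseline[$principal]; Finding = 'Missing permission' }
        }
    }
    Disconnect-VIServer -Server $esx -Confirm:$false
}

if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path '.\esxi-permission-drift.csv' -NoTypeInformation   # constructed output path
} else {
    Write-Host 'All hosts match the baseline' -ForegroundColor Green
}
```

The baseline is deliberately the whole expected set, so a permission that was added by hand and a permission that was silently removed both show up in the same report; scheduling this run and diffing the CSV over time turns the page's one-off check into a recurring control.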
- Scenario B – Assign permissions
New-VIPermission -Entity *inventory object* -Principal *user or group* -Role *role name*
Use case example: Grant an AD group permissions at the ESXi level. In case of a vCenter Server outage, the support teams will still be able to manage their VMs by connecting directly to the ESXi host. The example below also creates a new custom role.

```powershell
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

### Set parameters ###
$ADGroup = "vlab\ESXiAdmins"
$Role = "Admin"
####################

# Get list of ESXi hosts
$vCenter = Read-Host -Prompt "Enter vCenter Server instance"
Connect-VIServer -Server $vCenter
$ClusterName = Read-Host -Prompt "Enter cluster name"
$hosts = @()
Get-VMHost -Location $ClusterName | Sort Name | % { $hosts += $_.Name }
Disconnect-VIServer -Confirm:$false

foreach ($vmhost in $hosts) {
    Write-Host "Connecting to $vmhost..." -ForegroundColor "yellow"
    Connect-VIServer -Server $vmhost
    Write-Host "Assigning $Role permissions to $ADGroup" -ForegroundColor "yellow"
    New-VIPermission -Entity $vmhost -Principal $ADGroup -Role $Role
    Write-Host "Creating custom Role and assigning permissions" -ForegroundColor "yellow"
    # Roles are stored per host, so the custom role has to be created on every ESXi host
    New-VIRole -Name "CIM Only" -Privilege "CIM interaction","System Management"
    New-VIPermission -Entity $vmhost -Principal "vlab\serviceAccount" -Role "CIM Only"
    Disconnect-VIServer -Confirm:$false
}
```
- Scenario C – Duplicate custom role from one vCenter Server to another
Use case example: Save time and ensure consistent custom role privileges between your vCenter Servers.

```powershell
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

$vCenter = Read-Host -Prompt "Enter source vCenter Server instance"
Write-Host "Connecting to $vCenter..." -ForegroundColor "yellow"
Connect-VIServer -Server $vCenter

$sourceRole = $null
$sourceRoleName = Read-Host -Prompt "Enter source role name"
while ($sourceRole -eq $null) {
    Write-Host "Querying for role $sourceRoleName..." -ForegroundColor "yellow"
    $sourceRole = Get-VIRole -Name $sourceRoleName -ErrorAction SilentlyContinue
    if ($sourceRole -eq $null) { $sourceRoleName = Read-Host "No such role. Please provide valid role name" }
}
Write-Host "Role $sourceRoleName found" -ForegroundColor "yellow"
Write-Host "Disconnecting from $vCenter..." -ForegroundColor "yellow"
Disconnect-VIServer -Confirm:$false

$vCenterTarget = Read-Host -Prompt "Enter target vCenter Server instance"
Write-Host "Connecting to $vCenterTarget..." -ForegroundColor "yellow"
Connect-VIServer -Server $vCenterTarget

$override = $null
if (Get-VIRole -Name $sourceRole.Name -ErrorAction SilentlyContinue) {
    while ($override -ne "y") {
        $override = Read-Host -Prompt "Role with such name already exists. Do you want to override? This will remove any existing permissions associated with this role name. (y/n)"
        if ($override -eq "n") { break }
    }
} else {
    Write-Host "Creating $sourceRole role on $vCenterTarget..." -ForegroundColor "yellow"
    New-VIRole -Name $sourceRole.Name
    # The source role object keeps its PrivilegeList after disconnecting, so the IDs can be resolved on the target
    Set-VIRole -Role (Get-VIRole -Name $sourceRole.Name) -AddPrivilege (Get-VIPrivilege -Id $sourceRole.PrivilegeList)
    Write-Host "Role $sourceRole created on $vCenterTarget"
}

if ($override -eq "y") {
    Write-Host "Overwriting $sourceRole ..." -ForegroundColor "yellow"
    # Removing the role also removes every permission bound to it; -Force is required when the role is in use
    Remove-VIRole -Role (Get-VIRole -Name $sourceRole.Name) -Force:$true -Confirm:$false
    New-VIRole -Name $sourceRole.Name
    Set-VIRole -Role (Get-VIRole -Name $sourceRole.Name) -AddPrivilege (Get-VIPrivilege -Id $sourceRole.PrivilegeList)
    Write-Host "Role $sourceRole re-created on $vCenterTarget" -ForegroundColor "yellow"
} elseif ($override -eq "n") {
    Write-Host "No changes made" -ForegroundColor "yellow"
}

Write-Host "Disconnecting from $vCenterTarget..." -ForegroundColor "yellow"
Disconnect-VIServer -Confirm:$false
```
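Scenario C copies one role between two live connections. The script below is an added example and not the post's own code: it generalises the same idea by writing the role's privilege IDs to a JSON file, which can be kept under version control and replayed against any number of target vCenter Servers, with built-in roles left alone and privileges unknown on the target reported rather than silently dropped. It assumes PowerCLI 6.5 or newer; the file path and server names in the usage lines are constructed.

```powershell
# Added example, not from the original post: persist a role's privilege IDs to a JSON file and
# re-create the role on any number of target vCenter Servers from that file. Assumes PowerCLI 6.5
# or newer; the file path and server names in the usage lines are constructed.
Import-Module VMware.VimAutomation.Core -ErrorAction Stop

function Export-RoleDefinition {
    param([string]$Server, [string]$RoleName, [string]$Path)
    $src  = Connect-VIServer -Server $Server
    $role = Get-VIRole -Server $src -Name $RoleName -ErrorAction Stop
    # Privilege IDs (e.g. Host.Cim.CimInteraction) are what New-VIRole needs; display names are only labels
    [pscustomobject]@{
        Name          = $role.Name
        PrivilegeList = @($role.PrivilegeList)
        ExportedFrom  = $Server
        ExportedAt    = (Get-Date).ToString('o')
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
    Disconnect-VIServer -Server $src -Confirm:$false
}

function Import-RoleDefinition {
    param([string[]]$Servers, [string]$Path, [switch]$Overwrite)
    $def = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($target in $Servers) {
        $dst = Connect-VIServer -Server $target
        $existing = Get-VIRole -Server $dst -Name $def.Name -ErrorAction SilentlyContinue
        if ($existing -and $existing.IsSystem) {
            Write-Warning "$($def.Name) is a built-in role on $target; not touching it"
        } elseif ($existing -and -not $Overwrite) {
            Write-Host "$($def.Name) already exists on $target; skipping (use -Overwrite to replace)" -ForegroundColor Yellow
        } else {
            if ($existing) {
                # Removing a role also removes every permission that references it; -Force is needed when it is in use
                Remove-VIRole -Role $existing -Force:$true -Confirm:$false
            }
            # Resolve IDs on the target; a privilege unknown there (different vSphere version) is reported, not silently dropped
            $privs   = Get-VIPrivilege -Server $dst -Id $def.PrivilegeList -ErrorAction SilentlyContinue
            $missing = @($def.PrivilegeList | Where-Object { $_ -notin @($privs.Id) })
            if ($missing.Count -gt 0) { Write-Warning "Privileges unknown on ${target}: $($missing -join ', ')" }
            $new = New-VIRole -Server $dst -Name $def.Name -Privilege $privs
            Write-Host "Created $($new.Name) on $target with $(@($privs).Count) privileges" -ForegroundColor Yellow
        }
        Disconnect-VIServer -Server $dst -Confirm:$false
    }
}

# Usage (constructed names): export once, import to as many targets as needed
Export-RoleDefinition -Server 'vcenter01.vlab.local' -RoleName 'CIM Only' -Path '.\cim-only-role.json'
Import-RoleDefinition -Servers 'vcenter02.vlab.local', 'vcenter03.vlab.local' -Path '.\cim-only-role.json'
```

Keeping the JSON file next to the scripts that apply it gives you a reviewable record of what each custom role is supposed to contain, so a role that has drifted on one vCenter can be reset with -Overwrite instead of being compared by eye.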
All scripts are provided AS IS. Even though they have been tested and proven to work, they need to be adjusted to fit your needs, as every environment and its requirements are different.
Your ideas and comments are always welcome!
Ivaylo Ivanov
Excellent Script Thanks a lot