Home > Blogs > VMware PowerCLI Blog > Monthly Archives: November 2010

Monthly Archives: November 2010

Managing vSphere Permissions with PowerCLI

vCenter Server and ESX/ESXi hosts determine the level of access for the user by reading the permissions that are assigned to the user. The combination of user name, password, and permissions authorizes the user to perform activities on vSphere server objects.

PowerCLI 4.0 U1 introduced a full set of cmdlets for managing vSphere permissions:

Name
Description
Retrieves the permissions defined on the specified inventory objects
Creates new permissions on the specified inventory objects for the provided users and groups in the role.
Modifies the properties of the specified permissions.
Removes the specified permissions.
Retrieve the privilege groups and items for the provided servers.
Retrieves all roles defined on the provided servers.
Creates a new role on the specified servers and applies the provided privileges.
Modifies the privileges of the provided roles.
Removes the specified roles.

By using these cmdlets, you can fully automate the setup of vSphere permissions.

The example below shows a sample scenario how to create a custom role and set permissions to a user.

First, you can get the privileges of the read-only role. A role is a predefined set of privileges. Privileges define basic individual rights required to perform actions and read properties.

$readOnlyPrivileges = Get-VIPrivilege -Role readonly 

To create a new role with custom privileges, use New-VIRole.

$myRole = New-VIRole -Privilege $readOnlyPrivileges -Name MyRole 

You can check the list of roles on the server including newly created role:

Get-VIRole

If you want to add more privileges to the newly created role just use the Set-VIRole cmdlet:

$powerOnPrivileges = Get-VIPrivilege -Name "Power On" 
$myRole = Set-VIRole –Role $myRole –AddPrivilege $powerOnPrivileges

The privileges on the updated role can be examined by using Get-VIPrivilege with the Role parameter:

Get-VIPrivilege -Role $myRole

We already have a custom created role, so we can grant a permission to a user. We’ll apply permissions to a vSphere root object and propagate them across the hierarchy:

$rootFolder = Get-Folder -NoRecursion
$myPermission = New-VIPermission -Entity $rootFolder -Principal "myuser" -Role readonly -Propagate:$true

Note that the Principal parameter supports local users and groups as well as domain users/groups if the vSphere server is joined in AD.

As you noticed, we’ve granted a read-only permission, so we need to update Role of the newly created permission with our custom role:

$myPermission = Set-VIPermission -Permission $myPermission -Role $myRoleRemove permission

These are the simple steps how to create a new role and grant permissions to a user.

If you want to remove permission, you can just use the Remove-VIPermission cmdlet

Remove-VIPermission $myPermission

and Remove-VIRole to remove your custom role:

Remove-VIRole MyRole

PowerCLI Presentation available from Portland VMUG Meeting

Folks,

In case you wanted to review Alton's presentation at last weeks Portland VMUG see attached.

Alton-Portland-1
Users getting ready to hear Alton's Session.

Portland-powercli-vmug

Download POWERCLI VMUG Alton Yu

VMworld 2010 – PowerCLI Lab Manual for your reading pleasure – Alton Yu

PoweCLI Fans,

We have had many requests for the PowerCLI Lab Manual – Please see attached in Word. We also plan on revising the Lab for VMworld 2011. Please let us know if you have any feedback or suggestions for improvements.

Enjoy,

Alton Yu – VMworld PowerCLI Lab Captain

Lab
Download VMworld_2010_PowerCLI_Lab_Final

Still Not a PowerCLI User? 10 Solid Reasons to Become a Better Professional!

1. Cutting edge technology

PowerCLI is a cutting edge technology based on the Microsoft PowerShell. Currently PowerShell is recognized as the most advanced shell environment. PowerCLI utilizes all of the PowerShell’s great features in addition to virtualization-related business logic and this makes it the leader of vSphere automation tools.

2. Saves hundreds of hours

Regardless the size of the environment you manage, it usually takes a lot of time doing repetitive tasks. With PowerCLI you can automate all of the boring processes and focus on the real issues.

3. Easy to learn

You don’t need to be a scripting guru to use PowerCLI. Actually, you don’t need a scripting background at all. As one of the users said when he first tried PowerCLI, “Using PowerCLI is more like talking to your virtual environment”. And if you have troubles you can always check our Cmdlet Reference and Administration Guide.

4. Community

A large number of VMware and independent experts are ready to assist you in any situation. Usually, you receive the solution within a couple of minutes after posting your question.

5. Community extensions

Our most advanced users have written a lot of scripts that help them in solving daily issues.  You can download them for free and start using them right away.

6. Stable, reliable, and user-friendly

We’ve been developing PowerCLI for 3 years and in that time we’ve made 5 releases. For all these years we’ve been working hard on improving the quality and usability of the product.

7. Scalable

In all our releases we dedicate a lot of efforts improving the performance. We’ve done a lot of tests on large environments to be sure the product is fast enough for big environments.

8. User-driven product

Most of our features are requested by customers. We believe that a product should follow the customer needs.

9. All-in-one solution

PowerCLI allows you to do practically everything you need to administrate a vSphere environment:

  • Initial setup
  • Host configuration
  • Guest OS customization
  • Maintenance
  • Reporting
  • Monitoring

10. Free

PowerCLI is free. All you need to do is register and download.

Feel free to share thoughts.

Cheers,
Nedko