

Managing vSphere Permissions with PowerCLI

vCenter Server and ESX/ESXi hosts determine the level of access for the user by reading the permissions that are assigned to the user. The combination of user name, password, and permissions authorizes the user to perform activities on vSphere server objects.

PowerCLI 4.0 U1 introduced a full set of cmdlets for managing vSphere permissions:

Name                 Description
Get-VIPermission     Retrieves the permissions defined on the specified inventory objects.
New-VIPermission     Creates new permissions on the specified inventory objects for the provided users and groups in the role.
Set-VIPermission     Modifies the properties of the specified permissions.
Remove-VIPermission  Removes the specified permissions.
Get-VIPrivilege      Retrieves the privilege groups and items for the provided servers.
Get-VIRole           Retrieves all roles defined on the provided servers.
New-VIRole           Creates a new role on the specified servers and applies the provided privileges.
Set-VIRole           Modifies the privileges of the provided roles.
Remove-VIRole        Removes the specified roles.

By using these cmdlets, you can fully automate the setup of vSphere permissions.

The example below walks through a sample scenario: creating a custom role and granting a user permissions with it.

First, get the privileges of the read-only role. A role is a predefined set of privileges, and privileges define the basic individual rights required to perform actions and read properties.

To create a new role with custom privileges, use New-VIRole.

You can check the list of roles on the server, including the newly created role, with Get-VIRole:

If you want to add more privileges to the newly created role, use the Set-VIRole cmdlet:

The privileges on the updated role can be examined by using Get-VIPrivilege with the Role parameter:

Now that we have a custom role, we can grant a permission to a user. We'll apply the permission to the vSphere root object and propagate it across the hierarchy:

Note that the Principal parameter supports local users and groups as well as domain users and groups if the vSphere server is joined to AD.

As you noticed, we granted a read-only permission, so we need to update the Role of the newly created permission to our custom role with Set-VIPermission:

These are the simple steps for creating a new role and granting permissions to a user.

If you want to remove the permission, use the Remove-VIPermission cmdlet:

and Remove-VIRole to remove your custom role:
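The whole scenario above in one script, as an added example that is not the post's own code. It assumes an open Connect-VIServer session; the role name VMOperator, the principal CONTOSO\vmoperator and the two extra privilege IDs are placeholders chosen for the example.

```powershell
# Added example; assumes Connect-VIServer has already been run.
# Placeholder names: change them for your environment.
$principal = 'CONTOSO\vmoperator'
$roleName  = 'VMOperator'

# 1. Start from the built-in read-only privilege set.
$readOnly = Get-VIPrivilege -Role (Get-VIRole -Name 'ReadOnly')

# 2. Create the custom role seeded with those privileges.
$role = New-VIRole -Name $roleName -Privilege $readOnly

# 3. Extend the role with a small, explicit set of extra privileges
#    (least privilege: add only what the operator actually needs).
$extra = Get-VIPrivilege -Id 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff'
Set-VIRole -Role $role -AddPrivilege $extra | Out-Null

# 4. Verify exactly what the role grants before handing it to anyone.
Get-VIPrivilege -Role (Get-VIRole -Name $roleName) | Select-Object Id | Sort-Object Id

# 5. Grant the principal read-only access at the root object, propagated
#    down the whole inventory hierarchy.
$root = Get-Folder -NoRecursion
$perm = New-VIPermission -Entity $root -Principal $principal `
            -Role (Get-VIRole -Name 'ReadOnly') -Propagate:$true

# 6. Switch the existing permission over to the custom role.
$perm = Set-VIPermission -Permission $perm -Role (Get-VIRole -Name $roleName)

# 7. Audit: who has what on the root object, and whether it propagates.
Get-VIPermission -Entity $root | Select-Object Principal, Role, IsGroup, Propagate

# Clean-up when the grant is no longer needed: remove the permission first,
# then the role it referenced.
# Remove-VIPermission -Permission $perm -Confirm:$false
# Remove-VIRole -Role (Get-VIRole -Name $roleName) -Confirm:$false
```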

13 thoughts on "Managing vSphere Permissions with PowerCLI"

  1. Doug Crist

    This is good stuff. Thanks very much.
    I’m trying to add a permission while connected to an ESXi host with an Entity of “domain\group”. It says it can’t find the VIAccount by that name. I can do this using the vSphere client, but was hoping to script it since I have to apply it to multiple hosts.
    Thanks,
    Doug

  2. Doug Crist

    Oops. I should have added that the ESXi host is a member of that AD domain.

  3. Doug Crist

    I’m not sure what happened to my first post, to which the ‘oops’ was a correction. So here goes again.
    I can add a permission for a “domain\group” using the vSphere client. When I try the New-VIPermission and use “domain\group” as the -Principal it says it can’t find the VIAccount by that name. Since I have multiple ESXi hosts to update I was hoping to get the script to work.
    Thanks,
    Doug

  4. Andras Jakab

    Same here. I would like to hear the solution to Doug's problem too.
    Thanks,
    Andras

    1. Andras Jakab

      I think it's expecting a user, not a group. If you check the permissions with Get-VIPermission -Entity $YourVIServer, the 4th column is 'IsGroup', which might be required to distinguish between the two object types. Therefore the New-VIPermission cmdlet should have an "-IsGroup" boolean parameter to set this on the permission, but it doesn't.

      1. Andras Jakab

        BTW, here's an alternative method to add a domain group locally to a domain-joined ESXi. You must be connected directly, and only, to the ESXi host, not to a vCenter.

        ###
        # Placeholder role and group names
        $Role = "ReadOnly"
        $groupName = "ContosoDomain\VMwareADGroup"

        # Managed object of the host and its AuthorizationManager
        $currhost = Get-VMHost | % {Get-View $_.Id}
        $authmgr = Get-View $currhost.Client.ServiceContent.AuthorizationManager
        # Build the permission: a domain group, propagated down the hierarchy
        $perm = New-Object VMware.Vim.Permission
        $perm.Principal = $groupName
        $perm.Group = $true
        $perm.Propagate = $true
        $perm.RoleId = ($authmgr.RoleList | where {$_.Name -eq $Role}).RoleId
        # Apply the permission to the host's parent object
        $authmgr.SetEntityPermissions($currhost.Parent, $perm)
        ###

        You can check the available role names with this:
        ###
        $currhost = Get-VMHost | % {Get-View $_.Id}
        (Get-View $currhost.Client.ServiceContent.AuthorizationManager).RoleList | Select Name
        ###

        Hope this helps someone.

  5. Andras Jakab

    Sadly, the code above will not work as it should. If you check the authorization.xml in the host's /etc/vmware/hostd folder, you can see that the root user has an Administrator role (ID is -1) for the entity ha-root-folder. The code creates three other registrations, but none of them for ha-root-folder. Without it, you will be able to log in locally with your domain account, but unable to create or even see local users, or modify any permission. =(

  6. Granville

    How would I update a role? I have a Jr Admin role that I need to turn on Virtual machine > Configuration > Add or remove device.

    1. Granville

      I forgot, I have 92 vCenters I need to do this on.

  7. Evan

    You need to use (Get-View Datacenter-ha-datacenter).Parent instead. So....

    # AuthorizationManager of the directly connected ESXi host
    $authmgr = Get-View AuthorizationManager-ha-authmgr
    $perm = New-Object VMware.Vim.Permission
    $perm.Group = $true
    $perm.Propagate = $true
    $perm.Principal = "YOURDOMAIN\GSG-PCVMHosts-EnterpriseAdmins"
    $perm.RoleId = ($authmgr.RoleList | where {$_.Name -eq "Admin"}).RoleId
    # Target the parent of the datacenter, i.e. the host's root folder
    $authmgr.SetEntityPermissions((Get-View Datacenter-ha-datacenter).Parent, $perm)

  8. Evan

    And for creating a new role and giving it permissions using a VM Host that already has the role:

    # Read the role definition from a host that already has it
    Connect-VIServer $CurrentVMHost
    $HelpdeskRole = Get-VIRole -Name "Helpdesk Admins"
    Disconnect-VIServer $CurrentVMHost -Confirm:$false | Out-Null

    Connect-VIServer $NewVMHost -User root -Password "*********" -WarningAction SilentlyContinue | Out-Null

    Write-Verbose -Message "Creating 'Helpdesk Admins' Custom Security Group on [$NewVMHostName]" -Verbose
    # Create the role by name; it starts out with no privileges
    New-VIRole -Name $HelpdeskRole.Name | Out-Null

    Write-Verbose -Message "Configuring Permissions on 'Helpdesk Admins' Custom Security Group on [$NewVMHostName]" -Verbose
    # Copy the privilege list captured from the source host onto the new role
    Set-VIRole -Role (Get-VIRole -Name "Helpdesk Admins") -AddPrivilege (Get-VIPrivilege -Id $HelpdeskRole.PrivilegeList) | Out-Null

  10. arlan falk

    Hi, is there a way to take all accesses in an environment that have role-a and move them to role-b? I now have 3 roles that are identical and need to consolidate them to one.
    Thanks

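One way to do the consolidation asked about above, as an added example that is not part of the thread. It assumes sessions to the vCenters are already open with Connect-VIServer, and role-a and role-b are placeholder role names.

```powershell
# Added example; assumes Connect-VIServer sessions are already open.
# Placeholder role names: the role to retire and the role to keep.
$sourceRoleName = 'role-a'
$targetRoleName = 'role-b'

foreach ($server in $global:DefaultVIServers) {
    $source = Get-VIRole -Name $sourceRoleName -Server $server -ErrorAction SilentlyContinue
    $target = Get-VIRole -Name $targetRoleName -Server $server -ErrorAction SilentlyContinue
    if (-not $source -or -not $target) {
        Write-Warning "$($server.Name): one of the roles is missing, skipping"
        continue
    }

    # Safety check: only consolidate when both roles grant exactly the same
    # privileges; otherwise moving permissions would silently widen or narrow
    # somebody's access.
    $diff = Compare-Object -ReferenceObject @($source.PrivilegeList) `
                           -DifferenceObject @($target.PrivilegeList)
    if ($diff) {
        Write-Warning "$($server.Name): privilege sets differ, leaving permissions untouched"
        $diff | Format-Table -AutoSize | Out-String | Write-Warning
        continue
    }

    # Move every permission that still references the source role.
    $perms = Get-VIPermission -Server $server | Where-Object { $_.Role -eq $sourceRoleName }
    foreach ($p in $perms) {
        Write-Host "$($server.Name): $($p.Principal) on $($p.Entity.Name) -> $targetRoleName"
        Set-VIPermission -Permission $p -Role $target -Confirm:$false | Out-Null
    }

    # Retire the source role once nothing references it any more.
    $left = Get-VIPermission -Server $server | Where-Object { $_.Role -eq $sourceRoleName }
    if (-not $left) {
        Remove-VIRole -Role $source -Confirm:$false
    }
}
```

Run it once per pair of roles to be merged; the Compare-Object check is what keeps "identical" from being an assumption.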
