VMware Cloud Community
cno211cno
Contributor

Identifying Role Usage

Here is a question for which the solution might be quite helpful. Is there a way to create a list of all of the roles and the objects that they are actually assigned to in PowerShell? I have run the Perl script in the Managing VMware VirtualCenter Roles and Permissions document, but this script outputs every object and the User/Group and Role associated with it. For my environment it took about 20 min to run and exported about 12,000 objects. What I would like to see is just the Roles that are assigned and the object that each is assigned to, and not the child objects. I do not need every object, just the objects that a role is actually assigned to. 12,000 objects is a lot of objects to check when trying to find discrepancies. For instance, if I have a Role assigned to the Datacenters folder, I would like to see:

#RoleName# #Object Assigned To# #User or Group Permission Given To#

Thanks all in advance for the help.


Accepted Solutions
LucD
Leadership

There are several ways to list the inventory of the VI environment.

You can list the 2 branches ("Host and Clusters" and "Virtual Machines and Templates"), similar to what the VI client shows.

See for example

Or you can use the list returned by the Get-Inventory cmdlet.

The sample script below uses the Get-Inventory cmdlet.

It filters out the hidden folders called "vm" and "host" since you normally can't define permissions for these.


filter Get-Permissions{
    # Runs once for every inventory object that comes down the pipeline
    $report = @()
    $object = Get-View -Id $_.ID
    # Skip the hidden "vm" and "host" folders; permissions are normally not defined on them
    if($object.Name -ne "vm" -and $object.Name -ne "host"){
        $path = get-path $object
        # Second argument $false: only permissions defined directly on this object, not inherited ones
        $perms = $authMgr.RetrieveEntityPermissions($object.MoRef, $false)

        if($perms.Count -gt 0){
            foreach($perm in $perms){
                # Resolve the numeric RoleId of the permission to the role name
                foreach($role in $authMgr.RoleList){
                    if($role.RoleId -eq $perm.RoleId){
                        $row = "" | select roleName, objName, principalName
                        $row.roleName = $role.Name
                        $row.objName = $path
                        $row.principalName = $perm.Principal
                        $report += $row
                    }
                }
            }
        }
    }
    $report
}

function get-path($entity){
    # Build the full inventory path by walking up the Parent chain of the object
    $path = $entity.Name
    while($entity.Parent -ne $null){
        $entity = Get-View -Id $entity.Parent
        if($entity.Name -ne "vm" -and $entity.Name -ne "host"){
            $path = $entity.Name + "\" + $path
        }
    }
    return $path
}

$authMgr = Get-View AuthorizationManager

Get-Inventory | Get-Permissions

Note 1: the order of the returned objects is the order returned by the Get-Inventory cmdlet.

This can be changed by piping the result to the Sort-Object cmdlet.


Get-Inventory | Get-Permissions | Sort-Object -property objName

Note 2: the script does not return inherited permissions.

This can easily be changed by changing the 2nd parameter in the RetrieveEntityPermissions method to $true.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

6 Replies
cno211cno
Contributor

Exactly what I was looking for. Once again LucD this is very much appreciated.

joni2009
Contributor

Hello.

Thank you for your script to review Virtual center user and permissions.

I am using it in ESX 3.0 and it works perfectly. But with ESX 3.5 it doesn't work, and the following error appears:

"Referencia a objeto no establecida como instancia de un objeto."

translated, it may be like this:

"Reference to an object not established as an object instance"

in the line: Get-Inventory | Get-Permissions

Could you help me?

If you need any other information, do not hesitate to contact me.

Thank you in advance,

kind regards, joni.

MrEHere
Enthusiast

I am new to this and had to figure out a couple of things through trial and error. These things may be obvious to the pro PowerShell guru, but were not to me :)

You cannot run this script from the PowerShell command line.

When I ran:

D:\Scripts> POWERSHELL MyScript.ps1

I got a plethora of errors.

However, if I ran the script from the VI Toolkit command line, it ran (with an extra line added in).

I added the "Connect-VIServer -server YourServerNameHere" line to the beginning of the script.

Once launched (see below) it prompted me for credentials and then ran just fine.

To run the script:

Launch the "VMware VI ToolKit" from the Start/Programs/VMware menu (You do have this toolkit installed, right?)

At the VI ToolKit command prompt, CD to the directory where your .PS1 script resides

Then just key in your script name

VI ToolKit> MyScript.ps1

You are prompted for credentials to the VC server you specified in the script, and the script returns the values.

HTH

Alan

bradley4681
Expert

How can I go about getting this into Excel? I exported it as an XML file, but when importing it into Excel it says the source does not refer to a schema, and then it's all unorganized after import...

Cheers,

Bradley Sessions

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

LucD
Leadership

This thread is rather old, and the PowerCLI team has added some new cmdlets in PowerCLI 4u1 (Get-VIPermission, Get-VIPrivilege and Get-VIRole) that do more or less the same as this script does.

If you still want to use the script, I would advise exporting the data to a CSV file.

You can change the last line like this

Get-Inventory | Get-Permissions | Export-Csv "C:\Permissions.csv" -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
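As an added example (not LucD's script and not code from this thread), the same audit done with the Get-VIPermission and Get-VIRole cmdlets named in this reply: it resolves the object path the way the accepted solution's get-path does, writes the CSV as in the line above, and also lists custom roles that are defined but assigned nowhere, which is the kind of discrepancy the original question was after. It assumes PowerCLI 4u1 or later and a session already opened with Connect-VIServer.

```powershell
# Added example: audit explicit role assignments with the PowerCLI cmdlets
# Get-VIPermission / Get-VIRole, then flag custom roles that are never used.
# Assumes Connect-VIServer has already been run against the vCenter server.

# Walks the Parent chain of a managed object view and skips the hidden
# "vm" / "host" folders, so the path matches what the VI client displays.
function Get-EntityPath {
    param($View)
    $path = $View.Name
    $parent = $View.Parent
    while ($parent -ne $null) {
        $p = Get-View -Id $parent
        if ($p.Name -ne "vm" -and $p.Name -ne "host") {
            $path = $p.Name + "\" + $path
        }
        $parent = $p.Parent
    }
    return $path
}

# One row per explicit permission entry. Inherited entries are not listed,
# so only the objects a role is actually assigned to appear in the report.
$report = Get-VIPermission | ForEach-Object {
    $view = Get-View -Id $_.EntityId
    New-Object PSObject -Property @{
        RoleName   = $_.Role
        ObjectPath = Get-EntityPath $view
        Principal  = $_.Principal
        IsGroup    = $_.IsGroup
        Propagate  = $_.Propagate
    }
}

# Sorted by object path and written to CSV for review in Excel
$report | Sort-Object ObjectPath |
    Export-Csv "C:\Permissions.csv" -NoTypeInformation -UseCulture

# Custom (non-system) roles that no permission entry refers to: these are
# candidates for review or removal, since an unused role is easy to overlook.
$assignedRoles = $report | Select-Object -ExpandProperty RoleName -Unique
Get-VIRole |
    Where-Object { -not $_.IsSystem -and $assignedRoles -notcontains $_.Name } |
    Select-Object Name, Id
```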
