6 Replies Latest reply on Jan 12, 2010 9:20 AM by LucD

    Identifying Role Usage

    cno211cno Novice


      Here is a question whose solution might be quite helpful. Is there a way to create a list of all of the roles and the objects that they are actually assigned to in PowerShell? I have run the Perl script in the Managing VMware VirtualCenter Roles and Permissions but this script outputs every object and the User/Group and Role associated with it. For my environment it took about 20 min to run and exported about 12,000 objects. What I would like to see is just the Roles that are assigned and the object that it is assigned to and not the child objects. I do not need every object, just the objects that a role is actually assigned to. 12,000 objects is a lot of objects to check for when trying to find discrepancies. For instance, if I have a Role assigned to the Datacenters folder, I would like to see:



      #RoleName # #Object Assigned to#  #User or Group permission Given to#









      Thanks to all in advance for the help.



        • 1. Re: Identifying Role Usage
          LucD Guru

          There are several ways to list the inventory of the VI environment.

          You can list the 2 branches ("Host and Clusters" and "Virtual Machines and Templates"), similar to what the VI client shows.

          See for example "Use get-inventory to get datastore,cluster,resourcepool,vm's in hirarchy"


          Or you can use the list returned by the Get-Inventory cmdlet.


          The sample script below uses the Get-Inventory cmdlet.

          It filters out the hidden folders called "vm" and "host" since you normally can't define permissions for these.



          # Emits one row per permission defined directly on the piped inventory object
          filter Get-Permissions{
              $report = @()
              $object = Get-View -Id $_.ID
              if($object.Name -ne "vm" -and $object.Name -ne "host"){
                  $path = get-path $object
                  # $false = only permissions defined on this object, not inherited ones
                  $perms = $authMgr.RetrieveEntityPermissions($object.MoRef, $false)
                  if($perms.Count -gt 0){
                      foreach($perm in $perms){
                          foreach($role in $authMgr.RoleList){
                              if($role.RoleId -eq $perm.RoleId){
                                  $row = "" | select roleName, objName, principalName
                                  $row.roleName = $role.Name
                                  $row.objName = $path
                                  $row.principalName = $perm.Principal
                                  $report += $row
                              }
                          }
                      }
                  }
              }
              $report
          }

          # Builds the inventory path of an object, skipping the hidden "vm" and "host" folders
          function get-path($entity){
              $path = $entity.Name
              while($entity.Parent -ne $null){
                  $entity = Get-View -Id $entity.Parent
                  if($entity.Name -ne "vm" -and $entity.Name -ne "host"){
                      $path = $entity.Name + "\" + $path
                  }
              }
              return $path
          }

          $authMgr = Get-View AuthorizationManager
          Get-Inventory | Get-Permissions


          Note1: the order of the returned objects is the order returned by the Get-Inventory cmdlet.

          This can be changed by piping the result to the Sort-Object cmdlet.

          Get-Inventory | Get-Permissions | Sort-Object -property objName


          Note2: the script does not return inherited permissions.

          This can easily be changed by changing the 2nd parameter in the RetrieveEntityPermissions method to $true

          • 2. Re: Identifying Role Usage
            cno211cno Novice


            Exactly what I was looking for. Once again LucD this is very much appreciated.



            • 3. Re: Identifying Role Usage
              joni2009 Lurker





              Thank you for your script to review Virtual center user and permissions.



              I am using it in ESX 3.0 and it works perfectly. But with ESX 3.5 it doesn't work, and the following error appears:



              "Referencia a objeto no establecida como instancia de un objeto."



              translated, it may be like this



              "Reference to an object not established as an object instance"



              in the line: Get-Inventory | Get-Permissions



              Could you help me?



              If you need any other information do not hesitate to contact me.



              Thank you in advance,



              kind regards, joni.



              • 4. Re: Identifying Role Usage
                MrEHere Enthusiast

                I am new to this and had to figure out a couple of things through trial and error. These things may be obvious to the pro-powershell guru, but were not to me.


                You cannot run this script from the powershell command line.

                When I ran:


                D:\Scripts> POWERSHELL MyScript.ps1


                I got a plethora of errors.

                However, if I ran the script from the VI Toolkit command line, it ran (with an extra line added in).

                I added the "Connect-VIServer -server YourServerNameHere" line to the beginning of the script.

                Once launched (see below) it prompted me for credentials and then ran just fine.


                To run the script:

                Launch the "VMware VI ToolKit" from the Start/Programs/VMware menu (You do have this toolkit installed, right?)

                At the VI ToolKit command prompt, CD to the directory where your .PS1 script resides

                Then just key in your script name


                VI ToolKit> MyScript.ps1


                You are prompted for credentials to the VC server you specified in the script, and the script returns the values.




                • 5. Re: Identifying Role Usage
                  bradley4681 Expert

                  How can I go about getting this into Excel? I exported it as an XML file but when importing it into Excel it says the source does not refer to a scheme and then it's all unorganized after import...






                  Bradley Sessions


                  If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

                  • 6. Re: Identifying Role Usage
                    LucD Guru

                    This thread is rather old and the PowerCLI team has added in PowerCLI 4u1 some new cmdlets (Get-ViPermission, Get-VIPrivilege and Get-VIRole) that do more or less the same as this script is doing.

                    If you still want to use the script I would advise exporting the data to a CSV file.

                    You can change the last line like this:

                    Get-Inventory | Get-Permissions | Export-Csv "C:\Permissions.csv" -NoTypeInformation -UseCulture
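
For the discrepancy review the original question describes, the exported report can be summarized per role and checked for principals whose role changes further down the inventory tree. This is an added example, not code from any post in this thread; it assumes the roleName, objName and principalName columns produced by the script above, the function names Get-RoleUsage and Get-RoleOverride are hypothetical, the sample rows are constructed, and it needs PowerShell 3.0 or later.

```powershell
# Constructed sample rows in the shape the thread's script exports.
# In practice: $report = Import-Csv "C:\Permissions.csv" -UseCulture
$report = @'
roleName,objName,principalName
Admin,Datacenters,CORP\vc-admins
ReadOnly,Datacenters,CORP\helpdesk
VirtualMachineUser,Datacenters\DC1\Prod,CORP\helpdesk
Admin,Datacenters\DC1\Prod\web01,CORP\jdoe
ReadOnly,Datacenters\DC1,CORP\auditors
'@ | ConvertFrom-Csv

function Get-RoleUsage($rows) {
    # One row per role: number of objects it is set on, and for which principals.
    $rows | Group-Object roleName | ForEach-Object {
        [pscustomobject]@{
            Role       = $_.Name
            Objects    = @($_.Group | Select-Object -ExpandProperty objName -Unique).Count
            Principals = @($_.Group | Select-Object -ExpandProperty principalName -Unique) -join '; '
        }
    }
}

function Get-RoleOverride($rows) {
    # Flags a principal that holds a different role on an object than on one
    # of its ancestors in the path built by get-path ("\" separated).
    # The report has no Propagate flag and does not resolve group membership,
    # so each hit is a candidate to review, not a confirmed escalation.
    foreach ($child in $rows) {
        foreach ($parent in $rows) {
            $below = $child.objName.StartsWith($parent.objName + '\',
                         [System.StringComparison]::OrdinalIgnoreCase)
            if ($below -and
                $child.principalName -eq $parent.principalName -and
                $child.roleName -ne $parent.roleName) {
                [pscustomobject]@{
                    Principal  = $child.principalName
                    ParentObj  = $parent.objName
                    ParentRole = $parent.roleName
                    ChildObj   = $child.objName
                    ChildRole  = $child.roleName
                }
            }
        }
    }
}

Get-RoleUsage $report | Sort-Object Role | Format-Table -AutoSize
Get-RoleOverride $report | Format-Table -AutoSize
```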