I am trying to add a domain user directly to the folder permissions for the root folder in vCenter with Admin permissions. I can get it to assign permissions for folders below the root but not at the top of the tree. See code below.
#Create a VIAccount object suitable for use with New-VIPermission, Get-VIPermission, etc. from PowerCLI.
function New-VIAccount($principal) {
    $flags = `
        [System.Reflection.BindingFlags]::NonPublic -bor
        [System.Reflection.BindingFlags]::Public -bor
        [System.Reflection.BindingFlags]::DeclaredOnly -bor
        [System.Reflection.BindingFlags]::Instance
    $method = $defaultviserver.GetType().GetMethods($flags) |
        where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }
    $client = $method.Invoke($global:DefaultVIServer, $null)
    Write-Output `
        (New-Object VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl `
        -ArgumentList $principal, "", $client)
}
$svcaccount = $domain + "\" + $username
$account = New-VIAccount "$svcaccount"
#(Get-Folder -Name folder) | New-VIPermission -Role Admin -Principal $account -Propagate:$TRUE ### This adds the user to a folder named folder with no issues.
(Get-Folder -Name Datacenters -Id Folder-group-d1) | New-VIPermission -Role Admin -Principal $account -Propagate:$TRUE ### When I try to apply to the root folder I get the following error:
New-VIPermission : 12/24/2009 2:19:30 PM New-VIPermission 9C9AB6A7-E395-42D1-B944-516E1BBBCEF2 Object reference not set to an instance of an object.
At ...vCenterSettings.ps1:93 char:70
+ (Get-Folder -Name Datacenters -Id Folder-group-d1) | New-VIPermission <<<< -Role Admin -Principal $account -Propagate:$TRUE
I could reproduce the problem, so that seems to be indeed another bug for the New-VIPermission cmdlet in PowerCLI 4u1.
As a bypass, you can call the SetEntityPermissions method directly like this
$domain = "<your-domainname>"
$username = "<your-accountname>"
$svcaccount = $domain + "\" + $username

$folder = Get-Folder -Name "Datacenters"
$authMgr = Get-View AuthorizationManager

# Build the permission object for the account
$perm = New-Object VMware.Vim.Permission
$perm.principal = $svcaccount
$perm.propagate = $true
$perm.roleid = ($authMgr.RoleList | where{$_.Name -eq "Admin"}).RoleId

# Apply it to the root folder through the AuthorizationManager
$authMgr.SetEntityPermissions(($folder | Get-View).MoRef, $perm)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Luc,
Your script works OK, except when I try to add groups instead of users, it fails.
Any idea why?
Found it.
$perm.group = $true
Hi Rob,
The problem is fixed in the VMware vSphere PowerCLI 4.1 build 264274 - the 4.1 release.
All you need is for your VC to be a member of the domain of the user you want to assign as principal. You can just execute the following line of code in order to create a permission for the root:
New-VIPermission -Role Admin -Principal 'domain\youruser' -Entity (Get-Folder -Name 'Datacenters')
Thanks,
Gospodin!
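Added example, not code from any poster in this thread or from VMware: the SetEntityPermissions workaround with the group flag folded in, followed by a read-back of what is defined directly on the root folder, since a propagating Admin grant there covers the whole inventory. Set-RootPermission and Get-RootPermissionReport are hypothetical helper names; the code assumes a single existing Connect-VIServer session and resolves the root folder through ServiceInstance instead of by the name 'Datacenters'.

```powershell
# Added example; assumes PowerCLI is loaded and one Connect-VIServer session is open.
# Set-RootPermission / Get-RootPermissionReport are hypothetical helper names.
function Set-RootPermission {
    param(
        [Parameter(Mandatory=$true)][string]$Principal,  # 'DOMAIN\name'
        [Parameter(Mandatory=$true)][string]$RoleName,
        [switch]$IsGroup,                                 # set when the principal is a group
        [bool]$Propagate = $true
    )
    $authMgr = Get-View AuthorizationManager
    $role = $authMgr.RoleList | Where-Object { $_.Name -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' not found on this vCenter." }

    # Inventory root folder, taken from the ServiceInstance content
    $rootRef = (Get-View ServiceInstance).Content.RootFolder

    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = $Principal
    $perm.Group     = $IsGroup.IsPresent   # the flag that was missing for groups
    $perm.RoleId    = $role.RoleId
    $perm.Propagate = $Propagate
    $authMgr.SetEntityPermissions($rootRef, @($perm))

    # Read back only what is defined on the root itself (inherited = $false)
    $applied = $authMgr.RetrieveEntityPermissions($rootRef, $false) |
        Where-Object { $_.Principal -eq $Principal -and $_.Group -eq $IsGroup.IsPresent }
    if (-not $applied -or $applied.RoleId -ne $role.RoleId) {
        throw "Permission for '$Principal' was not applied on the root folder."
    }
    $applied
}

# List every principal holding a role directly on the root folder
function Get-RootPermissionReport {
    $authMgr = Get-View AuthorizationManager
    $rootRef = (Get-View ServiceInstance).Content.RootFolder
    $roles = @{}
    $authMgr.RoleList | ForEach-Object { $roles[$_.RoleId] = $_.Name }
    $authMgr.RetrieveEntityPermissions($rootRef, $false) | ForEach-Object {
        New-Object PSObject -Property @{
            Principal = $_.Principal; IsGroup = $_.Group
            Role = $roles[$_.RoleId]; Propagate = $_.Propagate
        }
    }
}

# Usage (constructed principal name):
# Set-RootPermission -Principal 'DOMAIN\vc-admins' -RoleName 'Admin' -IsGroup
# Get-RootPermissionReport | Where-Object { $_.Role -eq 'Admin' -and $_.Propagate }
```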