VMware Cloud Community
shaka
Enthusiast

Trying to assign user Admin permissions on Root Folder

I am trying to add a domain user directly to the folder permissions for the root folder in vCenter with Admin permissions. I can get it to assign permissions for folders below the root but not at the top of the tree. See code below.

#Create a VIAccount object suitable for use with New-VIPermission, Get-VIPermission, etc. from PowerCLI.
function New-VIAccount($principal) {
    $flags = `
        [System.Reflection.BindingFlags]::NonPublic -bor
        [System.Reflection.BindingFlags]::Public -bor
        [System.Reflection.BindingFlags]::DeclaredOnly -bor
        [System.Reflection.BindingFlags]::Instance
    $method = $defaultviserver.GetType().GetMethods($flags) |
        where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }
    $client = $method.Invoke($global:DefaultVIServer, $null)
    Write-Output `
        (New-Object VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl `
        -ArgumentList $principal, "", $client)
}

$svcaccount = $domain + "\" + $username
$account = New-VIAccount "$svcaccount"

#(Get-Folder -Name folder) | New-VIPermission -Role Admin -Principal $account -Propagate:$TRUE ### This adds the user to a folder named folder with no issues.
(Get-Folder -Name Datacenters -Id Folder-group-d1) | New-VIPermission -Role Admin -Principal $account -Propagate:$TRUE ### When I try to apply to the root folder I get the following error:

New-VIPermission : 12/24/2009 2:19:30 PM New-VIPermission 9C9AB6A7-E395-42D1-B944-516E1BBBCEF2 Object reference not set to an instance of an object.

At ...vCenterSettings.ps1:93 char:70+ (Get-Folder -Name Datacenters -Id Folder-group-d1) | New-VIPermission <<<< -Role Admin -Principal $account -Propagate:$TRUE

1 Solution

Accepted Solutions
LucD
Leadership

I could reproduce the problem, so that seems to be indeed another bug for the New-VIPermission cmdlet in PowerCLI 4u1.

As a bypass, you can call the SetEntityPermissions method directly like this

$domain = "<your-domainname>"
$username = "<your-accountname>"
$svcaccount = $domain + "\" + $username

$folder = Get-Folder -Name "Datacenters"
$authMgr = Get-View AuthorizationManager
$perm = New-Object VMware.Vim.Permission
$perm.principal = $svcaccount
$perm.propagate = $true
$perm.roleid = ($authMgr.RoleList | where{$_.Name -eq "Admin"}).RoleId
$authMgr.SetEntityPermissions(($folder | Get-View).MoRef, $perm)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


0 Kudos
4 Replies
RobMokkink
Expert

Luc,

Your script works okay, except when I try to add groups instead of users, it fails.

Any idea why?

0 Kudos
RobMokkink
Expert

Found it.

$perm.group = $true

0 Kudos
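
Added example (not code from the thread or from PowerCLI itself): the SetEntityPermissions workaround combined with the group flag found above, followed by a read-back of the root folder's directly assigned permissions so the grant can be checked. The function name and its parameters are assumptions for illustration, and an existing Connect-VIServer session is assumed.

```powershell
# Added example: hypothetical helper, requires a connected PowerCLI session.
function Set-RootFolderPermission {
    param(
        [Parameter(Mandatory=$true)] [string] $Principal,  # 'DOMAIN\name' (placeholder)
        [string] $RoleName = 'Admin',
        [switch] $IsGroup,                                  # set for AD groups
        [bool]   $Propagate = $true
    )

    # The root folder is named "Datacenters"; refuse to guess if the lookup is ambiguous.
    $folder = @(Get-Folder -Name 'Datacenters')
    if ($folder.Count -ne 1) {
        throw "Expected exactly one 'Datacenters' folder, found $($folder.Count)."
    }
    $moRef = ($folder[0] | Get-View).MoRef

    $authMgr = Get-View AuthorizationManager
    $role = $authMgr.RoleList | Where-Object { $_.Name -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' not found on this server." }

    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = $Principal
    $perm.Group     = [bool]$IsGroup   # must be $true when the principal is a group
    $perm.Propagate = $Propagate
    $perm.RoleId    = $role.RoleId
    $authMgr.SetEntityPermissions($moRef, $perm)

    # Read back only the permissions set directly on the root folder
    # ($false = exclude inherited entries) and resolve role ids to names.
    $authMgr.RetrieveEntityPermissions($moRef, $false) | ForEach-Object {
        $p = $_
        $p | Select-Object Principal,
            @{ Name = 'IsGroup';   Expression = { $p.Group } },
            @{ Name = 'Role';      Expression = {
                ($authMgr.RoleList | Where-Object { $_.RoleId -eq $p.RoleId }).Name } },
            Propagate
    }
}

# Usage (placeholder principal names):
#   Set-RootFolderPermission -Principal 'DOMAIN\svc-account'
#   Set-RootFolderPermission -Principal 'DOMAIN\vc-admins' -IsGroup
```

The returned rows list every principal holding a role directly on the root folder, which makes it easy to review which accounts have Admin with propagation across the whole inventory.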
ggochkov
VMware Employee

Hi Rob,

The problem is fixed in the VMware vSphere PowerCLI 4.1 build 264274 - the 4.1 release.

All you need is for your VC to be a member of the domain of the user you want to assign as principal. You can just execute the following line of code in order to create a permission for the root:

 New-VIPermission -Role Admin -Principal 'domain\youruser' -Entity (Get-Folder -Name 'Datacenters') 

Thanks,

Gospodin!