Hello,
I've been asked to get a list of users who are assigned to certain objects in vCenter. Problem is of course that we have a lot of objects. What I'd like is a script that can look at the permissions that are assigned from the top down and then sort from there. So if all these users are in the datacenter and everything below inherits them it skips that info for me. But if a folder in that datacenter has a user that's not inherited it lets me know, but parsing out the info, so I'm not looking at thousands of folders to figure out the info. Possible? Pipe dream?
Isn't the following doing that?
Or do you mean something else?
Get-VIPermission | select Principal,Entity,Role
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
So we have our team that's assigned at the vCenter/Datacenter level and I'm not concerned about those guys. But on occasion it seems we need to grant permission to someone outside of our team to a particular folder or set of folders. Since I'm not the only one who's doing this and the folders change quite often with automation I'd like a way to run something that can give me an output somehow who's assigned to any particular folder. If it's one of a certain handful of people on my team it's excluded from the search since we know they have permission to everything. But if it's someone from outside of that I'll know the folder they have access to, the permissions, etc.
Something like this?
Note that this does not list inherited permissions on the folder.
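$excluded = 'DOMAIN\user1', 'DOMAIN\user2'  # placeholder values: principals to leave out of the report
Get-Folder -Name MyFolder | Get-VIPermission |
where { $excluded -notcontains $_.Principal }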
That seems to work really well. Is it somehow possible for it to scan the sub folders in a folder? We have a lot of folders under one particular folder and it'd be a hassle to try to scan them individually, especially as they can change. If this is possible will it only show folders that have people who aren't in my exclusion list, or will it list every folder anyway? It'd be great if it only showed folders that had permissions from users who aren't in that exclusion list.
Try something like this.
Note that it currently only looks at VM-type folders.
Get-Inventory -Location (Get-Folder -Name $folderName) -PipelineVariable folder |
where { $folder.IsChildTypeVm } |
Get-VIPermission |
where { $_.EntityId -eq $folder.Id } |
select Entity, Principal, Role
Hmm it acts like it's working, but I'm getting this:
WARNING: The 'IsChildTypeVm' property of the Folder type is deprecated. Use the Type property instead.
Get-VIPermission : 8/23/2019 2:30:35 PM Get-VIPermission The object 'vim.Folder:group-v1391676' has already been
deleted or has not been completely created
At C:\GetFolderPermissions.ps1:48 char:112
+ ... able folder | where{$folder.IsChildTypeVm} | Get-VIPermission | where ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VIPermission], ManagedObjectNotFound
+ FullyQualifiedErrorId : Client20_InventoryServiceImpl_GetPermission_VIError,VMware.VimAutomation.ViCore.Cmdlets.
Commands.PermissionManagement.GetVIPermission
The line in question is this:
Get-Inventory -Location (Get-Folder -Name $myfolder) -PipelineVariable folder | where{$folder.IsChildTypeVm} | Get-VIPermission | where{$_.EntityId -eq $folder.Id} | select Entity,Principal,Role
The message about the IsChildTypeVM is a warning about a possible future deprecation.
And can be ignored for now.
The error is for one specific folder (Id = group-v1391676). Can you check with
Get-Folder | Select Name,Id
which folder it is, and what the problem with it might be?
Hmm I ran that, but nothing comes up for that or another one I got an error on. It's possible our automation is either building or deleting those folders, so maybe that's why I'm seeing the issue?
Could be.
You could check Task and/or Events to see if any folders were manipulated while you ran the script.
Yeah it looks like there's a lot of stuff running while this is going on. Folders being deleted, created, all kinds of fun stuff. I'll probably go back to the previous code and force users to specify the folder since there's too much going on.
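Added example, not part of the thread and not written by its participants: one way to combine the exclusion list, the subfolder scan and the "folder deleted mid-run" error discussed above into a single audit pass. It assumes an existing Connect-VIServer session; the folder name and the EXAMPLE\ principals are placeholders.

```powershell
# Added example. Assumes you are already connected with Connect-VIServer.
# Placeholder values: replace with your own parent folder and team principals.
$parentName = 'MyFolder'
$excluded   = @('EXAMPLE\admin1', 'EXAMPLE\admin2')

$skipped = @()

# Snapshot the parent and all VM-type folders below it (Get-Folder -Location
# recurses by default). -Type VM avoids the deprecated IsChildTypeVm property.
$parent  = Get-Folder -Name $parentName -ErrorAction Stop
$folders = @($parent) + @(Get-Folder -Location $parent -Type VM)

$report = foreach ($folder in $folders) {
    try {
        # -ErrorAction Stop turns the ManagedObjectNotFound error into a
        # catchable exception, so a folder removed by automation during the
        # scan is recorded and skipped instead of polluting the output.
        Get-VIPermission -Entity $folder -ErrorAction Stop |
            Where-Object {
                # Keep only permissions defined on this folder itself
                # (not inherited) and held by someone outside the team list.
                $_.EntityId -eq $folder.Id -and
                $excluded -notcontains $_.Principal
            } |
            Select-Object @{N = 'Folder';   E = { $folder.Name }},
                          @{N = 'FolderId'; E = { $folder.Id }},
                          Principal, Role, IsGroup, Propagate
    }
    catch {
        $skipped += "$($folder.Id): $($_.Exception.Message)"
    }
}

# Only folders with at least one non-excluded, directly assigned permission appear.
$report | Sort-Object Folder, Principal | Format-Table -AutoSize

if ($skipped) {
    Write-Warning "Folders that could not be read during the scan:"
    $skipped | ForEach-Object { Write-Warning "  $_" }
}
```

Principals that are groups are reported as the group (IsGroup is True); their membership is not expanded, so an excluded or reported group may cover more accounts than the list suggests.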