VMware Cloud Community
nicholas1982
Hot Shot

Blocking or Restricting Execution of PowerCLI Commands or Scripts

Hi All,

I can't seem to find a way of doing this and it may turn out not to be possible. But I have some ops guys with vSphere client access to our vSphere 5.5 environment and some of them like to tinker with PowerCLI which we would like to restrict.


Reason being they have the ability to cause some serious damage if the wrong script is executed. I do trust my guys, but it's not a matter of trust, it's a matter of defined access control. They do need the level of access they have now to administer the environment, but the ability to make mass changes via a script needs to go through an approval process. We just had a script run to unmount all ISO/CDROMs for all VMs, and due to the nature of how Linux OS locks the media it crashed the server.


So what I'm asking is: is there any way to allow vSphere access but deny or restrict access to run commands via any other means like PowerCLI?

Nicholas
0 Kudos
5 Replies
LucD
Leadership

If I understand this correctly, you want a user to have different roles, depending on the type of access (web client/PowerCLI)?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

nicholas1982
Hot Shot

Hi Luc,

Yes, just because a user has permissions to vSphere via the Windows client or web client doesn't mean they should be able to run commands via PowerCLI. Is there any way to lock down PowerCLI access to specific users?

Nicholas
0 Kudos
LucD
Leadership

I'm afraid that there is no way to limit (afaik) the vCenter access based on the application used to access it (web client/PowerCLI...).

All these use the same vSphere API under the covers.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

nicholas1982
Hot Shot

Hi Luc,

Thanks for the info, so I figured this would be the case. Let me ask you this then, is there any way to audit how tasks were performed, i.e. is it possible to know if it was done via vSphere client or PowerCLI? In this case we already suspected PowerCLI was used as the tasks were 5 seconds apart by the same user, which would be extremely difficult to do via the client.

Nicholas
0 Kudos
LucD
Leadership

Not at the moment afaik, but in the PowerShell v5 preview some new features were introduced that will allow tracking (see for example More New Stuff in PowerShell V5: Extra PowerShell Auditing).


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
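
The timing check described in the thread (same user, tasks about 5 seconds apart), written out as an added example that is not part of the original posts. The records are constructed; their field names mirror the `UserName`, `CreatedTime` and `FullFormattedMessage` properties of the event objects PowerCLI's `Get-VIEvent` returns, and the function name and thresholds are assumptions. A burst indicates changes made faster than is plausible by hand; it does not identify which client was used.

```powershell
# Constructed sample records (not real vCenter data).
$t0 = [datetime]'2015-03-02T09:00:00'
$events = @(
    [pscustomobject]@{ UserName = 'CORP\opsA'; CreatedTime = $t0
                       FullFormattedMessage = 'Reconfigured vm01' }
    [pscustomobject]@{ UserName = 'CORP\opsA'; CreatedTime = $t0.AddSeconds(5)
                       FullFormattedMessage = 'Reconfigured vm02' }
    [pscustomobject]@{ UserName = 'CORP\opsA'; CreatedTime = $t0.AddSeconds(10)
                       FullFormattedMessage = 'Reconfigured vm03' }
    [pscustomobject]@{ UserName = 'CORP\opsA'; CreatedTime = $t0.AddSeconds(15)
                       FullFormattedMessage = 'Reconfigured vm04' }
    [pscustomobject]@{ UserName = 'CORP\opsB'; CreatedTime = $t0.AddMinutes(2)
                       FullFormattedMessage = 'Reconfigured vm09' }
    [pscustomobject]@{ UserName = 'CORP\opsB'; CreatedTime = $t0.AddMinutes(20)
                       FullFormattedMessage = 'Reconfigured vm10' }
)

# Hypothetical helper: report runs of events by one user where each event
# follows the previous one within $MaxGapSeconds.
function Find-RapidChangeBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MaxGapSeconds = 5,  # gap observed in the thread's incident
        [int] $MinBurstSize  = 3   # assumption: shorter runs may be manual
    )
    foreach ($group in ($Events | Group-Object UserName)) {
        $sorted = @($group.Group | Sort-Object CreatedTime)
        $run = @($sorted[0])
        # Loop one past the end so the final run is flushed too.
        for ($i = 1; $i -le $sorted.Count; $i++) {
            $inRun = $i -lt $sorted.Count -and
                ($sorted[$i].CreatedTime - $sorted[$i - 1].CreatedTime).TotalSeconds -le $MaxGapSeconds
            if ($inRun) { $run += $sorted[$i]; continue }
            if ($run.Count -ge $MinBurstSize) {
                [pscustomobject]@{
                    UserName = $group.Name
                    Start    = $run[0].CreatedTime
                    End      = $run[-1].CreatedTime
                    Count    = $run.Count
                }
            }
            if ($i -lt $sorted.Count) { $run = @($sorted[$i]) }
        }
    }
}

Find-RapidChangeBurst -Events $events | Format-Table -AutoSize
```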