VMware Cloud Community
Eeyore
Contributor
Contributor
‎09-17-2008 02:28 AM
Jump to solution

Creating Administration Roles by script

I would like to be able to create Administration Roles by script (powershell), as we are building unattended installs of virtualcenter.

So far I have not found anything to do this. There doesn't seem to be any cmdlets for this.

We have standardised on powershell so any solution needs to use that.

Once the roles are created, with the correct permissions that I want, I also then need to manage them, by applying security to folders, making use of the created roles.

Anyone seen anything or tried it?

0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership
‎10-01-2008 06:48 AM
Jump to solution

For the management of roles, privileges and security settings we need the AuthorizationManager methods.

Privileges are listed in Appendix B of the SDK Programming Guide.

The first scrip show how to create a new role.

$privs = @()
$privs += "Host.Config.Network"
$privs += "Host.Config.NetService"
$authMgr = Get-View AuthorizationManager
$roleid = $authMgr.AddAuthorizationRole("NetAdmin", $privs)

Then you can apply this to an "entity" like this.

Note that you use the $roleid to select the role in the next method.

$dc = Get-Datacenter -Name <datacenter-name> | Get-View
$perm = $authMgr.RetrieveEntityPermissions($dc.MoRef, $true)
$perm = New-Object VMware.Vim.Permission
$perm.group = $false
$perm.principal = "mydomain\myaccount"
$perm.propagate = $false
$perm.roleId = $roleid
$authMgr.SetEntityPermissions($dc.MoRef, $perm)

The description of the properties of the Permission object can be found in the SDK.

The $perm variable (2nd parameter to the SetEntityPermissions method) can also be an array.

So you can apply multiple permissions in 1 call.

For the further management of this have a look at the other methods of the AuthorizationManager object.

Feel free to ask if something is not clear.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
16 Replies
halr9000
Commander
Commander
‎09-17-2008 03:08 PM
Jump to solution

You are right, there aren't cmdlets to address this right now. It is possible that VMware will remedy this in future versions of the toolkit. It may also be possible that you can do this without too much trouble using the VI SDK (and the Get-View cmdlet), but I don't have time to work on that at the moment.






Author of the upcoming book: Managing VMware Infrastructure with PowerShell

Co-Host, PowerScripting Podcast (http://powerscripting.net)

My signature used to be pretty, but then the forum software broked it. vExpert. Microsoft MVP (Windows PowerShell). Author, Podcaster, Speaker. I'm @halr9000
0 Kudos
dconvery
Champion
Champion
‎09-30-2008 01:18 PM
Jump to solution

So....Does anyone know of a way to do this??

Dave Convery, VCDX-DCV #20 ** http://www.tech-tap.com ** http://twitter.com/dconvery ** "Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
0 Kudos
Flapoly
Contributor
Contributor
‎09-30-2008 11:42 PM
Jump to solution

Hi all,

We ahve exactly the same issue. Our security/auditing team ask us to provide an automated script that will check the roles configuration/settings on the different level of VC.

Doing this manually is very resource intensive and cause a lot of human errors.

Best Regards,

0 Kudos
LucD
Leadership
Leadership
‎10-01-2008 06:48 AM
Jump to solution

For the management of roles, privileges and security settings we need the AuthorizationManager methods.

Privileges are listed in Appendix B of the SDK Programming Guide.

The first scrip show how to create a new role.

$privs = @()
$privs += "Host.Config.Network"
$privs += "Host.Config.NetService"
$authMgr = Get-View AuthorizationManager
$roleid = $authMgr.AddAuthorizationRole("NetAdmin", $privs)

Then you can apply this to an "entity" like this.

Note that you use the $roleid to select the role in the next method.

$dc = Get-Datacenter -Name <datacenter-name> | Get-View
$perm = $authMgr.RetrieveEntityPermissions($dc.MoRef, $true)
$perm = New-Object VMware.Vim.Permission
$perm.group = $false
$perm.principal = "mydomain\myaccount"
$perm.propagate = $false
$perm.roleId = $roleid
$authMgr.SetEntityPermissions($dc.MoRef, $perm)

The description of the properties of the Permission object can be found in the SDK.

The $perm variable (2nd parameter to the SetEntityPermissions method) can also be an array.

So you can apply multiple permissions in 1 call.

For the further management of this have a look at the other methods of the AuthorizationManager object.

Feel free to ask if something is not clear.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
dconvery
Champion
Champion
‎10-03-2008 11:15 AM
Jump to solution

LucD -

Thanks for the tip. Unfortunately, the first block of code produces an error:

PS C:\Program Files\VMware\Infrastructure\VIToolkitForWindows&gt; $privs = @()

PS C:\Program Files\VMware\Infrastructure\VIToolkitForWindows&gt; $privs += "Host.Config.Network"

PS C:\Program Files\VMware\Infrastructure\VIToolkitForWindows&gt; $privs += "Host.Config.NetService"

PS C:\Program Files\VMware\Infrastructure\VIToolkitForWindows&gt; $privs += "VirtualMachine.Interaction"

PS C:\Program Files\VMware\Infrastructure\VIToolkitForWindows&gt; $authMgr = Get-View AuthorizationManager

PS C:\Program Files\VMware\Infrastructure\VIToolkitForWindows&gt; $roleid = $authMgr.AddAuthorizationRole("Test1", $privs)

Exception calling "AddAuthorizationRole" with "2" argument(s): "vim.fault.NotFound"* At line:1 char:40 *+ $roleid = $authMgr.AddAuthorizationRole( &lt;&lt;&lt;&lt; "Test1", $privs)

PS C:\Program Files\VMware\Infrastructure\VIToolkitForWindows&gt;

I got a similar error on the last line of the second section. Sorry, I am not a programmer and I am a noob at powershell, so my mind is doubly deficient... I am working on running this line-by-line now.

Dave

************************

"There is an island of opportunity in the middle of every difficulty. Miss that, though, and you're pretty much doomed."

despair.com

Dave Convery, VCDX-DCV #20 ** http://www.tech-tap.com ** http://twitter.com/dconvery ** "Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
admin
Immortal
Immortal
‎10-03-2008 01:42 PM
Jump to solution

Just wanted to mention a couple of things

1. This is on our roadmap but not for this year.

2. A complete, well thought-out solution to this problem is fairly complex, but partial solutions are certainly possible as Luc has shown with his code. If you need something sooner please ask specific questions and we'll see if we can address them.

0 Kudos
LucD
Leadership
Leadership
‎10-03-2008 02:07 PM
Jump to solution

The 3th privilege you are trying to assign doesn't exist.

It's not present in Appendix B of the SDK Programming Guide.

What is shown in the VI client as "Virtual Machine - Interaction" exists in fact of 11 individual privileges.

You will have to add all of these to the role to get the same effect.

That list would be: "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff", "VirtualMachine.Interact.Suspend"...


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
dconvery
Champion
Champion
‎10-04-2008 09:43 AM
Jump to solution

Luc -

I am SO sorry... I see that know, I looked at the VCMS and saw "interaction" and looked at the appendix and saw "interact".

Will I need to specify each individual permission or can I specify the parent?

Dave

************************

"There is an island of opportunity in the middle of every difficulty. Miss that, though, and you're pretty much doomed."

despair.com

Dave Convery, VCDX-DCV #20 ** http://www.tech-tap.com ** http://twitter.com/dconvery ** "Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
0 Kudos
dconvery
Champion
Champion
‎10-04-2008 09:54 AM
Jump to solution

Carter (and Luc) -

The task is fairly straight - forward. I will be creating folders, datacenters, etc. I have that part OK. I want to create a custom role and then set the role to a user/group and apply it to a folder. It looks like this will do nicely for the most part.

Incidentally, How do I get a role id for a standard or custom role? This would be to assign to an existing role. I am also using this post as a reference -&gt; http://communities.vmware.com/message/919168

Dave

************************

"There is an island of opportunity in the middle of every difficulty. Miss that, though, and you're pretty much doomed."

despair.com

Dave Convery, VCDX-DCV #20 ** http://www.tech-tap.com ** http://twitter.com/dconvery ** "Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
0 Kudos
LucD
Leadership
Leadership
‎10-05-2008 09:22 AM
Jump to solution

I think you need to set each individual permission. Smiley Sad

Couldn't find a way of doing it via a parent (like "VirtualMachine.Interact").

The privileges do have the concept of a group, in this case they all belong to the privileges group "VirtualMachine.Interact",

but unfortunately I can't seem to find how to pass group privileges to the AddAuthorizationRole method.

Perhaps someone else knows how to do this ?

You could eventually use the following script.

It will add all privileges that belong to the group "VirtualMachine.Interact" to an array.

That array can then be used as a parameter to the AddAuthorizationRole method.

$privs =@()
$tgtgroup = "VirtualMachine.Interact"

$authMgr = Get-View AuthorizationManager
foreach($privilege in $authMgr.PrivilegeList){
  if($privilege.PrivGroupName -eq $tgtgroup){
    $privs += $privilege.PrivId
  }
}

$roleid = $authMgr.AddAuthorizationRole("VMAdmin", $privs)

You still have to know the groups.

But at least the privileges array will be constructed automatically.

And it will be all or nothing for a group.

PS: use the following script to get a list of all 146 privileges and the group they belong to.

$report =@()

$authMgr = Get-View AuthorizationManager
foreach($privilege in $authMgr.PrivilegeList){
  $row = "" | Select PrivName, PrivId, PrivGroup
  $row.PrivName = $privilege.Name
  $row.PrivGroup = $privilege.PrivGroupName
  $row.PrivId = $privilege.PrivId
  $report += $row
}

$report | Export-Csv -path "c:/Temp/Privs.csv" -noTypeInformation


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

LucD
Leadership
Leadership
‎10-05-2008 09:34 AM
Jump to solution

All roles can be found under the AuthorizationManager.RoleList property.

This includes the RoleId property.

This produces a CSV with all roles and their RoleId.

$report =@()

$authMgr = Get-View AuthorizationManager
foreach($role in $authMgr.RoleList){
  $row = "" | Select RoleName, Label, RoleId
  $row.RoleName = $role.Name
  $row.Label = $role.Info.Label
  $row.RoleId = $role.RoleId
  $report += $row
}

$report | Export-Csv -path "c:/Temp/Roles.csv" -noTypeInformation

But you can also look for a specific role by name, retrieve the RoleId property, place it in the Permission.roleId property and call the SetEntityPermissions method.

Similar to what I just showed for the privileges.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
dconvery
Champion
Champion
‎10-05-2008 11:18 AM
Jump to solution

Thank you VERY much Luc. Sorry I didn't start a new thread to award points. Maybe eeyore can mark it answered?? Luc's original posts answered the original questions.

Dave

************************

"There is an island of opportunity in the middle of every difficulty. Miss that, though, and you're pretty much doomed."

despair.com

Dave Convery, VCDX-DCV #20 ** http://www.tech-tap.com ** http://twitter.com/dconvery ** "Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
0 Kudos
Eeyore
Contributor
Contributor
‎10-09-2008 12:41 AM
Jump to solution

Thanks for all the help.

0 Kudos
wingnut76
Contributor
Contributor
‎01-20-2009 04:42 PM
Jump to solution

I have a question on how to do something with powershell. I have a script that creates a user account on an ESX host and assigns it Read-Only role at the host level. If you were using the VIC, you'd select the host in the left pane to set the permission. In the script I do this at the ha-folder-root level. I'm trying to use the following powershell code but I get an error when I try to set the permissions. I'm not sure why... Can someone help?

'=== Create new account

Connect to the server using Get-ESX &lt;servername&gt;

New-VMHostAccount -id &lt;Some User I want&gt; -Description "Read Only User" -Password my_password

'=== set the permissions

$entity = Get-View (get-vmhost -name "myhostname").ID

$authMgr = Get-View AuthorizationManager

$perm = @()

$perm += New-Object VMware.Vim.Permission

$perm[0].group = $false

$perm[0].principal = "&lt;Some Local User Account Created Above&gt;"

$perm[0].propagate = $true

$perm[0].roleId = "-2"

$authMgr.SetEntityPermissions($entity.MoRef, $perm)

At the final line, I get the following error:

You cannot call a method on a null-valued expression.

At line:1 char:30

+ $authMgr.SetEntityPermissions( &lt;&lt;&lt;&lt; $entity.MoRef, $perm)

I'm assuming this is something really simple I'm doing wrong...

0 Kudos
wingnut76
Contributor
Contributor
‎01-20-2009 05:05 PM
Jump to solution

Ha... Of course. After I spend 4 hours trying to figure it out as soon as I post I get it...

I needed the following code to get the authMgr object. Smiley Happy

$entity = Get-View -ViewType Folder -filter @{"name" = "ha-folder-root"}

$svcRef = new-object VMware.Vim.ManagedObjectReference

$svcRef.Type = "ServiceInstance"

$svcRef.Value = "ServiceInstance"

$serviceInstance = get-view $svcRef

$authMgr = get-view $serviceInstance.Content.authorizationManager

It works now!

0 Kudos
LucD
Leadership
Leadership
‎01-20-2009 10:01 PM
Jump to solution

Fyi, you can shorten that like this

$entity = Get-View -ViewType Folder -filter @{"name" = "ha-folder-root"}

$authMgr = Get-View AuthorizationManager


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos