Hi
I'm using Gabe's cheap disaster recovery script to export the folder perms, but when I checked to see if it exported all the folders in my vCenter, there seem to be some folders missing. At first I thought maybe the account I was using to export didn't have the administrator role, or the role didn't propagate down to the missing folders, but after checking, that was not the case.
Code:
--------------------------
function Get-Roles
{
    Begin{
        $authMgr = Get-View AuthorizationManager
        $report = @()
    }
    Process{
        # One object per role known to vCenter (system and custom roles)
        foreach($role in $authMgr.roleList){
            $ret = New-Object PSObject
            $ret | Add-Member -Type noteproperty -Name "Name" -Value $role.name
            $ret | Add-Member -Type noteproperty -Name "Label" -Value $role.info.label
            $ret | Add-Member -Type noteproperty -Name "Summary" -Value $role.info.summary
            $ret | Add-Member -Type noteproperty -Name "RoleId" -Value $role.roleId
            $ret | Add-Member -Type noteproperty -Name "System" -Value $role.system
            $ret | Add-Member -Type noteproperty -Name "Privilege" -Value $role.privilege
            $report += $ret
        }
    }
    End{
        return $report
    }
}

function Get-Permissions
{
    Begin{
        $report = @()
        $authMgr = Get-View AuthorizationManager
        # Lookup table: RoleId -> role name
        $roleHash = @{}
        $authMgr.RoleList | %{
            $roleHash[$_.RoleId] = $_.Name
        }
    }
    Process{
        # Returns only the permissions defined directly on an entity;
        # entities that merely inherit a permission are not listed
        $perms = $authMgr.RetrieveAllPermissions()
        foreach($perm in $perms){
            $ret = New-Object PSObject
            $entity = Get-View $perm.Entity
            $ret | Add-Member -Type noteproperty -Name "Entity" -Value $entity.Name
            $ret | Add-Member -Type noteproperty -Name "EntityType" -Value $entity.gettype().Name
            $ret | Add-Member -Type noteproperty -Name "Group" -Value $perm.Group
            $ret | Add-Member -Type noteproperty -Name "Principal" -Value $perm.Principal
            $ret | Add-Member -Type noteproperty -Name "Propagate" -Value $perm.Propagate
            $ret | Add-Member -Type noteproperty -Name "Role" -Value $roleHash[$perm.RoleId]
            $report += $ret
        }
    }
    End{
        return $report
    }
}

# XML helpers; $vInventory is resolved from the calling scope
function New-XmlNode{
    param($node, $nodeName)
    $tmp = $vInventory.CreateElement($nodeName)
    $node.AppendChild($tmp)
}

function Set-XmlAttribute{
    param($node, $name, $value)
    $node.SetAttribute($name, $value)
}

function Get-XmlNode{
    param($path)
    $vInventory.SelectNodes($path)
}

[XML]$vInventory = "<Inventory><Roles/><Permissions/></Inventory>"

# Roles (custom roles only; system roles are skipped)
$XMLRoles = Get-XmlNode "Inventory/Roles"
Get-Roles | where {-not $_.System} | % {
    $XMLRole = New-XmlNode $XMLRoles "Role"
    Set-XmlAttribute $XMLRole "Name" $_.Name
    Set-XmlAttribute $XMLRole "Label" $_.Label
    Set-XmlAttribute $XMLRole "Summary" $_.Summary
    $_.Privilege | % {
        $XMLPrivilege = New-XmlNode $XMLRole "Privilege"
        Set-XmlAttribute $XMLPrivilege "Name" $_
    }
}

# Permissions
$XMLPermissions = Get-XmlNode "Inventory/Permissions"
Get-Permissions | % {
    $XMLPerm = New-XmlNode $XMLPermissions "Permission"
    Set-XmlAttribute $XMLPerm "Entity" $_.Entity
    Set-XmlAttribute $XMLPerm "EntityType" $_.EntityType
    Set-XmlAttribute $XMLPerm "Group" $_.Group
    Set-XmlAttribute $XMLPerm "Principal" $_.Principal
    Set-XmlAttribute $XMLPerm "Propagate" $_.Propagate
    Set-XmlAttribute $XMLPerm "Role" $_.Role
}

# $OutFile must hold the export path; it is not defined in this excerpt
$vInventory.Save($OutFile)
--------------------------
I can't test and am on my phone, but just a thought - do the folders you are missing in the report actually have permissions applied directly on them or do they simply inherit all their permissions?
The script from Gabrie's recovery scripts only exports the explicit permissions.
A folder that doesn't have an explicit permission will not be included.
The Propagate property will indicate if the permission is also applied on the child folders.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
Thanks for your response. Do you know of any Export / Import scripts that will grab everything including non-explicit permissions?
Thanks,
Hi Tocano,
Thanks for your response. The missing folders' permissions are inherited. When I looked at the permissions tab, it says either defined at the vCenter or datacenter level.
Not sure that this is the most efficient method, but you might consider adding to the approach of the script to fetch the folder structure (you can reference previous threads on this here, here, or even here, etc).
This way, you can not only recreate your folder structure (which - from the sound of it - contains numerous folders), but by reapplying the explicit permissions you gained from your original script, the permissions will inherit and you should have your entire folder structure recreated - with permissions - programmatically.
I already have a script to import and export my entire folder structure. So are you saying that after I import the folder structure into a new vCenter and import the permissions the inherited permissions will propagate to all the folders in the folder structure?
Depending on how deeply nested and how common your names are and would require testing, but essentially, yes. If you recreate your folder structure to match your original vCenter, then you can apply the permissions to the appropriate folders and as long as propagate is set accordingly, it should inherit to the sub-folders similar to how they were set in the original vCenter.
One caveat is that you have to export any custom Roles/Privileges as well.
Custom Roles/permissions are exported. Thanks
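An added example, not from the thread or from the recovery scripts: a read-only PowerCLI report of the permissions in effect on every folder, inherited ones included, using the vSphere API call `RetrieveEntityPermissions` with its `inherited` argument set to `$true`. The function name `Get-EffectiveFolderPermission` and the CSV file name are hypothetical, and a connected `Connect-VIServer` session is assumed.

```powershell
# Added example. Assumes an active Connect-VIServer session; makes no changes.
function Get-EffectiveFolderPermission {   # hypothetical name
    $authMgr = Get-View AuthorizationManager

    # RoleId -> role name, as in the export script's Get-Permissions
    $roleHash = @{}
    $authMgr.RoleList | ForEach-Object { $roleHash[$_.RoleId] = $_.Name }

    # Cache of "Type-Value" MoRef -> entity name, to avoid repeated Get-View calls
    $nameCache = @{}

    foreach ($folder in Get-View -ViewType Folder -Property Name) {
        $folderKey = "$($folder.MoRef.Type)-$($folder.MoRef.Value)"

        # Second argument $true: also return permissions inherited from parents
        $perms = $authMgr.RetrieveEntityPermissions($folder.MoRef, $true)
        foreach ($perm in $perms) {
            # $perm.Entity is the object the permission is actually defined on
            $key = "$($perm.Entity.Type)-$($perm.Entity.Value)"
            if (-not $nameCache.ContainsKey($key)) {
                $nameCache[$key] = (Get-View $perm.Entity -Property Name).Name
            }
            [PSCustomObject]@{
                Folder    = $folder.Name
                FolderId  = $folderKey
                Principal = $perm.Principal
                IsGroup   = $perm.Group
                Role      = $roleHash[$perm.RoleId]
                Propagate = $perm.Propagate
                DefinedOn = $nameCache[$key]
                Inherited = ($key -ne $folderKey)   # defined on a parent, not on this folder
            }
        }
    }
}

# Hypothetical output file name
Get-EffectiveFolderPermission |
    Sort-Object Folder, Principal |
    Export-Csv -Path .\effective-folder-permissions.csv -NoTypeInformation
```

Running the report on the original vCenter and again on the rebuilt one gives two files that can be compared to confirm that reapplying the explicit permissions produced the same effective access on each folder.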