VMware Cloud Community
MC1903
Enthusiast
Enthusiast
‎12-18-2020 09:34 AM
Jump to solution

Get-VIPermission - How to determine if permission is Global or just this vCenter?

When I dump out my vCenter permissions with Get-VIPermission, the 'entity' is always 'Datacenters' irrespective of whether the permission is set globally or at the vCenter root object itself?

Here is my test: I have assigned one user (MOMUS\ADUser03) a role at the vCenter Server root object and another user (MOMUS\NonAdmin) another role within Global Permissions.

MC1903_0-1608311088234.png

MC1903_1-1608311407410.png

 

When I run Get-VIPermission | Select-Object Principal, IsGroup, Role, Entity, Propagate | Sort-Object Principal | Format-Table -AutoSize

I get this:

Get-VIPermission PS Output.png

I was expecting the entity for the MOMUS\NonAdmin user to be different (i.,e Global).

How do I distinguish between Global and 'non-Global/vCenter permissions with PowerCLI - If there is another way apart from Get-VIPermission.

Thanks.

M

 

 

 

0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership
‎12-18-2020 09:50 AM
Jump to solution

Global permissions are done through and maintained in SSO.
It is then propagated to all vCenters in that SSO domain.
Hence why you see those permessions appearing on the Datacenters folder (the root of a vCenter hierarchy).

Unfortunately, afaik the recent VMware.vSphere.SsoAdmin module doesn't contain any functions (yet) to manage Global Permissions. 

Since that module is published as open source, I would suggest opening an Issue in that repo for this functionality.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

2 Replies
LucD
Leadership
Leadership
‎12-18-2020 09:50 AM
Jump to solution

Global permissions are done through and maintained in SSO.
It is then propagated to all vCenters in that SSO domain.
Hence why you see those permessions appearing on the Datacenters folder (the root of a vCenter hierarchy).

Unfortunately, afaik the recent VMware.vSphere.SsoAdmin module doesn't contain any functions (yet) to manage Global Permissions. 

Since that module is published as open source, I would suggest opening an Issue in that repo for this functionality.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

MC1903
Enthusiast
Enthusiast
‎12-18-2020 12:24 PM
Jump to solution

Thanks @LucD 

Appreciate the explanation; makes sense, but it sucks that we have got to PowerCLI v12.1 without an official cmdlet/module to manage global permissions? 🤔

Cheers,

M

 

 

 

0 Kudos