VMware Cloud Community
JLogan2016
Enthusiast

Get-VIPermissions only on current item

I am working on a larger script that includes a function to pull permissions from a datacenter. At present I am using this:

...

#Get all DataCenter level Permissions
    Get-VIPermission -Entity $sDC |
        Export-Clixml $sDir\DC_Permissions.xml

...

This works, but it pulls all permissions, including those set at the parent. I then have to do some massaging when I import this datacenter into another vCenter to cut those propagated items out, or do a SilentlyContinue. Just curious if there is an easy way to tell it to grab from the Datacenter only those permissions that are defined on that object. I have been reading through the Get-VIPermission documentation and Googling, but haven't stumbled across a way yet.

0 Kudos
LucD
Leadership

The Get-VIPermission cmdlet always returns the inherited permissions as well.

You'll have to revert to the API RetrieveEntityPermissions method to avoid getting the inherited permissions.

Something like this for example

$dcName = 'MyDC'
$authMgr = Get-View AuthorizationManager
$dc = Get-Datacenter -Name $dcName
$inherited = $false
$authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
JLogan2016
Enthusiast

Thanks for the suggestion, I was unaware of that method. This is what I am trying then:

$dcName = 'DPI'
Connect-VIServer -Server "myserver" -User "Administrator@LC.Local" -Password "MyPW"
$authMgr = Get-View AuthorizationManager
$dc = Get-Datacenter -Name $dcName
$inherited = $false
$authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited)
Disconnect-VIServer -Server "myserver" -Confirm:$false

And am getting this error. It appears like it is looking for another parameter:

Exception calling "RetrieveEntityPermissions" with "2" argument(s): "
Required parameter entity is missing
while parsing call information for method RetrieveEntityPermissions
at line 1, column 171
while parsing SOAP body
at line 1, column 64
while parsing SOAP envelope
at line 1, column 0
while parsing HTTP request for method retrieveEntityPermissions
on object of type vim.AuthorizationManager
at line 1, column 0"
At line:10 char:1
+ $authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : VimException

0 Kudos
LucD
Leadership

You will have to change line 7.

The first parameter is the MoRef for the entity for which you want to retrieve the permissions.

That should be

$authMgr.RetrieveEntityPermissions($dc.ExtensionData.MoRef,$inherited)



0 Kudos
JLogan2016
Enthusiast

You are awesome as usual, thanks for the help!

0 Kudos
JLogan2016
Enthusiast

Ok, so I lied. I thought I had the structure down, it works for both the datacenter and cluster level. But I cannot seem to get it to work for folder level. If I know the folder name it works, i.e.:

...vCenter connection

$folder = Get-Folder MDC
$authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited) |
    Export-Clixml C:\Users\Administrator\Desktop\Output.xml

...

But I haven't found an elegant way to grab all the folders from the cluster, get the object-level permissions and then output to a single xml. After mucking about for a while, I came up with this:

$folders = $dc | Get-Folder
foreach ($item in $folders) {
    $name = Get-Folder $item.Name
    $authMgr.RetrieveEntityPermissions($name.ExtensionData.MoRef,$inherited) |
        Export-Clixml C:\Users\Administrator\Desktop\$name.xml
}

It works, outputs the xml files, but I know it is horribly redundant with the double call to Get-Folder. It also produces an error for each folder, even though I get the output I desire:

Cannot convert argument "entity", with value: "System.Object[]", for "RetrieveEntityPermissions" to type "VMware.Vim.ManagedObjectReference": "Cannot convert the
"System.Object[]" value of type "System.Object[]" to type "VMware.Vim.ManagedObjectReference"."
At line:20 char:9
+         $authMgr.RetrieveEntityPermissions($name.ExtensionData.MoRef,$inherited) ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument

0 Kudos
LucD
Leadership

Try like this

$dcName = 'MDC'
Connect-VIServer -Server "myserver" -User "Administrator@LC.Local" -Password "MyPW"

$authMgr = Get-View AuthorizationManager
$dc = Get-Datacenter -Name $dcName
$inherited = $false
$report = foreach($folder in (Get-Folder -Location $dc)){
    $authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited) |
    Select @{N='Folder';E={$folder.Name}},
        Principal,Group,RoleId,Propagate
}
$report | Export-Clixml C:\Users\Administrator\Desktop\Output.xml
Disconnect-VIServer -Server "myserver" -Confirm:$false


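An added example (not code from any poster in this thread) that collects the permissions defined directly on a datacenter and on the clusters and folders beneath it in one pass, and resolves each RoleId to a role name through the AuthorizationManager's RoleList so the export stays readable outside the source vCenter. It assumes PowerCLI with an already connected session; the function name Get-DirectVIPermission, the datacenter name 'MyDC' and the output file name are hypothetical.

```powershell
# Added example. Assumes VMware PowerCLI and an open session, e.g.
#   Connect-VIServer -Server <vcenter> -Credential (Get-Credential)
# which keeps the password out of the script text.
function Get-DirectVIPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DatacenterName
    )

    $authMgr = Get-View AuthorizationManager

    # Build a RoleId -> role name lookup once from the AuthorizationManager view.
    $roleName = @{}
    foreach ($role in $authMgr.RoleList) { $roleName[$role.RoleId] = $role.Name }

    $dc = Get-Datacenter -Name $DatacenterName

    # The datacenter itself plus the clusters and folders located under it.
    $entities = @($dc) + @(Get-Cluster -Location $dc) + @(Get-Folder -Location $dc)

    foreach ($entity in $entities) {
        # One object per call: RetrieveEntityPermissions takes a single MoRef,
        # so an array of MoRefs fails with the System.Object[] conversion error.
        # $false = leave out permissions inherited from parent objects.
        $perms = $authMgr.RetrieveEntityPermissions($entity.ExtensionData.MoRef, $false)
        foreach ($perm in $perms) {
            [pscustomobject]@{
                EntityType = $entity.ExtensionData.MoRef.Type
                Entity     = $entity.Name
                EntityId   = $entity.Id      # disambiguates objects sharing a name
                Principal  = $perm.Principal
                IsGroup    = $perm.Group
                RoleId     = $perm.RoleId
                Role       = $roleName[$perm.RoleId]
                Propagate  = $perm.Propagate
            }
        }
    }
}

# 'MyDC' and the file name are placeholders.
Get-DirectVIPermission -DatacenterName 'MyDC' |
    Export-Clixml .\DC_DirectPermissions.xml
```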