I'm trying to put a report together that captures all the roles and permissions in a vCenter. My problem is not knowing where to begin. I've seen scripts for exporting SSO roles, for importing SSO roles, and more; but nothing on just reporting on roles and permissions. I believe that would be similar to a type of audit, which is really what this report is for. In order to know where our vCenter(s)' security is lacking, I'd like to know what is there currently. That way, I can see at a glance what needs to be fixed. Even a function that captures all the roles, permissions/privileges and exports them to a CSV file would be wonderful. Suggestions/guidance anyone?
Thanks in advance,
Migs
Try something like this
$si = Get-View ServiceInstance -Server $global:DefaultVIServer
$authMgr = Get-View -Id $si.Content.AuthorizationManager -Server $global:DefaultVIServer
$authMgr.RetrieveAllPermissions() |
Select @{N='Entity';E={Get-View -Id $_.Entity -Property Name -Server $global:DefaultVIServer | select -ExpandProperty Name}},
@{N='Entity Type';E={$_.Entity.Type}},
Principal,
Propagate,
@{N='Role';E={$perm = $_; ($authMgr.RoleList | where{$_.RoleId -eq $perm.RoleId}).Info.Label}} |
Format-Table -AutoSize
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
THAT WAS AWESOME!!! I am always awestruck when I look at the depth of scope regarding these properties. I thought that I had it bad enough trying to learn more of the .NET Class Library. (Do you know that I have not been able to locate one (1) book on Amazon that teaches about that? Plenty on ASP.NET, but nothing specific to .NET or its class library.) I wanted to get familiar with it at least so that when I need some type of calculated field, I can have a jump ahead on solving it if I can recognize what class it might belong to.
Yesterday, I purchased the new 2nd edition of Learning PowerCLI. (Loved seeing you listed as one of the authors.) I've been poring through the pages, trying to reach a better understanding of scripting not just for reporting, but configuring, deploying and a host of other stuff. Sometimes, it can be a bit daunting, but I never quit; because this stuff is waaaasaayy too much fun.
Your script was right on the money. Now I'm going to try doing the same for ALL the other 28 vCenters in our environment. I recently put together a script which connects to each vCenter aggregately. Now the question is "Do I go with that method, which will give me a list of permissions which I will then have to sort by vCenter and then the entity, Entity Type, Principal, Propagate and Role. OR?????"
Do I put this within a for each loop and then the information prints out per vCenter as opposed to one huge mass?
And I assume, hopefully correctly, that to put it to CSV, I would go to the end of your code, add a space or two and then the pipe and another space, then place the Export-CSV command afterwards and have it send the data to a file which I will name myself before letting it kick off right away. I'm leaning towards the latter choice because it calls for using that foreach statement that you've been trying to teach me about. I'm still intimidated by it, but I'm still practicing on it; till I get it right.
Thanks again for all of your help.
Migs
If you want to handle multiple vCenters in one run, you should connect to all these vCenters beforehand.
Then try like this
$report = foreach($vc in $global:DefaultVIServers){
$si = Get-View ServiceInstance -Server $vc
$authMgr = Get-View -Id $si.Content.AuthorizationManager -Server $vc
$authMgr.RetrieveAllPermissions() |
Select @{N='vCenter';E={$vc.Name}},
@{N='Entity';E={Get-View -Id $_.Entity -Property Name -Server $vc | select -ExpandProperty Name}},
@{N='Entity Type';E={$_.Entity.Type}},
Principal,
Propagate,
@{N='Role';E={$perm = $_; ($authMgr.RoleList | where{$_.RoleId -eq $perm.RoleId}).Info.Label}}
}
$report | Export-Csv permissions.csv -NoTypeInformation -UseCulture
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
You must get amazingly tired of me telling you just how awesome you are. Thank you again. I'm about to run an initial test on your iteration. I was thinking that perhaps instead of doing something like:
Connect-VIServer VC-ABC
Connect-VIServer VC-DEF
Connect-VIServer VC-GHI...
I'm trying to determine a way (if there is one) to do this more efficiently. There are two (2) ideas which come to mind, one is using hash tables. I'm starting to get a little better with those, but I'm not sure if I should apply them here. Another thought was to use JSON to create a file for the script to pull from. I don't know why, but it just seems like putting down 25+ Connect-VIServer statements appears wasteful. Am I overreaching on this? In my old days of programming (i.e. COBOL, Clipper) it would be frowned upon to have those 'hard coded' into the program. It seems to be a better idea to have the script grab an input file (using hash tables or JSON). That way, if anyone else ever needed something like that (especially now that 6.5 allows our colleagues to vMotion across vCenters), they could use the script and then they just put together their own input file. That would appear to be making it reusable code.....I think.
Does that make sense?
It's been a long day and my work computer is functioning worse and worse. (That's another story for another time.) My eyes are deceiving me and my brain is trying to go on strike. I've just placed an online order for some food from Pizza Hut in the hopes that it will help me make it through the next 3hrs and 13mins.
TAA (thanks as always),
Migs
Lol :smileysilly:
Yes, you'd better store those vCenter names, and credentials eventually, in an external, well-protected file.
There is a nice overview of the possibilities in Using saved credentials securely in PowerShell scripts
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
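One way to put that advice together with the multi-vCenter report above, as an added example rather than LucD's own code: the vCenter names come from a JSON file and each vCenter's credential from a DPAPI-protected Export-Clixml file, so nothing is hard-coded in the script. The file paths, the JSON layout and the one-credential-file-per-vCenter naming are assumptions made up for this example; the report body is the same RetrieveAllPermissions() query LucD showed.

```powershell
# Added example, not part of LucD's original post.
# Assumed (constructed) inputs:
#   C:\Scripts\vcenters.json      -> { "vCenters": [ "VC-ABC", "VC-DEF", "VC-GHI" ] }
#   C:\Scripts\creds\<vcName>.xml -> created once, interactively, per vCenter with
#       Get-Credential | Export-Clixml -Path C:\Scripts\creds\VC-ABC.xml
# Export-Clixml stores the password as a DPAPI-protected SecureString, so the
# file only decrypts for the same Windows account on the same machine.
# Assumes the PowerCLI default of DefaultVIServerMode = Multiple, so every
# Connect-VIServer adds to $global:DefaultVIServers instead of replacing it.
$cfg     = Get-Content -Path 'C:\Scripts\vcenters.json' -Raw | ConvertFrom-Json
$credDir = 'C:\Scripts\creds'

foreach ($vcName in $cfg.vCenters) {
    $credFile = Join-Path -Path $credDir -ChildPath "$vcName.xml"
    if (-not (Test-Path -Path $credFile)) {
        Write-Warning "No saved credential for $vcName, skipping it"
        continue
    }
    try {
        $cred = Import-Clixml -Path $credFile
        Connect-VIServer -Server $vcName -Credential $cred -ErrorAction Stop | Out-Null
    }
    catch {
        # One unreachable vCenter should not abort the whole audit run
        Write-Warning "Could not connect to ${vcName}: $($_.Exception.Message)"
    }
}

# Same explicit-permission report as above, once per connected vCenter
$report = foreach ($vc in $global:DefaultVIServers) {
    $si      = Get-View ServiceInstance -Server $vc
    $authMgr = Get-View -Id $si.Content.AuthorizationManager -Server $vc
    $authMgr.RetrieveAllPermissions() |
        Select-Object @{N='vCenter';E={$vc.Name}},
            @{N='Entity';E={Get-View -Id $_.Entity -Property Name -Server $vc | Select-Object -ExpandProperty Name}},
            @{N='Entity Type';E={$_.Entity.Type}},
            Principal,
            Propagate,
            @{N='Role';E={$perm = $_; ($authMgr.RoleList | Where-Object {$_.RoleId -eq $perm.RoleId}).Info.Label}}
}

$report | Export-Csv -Path 'C:\Scripts\permissions.csv' -NoTypeInformation -UseCulture
Disconnect-VIServer -Server * -Confirm:$false
```

The credential files must be created by the account that will later run the script (a scheduled-task account, for instance), since DPAPI ties them to that user.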
Could that script be modified to report on hosts, VMs, datastores and network permissions placed on principals in a vSphere environment?
Isn't that what the script is doing?
Or can you elaborate on what you mean?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD
I apologize. I overlooked what items were on the vCenter I ran the report on. Your script works fine.
Thanks,
DR
Thank you for this amazing script! It does exactly what I need with one exception. It seems to be pulling information from the top level of objects and not recursing down into folders. I am auditing 3 vCenters and there are a number of folders which the script picks up, but not the hosts, VMs, and other objects inside those folders. Is there any way to modify the script so it recurses down into those folders and pulls data from those objects as well?
The script only lists the explicit permissions, not the propagated ones.
To see all permissions on a specific entity, use the Get-VIPermission cmdlet with the Entity parameter.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
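To get the effective (explicit plus propagated) permissions on every object, which is what the folder question above was really after, here is an added example that is not LucD's code: it walks the inventory of each connected vCenter and calls Get-VIPermission with the Entity parameter per object. It assumes that the Entity property on each returned permission is the object on which the permission was defined, which is how explicit and inherited entries are told apart below.

```powershell
# Added example, not part of LucD's original post.
# Assumes you are already connected to the vCenter(s) you want to audit.
$report = foreach ($vc in $global:DefaultVIServers) {
    # Get-Inventory walks the inventory tree (datacenters, folders, clusters,
    # hosts, VMs, ...). Datastores are added separately and the list is
    # de-duplicated by Id in case Get-Inventory already returned some of them.
    $objects = @(Get-Inventory -Server $vc) + @(Get-Datastore -Server $vc) |
        Sort-Object -Property Id -Unique

    foreach ($obj in $objects) {
        # With -Entity, Get-VIPermission returns every permission that applies to
        # this object, including those propagated down from parent containers
        foreach ($perm in Get-VIPermission -Entity $obj -Server $vc) {
            [PSCustomObject]@{
                vCenter    = $vc.Name
                Object     = $obj.Name
                ObjectType = $obj.ExtensionData.MoRef.Type   # e.g. VirtualMachine, Folder
                Principal  = $perm.Principal
                IsGroup    = $perm.IsGroup
                Role       = $perm.Role
                Propagate  = $perm.Propagate
                DefinedOn  = $perm.Entity.Name
                # Assumption: Entity is where the permission was set, so a
                # mismatch with the object we asked about means it was inherited
                Inherited  = ($perm.Entity.Id -ne $obj.Id)
            }
        }
    }
}

$report | Export-Csv -Path effective-permissions.csv -NoTypeInformation -UseCulture
```

Expect this to run much slower than RetrieveAllPermissions(), since it makes one Get-VIPermission call per inventory object; it is meant for the one-off audit, not for a quick daily export.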