VMware Cloud Community
mvelezwhiteFFI
Contributor

How do I create a report on vCenter permissions via PowerCLI

I'm trying to put a report together that captures all the roles and permissions in a vCenter.  My problem is not knowing where to begin.  I've seen scripts for exporting SSO roles, for importing SSO roles, and more; but nothing on just reporting on roles and permissions.  I believe that would be similar to a type of audit; which is really what this report is for.  In order to know where our vCenter(s) security is lacking, I'd like to know what is there currently.  That way, I can see at a glance what needs to be fixed.  Even a function that captures all the roles, permissions/privileges and exports them to a CSV file.  That would be wonderful.  Suggestions/guidance anyone?

Thanks in advance,

Migs

10 Replies
LucD
Leadership

Try something like this

# Get the AuthorizationManager of the connected vCenter (note the space before -Server)
$si = Get-View ServiceInstance -Server $global:DefaultVIServer
$authMgr = Get-View -Id $si.Content.AuthorizationManager -Server $global:DefaultVIServer
# RetrieveAllPermissions returns every explicitly defined permission in the inventory
$authMgr.RetrieveAllPermissions() |
Select @{N='Entity';E={Get-View -Id $_.Entity -Property Name -Server $global:DefaultVIServer | select -ExpandProperty Name}},
    @{N='Entity Type';E={$_.Entity.Type}},
    Principal,
    Propagate,
    @{N='Role';E={$perm = $_; ($authMgr.RoleList | where{$_.RoleId -eq $perm.RoleId}).Info.Label}} |
    Format-Table -AutoSize


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mvelezwhiteFFI
Contributor

THAT WAS AWESOME!!!    I am always awestruck when I look at the depth of scope regarding these properties.  I thought that I had it bad enough trying to learn more of the .NET Class Library.  (Do you know that I have not been able to locate one (1) book on Amazon that teaches about that?  Plenty on ASP.NET, but nothing specific to .NET or its class library.)  I wanted to get familiar with it at least so that when I need some type of calculated field, I can have a jump ahead on solving it if I can recognize what class it might belong to.

Yesterday, I purchased the new 2nd edition of Learning PowerCLI.  (Loved seeing you listed as one of the authors.)  I've been poring through the pages, trying to reach a better understanding of scripting not just for reporting, but configuring, deploying and a host of other stuff.  Sometimes, it can be a bit daunting, but I never quit; because this stuff is waaaasaayy too much fun.

Your script was right on the money.  Now I'm going to try doing the same for ALL the other 28 vCenters in our environment.  I recently put together a script which connects to each vCenter aggregately.  Now the question is "Do I go with that method, which will give me a list of permissions which I will then have to sort by vCenter and then the entity, Entity Type, Principal, Propagate and Role. OR?????

Do I put this within a for each loop and then the information prints out per vCenter as opposed to one huge mass? 

And I assume, hopefully correctly, that to put it to CSV, I would go to the end of your code, add a space or two and then the pipe and another space, then place the Export-CSV command afterwards and have it send the data as a file which I will name myself before letting it kick off right away.  I'm leaning towards the latter choice because it calls for using that foreach statement that you've been trying to teach me about. I'm still intimidated by it, but I'm still practicing on it; till I get it right.

Thanks again for all of your help. 

Migs

LucD
Leadership

If you want to handle multiple vCenters in one run, you should connect to all these vCenters beforehand.

Then try like this

# One object per permission, tagged with the vCenter it came from;
# $global:DefaultVIServers holds every session opened with Connect-VIServer
$report = foreach($vc in $global:DefaultVIServers){
    $si = Get-View ServiceInstance -Server $vc
    $authMgr = Get-View -Id $si.Content.AuthorizationManager -Server $vc
    $authMgr.RetrieveAllPermissions() |
    Select @{N='vCenter';E={$vc.Name}},
        @{N='Entity';E={Get-View -Id $_.Entity -Property Name -Server $vc | select -ExpandProperty Name}},
        @{N='Entity Type';E={$_.Entity.Type}},
        Principal,
        Propagate,
        @{N='Role';E={$perm = $_; ($authMgr.RoleList | where{$_.RoleId -eq $perm.RoleId}).Info.Label}}
}

# -UseCulture picks the list separator of the current locale so Excel opens the file directly
$report | Export-Csv permissions.csv -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

mvelezwhiteFFI
Contributor

You must get amazingly tired of me telling you just how awesome you are.  Thank you again.  I'm about to run an initial test on your iteration.  I was thinking that perhaps instead of doing something like:

Connect-VIServer VC-ABC

Connect-VIServer VC-DEF

Connect-VIServer VC-GHI...

I'm trying to determine a way (if there is one) to do this more efficiently.  There are two (2) ideas which come to mind; one is using hash tables.  I'm starting to get a little better with those, but I'm not sure if I should apply them here.  Another thought was to use JSON to create a file for the script to pull from.  I don't know why, but it just seems like putting down 25+ Connect-VIServer statements appears wasteful.  Am I overreaching on this?  In my old days of programming (i.e. COBOL, Clipper) it would be frowned upon to have those 'hard coded' into the program.  It seems to be a better idea to have the script grab an input file (using hash tables or JSON).  That way, if anyone else ever needed something like that (especially now that 6.5 allows our colleagues to vMotion across vCenters), they could use the script and then they just put together their own input file.  That would appear to be making it reusable code.....I think.

Does that make sense?

It's been a long day and my work computer is functioning worse and worse.  (That's another story for another time.)  My eyes are deceiving me and my brain is trying to go on strike.  I've just placed an online order for some food from Pizza Hut in the hopes that it will help me make it through the next 3hrs and 13mins.

TAA (thanks as always),

Migs

LucD
Leadership

Lol :smileysilly:

Yes, you better store those vCenter names, and credentials eventually, in an external, well protected file.

There is a nice overview of the possibilities in Using saved credentials securely in PowerShell scripts


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
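As an added example of the approach LucD recommends above (this is not LucD's code or part of the thread), the script below reads the vCenter list from a JSON file and the login from a credential file, connects to every vCenter it finds, and then runs the same permission report over all of them. The file names `vcenters.json`, `vc-cred.xml` and `permissions.csv` and the JSON layout `{"vCenters":["vc-a.example.com","vc-b.example.com"]}` are assumptions chosen for the example. The credential file is created once, interactively, with `Get-Credential | Export-Clixml -Path vc-cred.xml`; on Windows, Export-Clixml protects the password with DPAPI, so only the same user account on the same machine can read it back, and the file should additionally carry restrictive NTFS permissions.

```powershell
# Added example, not LucD's code. Assumed inputs:
#   vcenters.json : {"vCenters":["vc-a.example.com","vc-b.example.com"]}
#   vc-cred.xml   : created with  Get-Credential | Export-Clixml -Path vc-cred.xml
param(
    [string]$ConfigPath = '.\vcenters.json',
    [string]$CredPath   = '.\vc-cred.xml',
    [string]$OutPath    = '.\permissions.csv'
)

$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
# Import-Clixml rebuilds the PSCredential; the password is only readable by the
# Windows user who exported it (DPAPI), which is why this beats a plain-text file.
$cred = Import-Clixml -Path $CredPath

# Connect to every vCenter in the file; a failed connection is reported, not fatal,
# so the report still covers the vCenters that did answer.
foreach ($name in $config.vCenters) {
    try {
        Connect-VIServer -Server $name -Credential $cred -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Could not connect to $name : $($_.Exception.Message)"
    }
}

# Same permission report as LucD's multi-vCenter loop, over whatever actually connected
$report = foreach ($vc in $global:DefaultVIServers) {
    $si      = Get-View ServiceInstance -Server $vc
    $authMgr = Get-View -Id $si.Content.AuthorizationManager -Server $vc
    $authMgr.RetrieveAllPermissions() |
        Select-Object @{N='vCenter';E={$vc.Name}},
            @{N='Entity';E={Get-View -Id $_.Entity -Property Name -Server $vc | Select-Object -ExpandProperty Name}},
            @{N='Entity Type';E={$_.Entity.Type}},
            Principal,
            Propagate,
            @{N='Role';E={$perm = $_; ($authMgr.RoleList | Where-Object {$_.RoleId -eq $perm.RoleId}).Info.Label}}
}

$report | Export-Csv -Path $OutPath -NoTypeInformation -UseCulture

# Close the sessions so the credential is not kept alive longer than the report needs
Disconnect-VIServer -Server $global:DefaultVIServers -Confirm:$false
```

Because the vCenter names live in the JSON file and the password never appears in the script, the same script can be handed to a colleague, who only needs their own `vcenters.json` and a credential file exported under their own account.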

rellan1
Contributor

Could that script be modified to report on hosts, vms, datastores and network permissions placed on principals in a vsphere environment?

LucD
Leadership

Isn't that what the script is doing?
Or can you elaborate on what you mean?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

rellan1
Contributor

LucD

I apologize.  I overlooked what items were on the vcenter I ran the report on.  Your script works fine.  

Thanks, 

DR

darkjester74a
Contributor

Thank you for this amazing script!  It does exactly what I need with one exception.  It seems to be pulling information from the top level of objects and not recursing down into folders.  I am auditing 3 vCenters and there are a number of folders which the script picks up, but not the hosts, VMs, and other objects inside those folders.  Is there any way to modify the script so it recurses down into those folders and pulls data from those objects as well?

LucD
Leadership

The script only lists the explicit permissions, not the propagated ones.

To see all permissions on a specific entity, use the Get-VIPermission cmdlet with the Entity parameter.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
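As an added example of the Get-VIPermission approach LucD points to above (not LucD's code or part of the thread), the function below asks for the permissions on every VM, host, datastore and standard port group, including the ones propagated down from folders and datacenters, and marks each row as direct or inherited. It assumes an existing Connect-VIServer session and that, for an inherited permission, the `Entity` property of the object returned by Get-VIPermission names the parent on which the permission is actually defined; the function name `Get-EffectivePermissionReport` and the output file `effective-permissions.csv` are chosen for this example.

```powershell
# Added example, not LucD's code. Requires an open Connect-VIServer session.
# Get-VIPermission -Entity returns the permissions that apply to the entity, so an
# object inside a folder shows the folder's (and datacenter's) propagated permissions,
# which RetrieveAllPermissions alone does not show for that object.
function Get-EffectivePermissionReport {
    param([Parameter(Mandatory)][object[]]$Entity)

    foreach ($obj in $Entity) {
        Get-VIPermission -Entity $obj | ForEach-Object {
            [pscustomobject]@{
                Object     = $obj.Name
                ObjectType = $obj.GetType().Name      # e.g. VirtualMachineImpl, VMHostImpl
                Principal  = $_.Principal
                IsGroup    = $_.IsGroup
                Role       = $_.Role                 # role name; the built-in Administrator role is named 'Admin'
                Propagate  = $_.Propagate
                DefinedOn  = $_.Entity.Name          # assumption: the entity where the permission is set
                Inherited  = ($_.Entity.Id -ne $obj.Id)
            }
        }
    }
}

# The object types rellan1 asked about: hosts, VMs, datastores and networks
$targets = @(Get-VM) + @(Get-VMHost) + @(Get-Datastore) + @(Get-VirtualPortGroup)
$rows = Get-EffectivePermissionReport -Entity $targets

$rows | Export-Csv -Path .\effective-permissions.csv -NoTypeInformation -UseCulture

# Quick audit view: every principal that ends up with Administrator on any object,
# and where that right was granted (directly or on a parent)
$rows | Where-Object { $_.Role -eq 'Admin' } |
    Sort-Object Principal, DefinedOn -Unique |
    Format-Table Principal, DefinedOn, Inherited -AutoSize
```

The `Inherited` column is what answers darkjester74a's question: the explicit-permission report shows a folder once, while this view shows every VM or host inside that folder that the folder's permission reaches.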
