elihuj
Enthusiast

Import vCenter Permissions via XML

I am looking at Alan and LucD's import script for permissions in vCenter. I've used it in the past with no issues. I have been attempting to import permissions into my 6.7 vCenter, and have been receiving the following error:

Get-View : Cannot validate argument on parameter 'ViewType'. Accepted types: ClusterComputeResource, ComputeResource, Datacenter, Datastore,
DistributedVirtualPortgroup, DistributedVirtualSwitch, Folder, HostSystem, Network, OpaqueNetwork, ResourcePool, StoragePod, VirtualApp, VirtualMachine,
VmwareDistributedVirtualSwitch
At C:\vCenter_Permissions.ps1:231 char:34
+     $entity = Get-View -ViewType $_.EntityType -Filter @{"Name"=("^"  ...
+                                  ~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-View], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.DotNetInterop.GetVIView

Which corresponds to this line: $entity = Get-View -ViewType $_.EntityType -Filter @{"Name"=("^" + $EntityName + "$")}

0 Kudos
LucD
Leadership

There must be something in the file under EntityType that doesn't appear in the list of accepted types.
Can you check?
Or point me to the actual scripts you use for import and export.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
elihuj
Enthusiast

Thank you for the quick reply LucD. Here are the scripts I am using:

###Export###

$outputdir = "C:\Support\Roles\"

# Root of the XML file
$global:vInventory = [xml]"<Inventory></Inventory>"

# Functions
function New-XmlNode{
  param($node, $nodeName)
  $tmp = $global:vInventory.CreateElement($nodeName)
  $node.AppendChild($tmp)
}

function Set-XmlAttribute{
  param($node, $name, $value)
  $node.SetAttribute($name, $value)
}

function Get-XmlNode{
  param ($path)
  $global:vInventory.SelectNodes($path)
}

function Get-Roles{
  begin{
    $authMgr = Get-View AuthorizationManager
    $report = @()
  }
  process{
    foreach($role in $authMgr.roleList){
      $ret = New-Object PSObject
      $ret | Add-Member -Type noteproperty -Name "Name" -Value $role.name
      $ret | Add-Member -Type noteproperty -Name "Label" -Value $role.info.label
      $ret | Add-Member -Type noteproperty -Name "Summary" -Value $role.info.summary
      $ret | Add-Member -Type noteproperty -Name "RoleId" -Value $role.roleId
      $ret | Add-Member -Type noteproperty -Name "System" -Value $role.system
      $ret | Add-Member -Type noteproperty -Name "Privilege" -Value $role.privilege
      $report += $ret
    }
  }
  end{
    return $report
  }
}

function Get-Permissions
{
  begin{
    $report = @()
    $authMgr = Get-View AuthorizationManager
    $roleHash = @{}
    $authMgr.RoleList | %{
      $roleHash[$_.RoleId] = $_.Name
    }
  }
  process{
    $perms = $authMgr.RetrieveAllPermissions()
    foreach($perm in $perms){
      $ret = New-Object PSObject
      $entity = Get-View $perm.Entity
      $ret | Add-Member -Type noteproperty -Name "Entity" -Value $entity.Name
      $ret | Add-Member -Type noteproperty -Name "EntityType" -Value $entity.gettype().Name
      $ret | Add-Member -Type noteproperty -Name "Group" -Value $perm.Group
      $ret | Add-Member -Type noteproperty -Name "Principal" -Value $perm.Principal
      $ret | Add-Member -Type noteproperty -Name "Propagate" -Value $perm.Propagate
      $ret | Add-Member -Type noteproperty -Name "Role" -Value $roleHash[$perm.RoleId]
      $report += $ret
    }
  }
  end{
    return $report
  }
}

$global:vInventory = [xml]"<Inventory><Roles/><Permissions/></Inventory>"

# Main

# Roles
$XMLRoles = Get-XmlNode "Inventory/Roles"
Get-Roles | where {-not $_.System} | % {
  $XMLRole = New-XmlNode $XMLRoles "Role"
  Set-XmlAttribute $XMLRole "Name" $_.Name
  Set-XmlAttribute $XMLRole "Label" $_.Label
  Set-XmlAttribute $XMLRole "Summary" $_.Summary
  $_.Privilege | % {
    $XMLPrivilege = New-XmlNode $XMLRole "Privilege"
    Set-XmlAttribute $XMLPrivilege "Name" $_
  }
}

# Permissions
$XMLPermissions = Get-XmlNode "Inventory/Permissions"
Get-Permissions | % {
  $XMLPerm = New-XmlNode $XMLPermissions "Permission"
  Set-XmlAttribute $XMLPerm "Entity" $_.Entity
  Set-XmlAttribute $XMLPerm "EntityType" $_.EntityType
  Set-XmlAttribute $XMLPerm "Group" $_.Group
  Set-XmlAttribute $XMLPerm "Principal" $_.Principal
  Set-XmlAttribute $XMLPerm "Propagate" $_.Propagate
  Set-XmlAttribute $XMLPerm "Role" $_.Role
}

# Create XML file
$global:vInventory.Save($outputdir + "vcenter.xml")

###Import###

# Functions
function New-Role
{
    param($name, $privIds)
    Begin{}
    Process{
        $roleId = $authMgr.AddAuthorizationRole($name,$privIds)
    }
    End{
        return $roleId
    }
}

function Set-Permission
{
    param(
        [VMware.Vim.ManagedEntity]$object,
        [VMware.Vim.Permission]$permission
    )
    Begin{}
    Process{
        $perms = $authMgr.SetEntityPermissions($object.MoRef,@($permission))
    }
    End{
        return
    }
}

# Main

# Create hash table with the current roles
$authMgr = Get-View AuthorizationManager
$roleHash = @{}
$authMgr.RoleList | % {
    $roleHash[$_.Name] = $_.RoleId
}

# Read XML file
$XMLfile = "C:\Support\Roles\vcenter.xml"
$vInventory = [xml]"<dummy/>"
$vInventory.Load($XMLfile)

# Define Xpaths for the roles and the permissions
$XpathRoles = "Inventory/Roles/Role"
$XpathPermissions = "Inventory/Permissions/Permission"

# Create custom roles
$vInventory.SelectNodes($XpathRoles) | % {
    if(-not $roleHash.ContainsKey($_.Name)){
        $privArray = @()
        $_.Privilege | % {
            $privArray += $_.Name
        }
        $roleHash[$_.Name] = (New-Role $_.Name $privArray)
    }
}

# Set permissions
$vInventory.SelectNodes($XpathPermissions) | % {
    $perm = New-Object VMware.Vim.Permission
    $perm.group = &{if ($_.Group -eq "true") {$true} else {$false}}
    $perm.principal = $_.Principal
    $perm.propagate = &{if($_.Propagate -eq "true") {$true} else {$false}}
    $perm.roleId = $roleHash[$_.Role]
    $EntityName = $_.Entity.Replace("(","\(").Replace(")","\)")
    $EntityName = $EntityName.Replace("[","\[").Replace("]","\]")
    $EntityName = $EntityName.Replace("{","\{").Replace("}","\}")
    $entity = Get-View -ViewType $_.EntityType -Filter @{"Name"=("^" + $EntityName + "$")}
    Set-Permission $entity $perm
}

0 Kudos
LucD
Leadership

Can you check what EntityType values are present in the XML file with the following snippet?

$XMLfile = "C:\Support\Roles\vcenter.xml"
$vInventory = [xml]"<dummy/>"
$vInventory.Load($XMLfile)
$vInventory.SelectNodes("Inventory/Permissions/Permission") |
  Select -ExpandProperty EntityType |
  Group-Object


0 Kudos
elihuj
Enthusiast

Here is the output I get:

Count Name                      Group
----- ----                      -----
   26 Object[]                  {Object[], Object[], Object[], Object[]...}
    2 Datastore                 {Datastore, Datastore}
    2 ClusterComputeResource    {ClusterComputeResource, ClusterComputeResource}
    1 DistributedVirtualPort... {DistributedVirtualPortgroup}
    1 Folder                    {Folder}
    1 VirtualMachine            {VirtualMachine}

0 Kudos
LucD
Leadership

That 1st entry is most probably the culprit.
Can you find it back in the XML file?

Eliminate all the other entries, and what is left is probably the one shown as object[].


0 Kudos
elihuj
Enthusiast

I'm seeing a lot of these in the XML file:

<Permission Role="Admin" Propagate="True" Principal="VSPHERE.LOCAL\Administrator" Group="False" EntityType="Object[]" Entity="Datacenters Datacenters"/>
<Permission Role="Admin" Propagate="True" Principal="VSPHERE.LOCAL\Administrator" Group="False" EntityType="Object[]" Entity="Datacenters Datacenters"/>
<Permission Role="AutoUpdateUser" Propagate="True" Principal="VSPHERE.LOCAL\AutoUpdate" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>
<Permission Role="Admin" Propagate="True" Principal="VSPHERE.LOCAL\Administrators" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>
<Permission Role="Admin" Propagate="True" Principal="Lab\VMware_Admins" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>
<Permission Role="ReadOnly" Propagate="True" Principal="Lab\Tier1" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>

Of all the entries in my XML with EntityType="Object[]", they all appear to be for the Datacenters Entity only.

0 Kudos
LucD
Leadership

The fact that we see "Datacenters Datacenters" could mean that there are multiple connections open.

Is there more than 1 entry in $global:DefaultVIServers when you run the export?


0 Kudos
elihuj
Enthusiast

Yes, that was it! In my testing, I more than likely did NOT kill my initial session prior to running the export. I started from scratch, and had a much better looking XML file to import from. Tested both export and import. Much thanks for your assistance LucD.

Output from $vInventory now:

Count Name                      Group
----- ----                      -----
    2 Datastore                 {Datastore, Datastore}
    2 ClusterComputeResource    {ClusterComputeResource, ClusterComputeResource}
    1 DistributedVirtualPort... {DistributedVirtualPortgroup}
   15 Folder                    {Folder, Folder, Folder, Folder...}
    1 VirtualMachine            {VirtualMachine}

0 Kudos
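
A pre-flight check for the problem diagnosed in this thread, as an added example that is not part of the original posts or of Alan and LucD's script: it counts the open sessions in `$global:DefaultVIServers` before an export and lists `Permission` nodes whose `EntityType` is not among the types named in the quoted `Get-View` error before an import. The helper names `Get-VIConnectionCount` and `Get-InvalidPermissionNode` and the sample XML are constructed for illustration.

```powershell
# Accepted -ViewType values, copied from the Get-View error quoted in the thread.
$AcceptedTypes = 'ClusterComputeResource','ComputeResource','Datacenter','Datastore',
    'DistributedVirtualPortgroup','DistributedVirtualSwitch','Folder','HostSystem',
    'Network','OpaqueNetwork','ResourcePool','StoragePod','VirtualApp',
    'VirtualMachine','VmwareDistributedVirtualSwitch'

function Get-VIConnectionCount {
    # Hypothetical helper: number of open vCenter sessions (0 if none are open).
    # With more than one session, Get-View returns one object per server, which is
    # how the export ended up writing EntityType="Object[]".
    param($Servers = $global:DefaultVIServers)
    return @($Servers | Where-Object { $null -ne $_ }).Count
}

function Get-InvalidPermissionNode {
    # Hypothetical helper: Permission nodes whose EntityType Get-View would reject.
    param([xml]$Inventory)
    $Inventory.SelectNodes('Inventory/Permissions/Permission') |
        Where-Object { $AcceptedTypes -notcontains $_.EntityType }
}

# Constructed sample: one healthy entry and one written by a multi-session export.
$sample = [xml]@'
<Inventory><Roles/><Permissions>
  <Permission Role="ReadOnly" Propagate="True" Principal="Lab\Tier1" Group="True" EntityType="Folder" Entity="Prod"/>
  <Permission Role="ReadOnly" Propagate="True" Principal="Lab\Tier1" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>
</Permissions></Inventory>
'@

# Before exporting: insist on exactly one vCenter session.
$sessions = Get-VIConnectionCount
if ($sessions -ne 1) {
    Write-Warning "Expected exactly 1 entry in `$global:DefaultVIServers, found $sessions."
}

# Before importing: list entries the import cannot resolve to a single entity.
$bad = @(Get-InvalidPermissionNode $sample)
$bad | Select-Object Entity, EntityType, Principal, Role | Format-Table -AutoSize
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) permission entries cannot be resolved; re-export from a single session."
}
```

To check a real export, load the file with `$vInventory.Load($XMLfile)` as in the thread and pass `$vInventory` to `Get-InvalidPermissionNode` in place of `$sample`.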