Automation

  • 1.  Import vCenter Permissions via XML

    Posted Feb 13, 2019 08:01 PM

    I am looking at Alan and LucD's import script for permissions in vCenter. I've used it in the past with no issues. I have been attempting to import permissions into my 6.7 vCenter, and have been receiving the following error:

    Get-View : Cannot validate argument on parameter 'ViewType'. Accepted types: ClusterComputeResource, ComputeResource, Datacenter, Datastore,
    DistributedVirtualPortgroup, DistributedVirtualSwitch, Folder, HostSystem, Network, OpaqueNetwork, ResourcePool, StoragePod, VirtualApp, VirtualMachine,
    VmwareDistributedVirtualSwitch
    At C:\vCenter_Permissions.ps1:231 char:34
    +     $entity = Get-View -ViewType $_.EntityType -Filter @{"Name"=("^"  ...
    +                                  ~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [Get-View], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.DotNetInterop.GetVIView

    Which corresponds to this line:

    $entity = Get-View -ViewType $_.EntityType -Filter @{"Name"=("^" + $EntityName + "$")}



  • 2.  RE: Import vCenter Permissions via XML

    Posted Feb 13, 2019 08:11 PM

    There must be something in the file under EntityType that doesn't appear in the list of accepted types.
    Can you check?
    Or point me to the actual scripts you use for import and export.



  • 3.  RE: Import vCenter Permissions via XML

    Posted Feb 13, 2019 08:36 PM

    Thank you for the quick reply LucD. Here are the scripts I am using:

    ###Export###

    $outputdir = "C:\Support\Roles\"

    # Root of the XML file
    $global:vInventory = [xml]"<Inventory></Inventory>"

    # Functions
    function New-XmlNode{
        param($node, $nodeName)
        $tmp = $global:vInventory.CreateElement($nodeName)
        $node.AppendChild($tmp)
    }

    function Set-XmlAttribute{
        param($node, $name, $value)
        $node.SetAttribute($name, $value)
    }

    function Get-XmlNode{
        param($path)
        $global:vInventory.SelectNodes($path)
    }

    function Get-Roles{
        begin{
            $authMgr = Get-View AuthorizationManager
            $report = @()
        }
        process{
            foreach($role in $authMgr.roleList){
                $ret = New-Object PSObject
                $ret | Add-Member -Type noteproperty -Name "Name" -Value $role.name
                $ret | Add-Member -Type noteproperty -Name "Label" -Value $role.info.label
                $ret | Add-Member -Type noteproperty -Name "Summary" -Value $role.info.summary
                $ret | Add-Member -Type noteproperty -Name "RoleId" -Value $role.roleId
                $ret | Add-Member -Type noteproperty -Name "System" -Value $role.system
                $ret | Add-Member -Type noteproperty -Name "Privilege" -Value $role.privilege
                $report += $ret
            }
        }
        end{
            return $report
        }
    }

    function Get-Permissions{
        begin{
            $report = @()
            $authMgr = Get-View AuthorizationManager
            # Map RoleId -> role name so the XML stores names, not vCenter-specific ids
            $roleHash = @{}
            $authMgr.RoleList | %{
                $roleHash[$_.RoleId] = $_.Name
            }
        }
        process{
            $perms = $authMgr.RetrieveAllPermissions()
            foreach($perm in $perms){
                $ret = New-Object PSObject
                # Requires exactly one connected vCenter: with several connections Get-View
                # returns an array here, EntityType becomes "Object[]" and the names concatenate
                $entity = Get-View $perm.Entity
                $ret | Add-Member -Type noteproperty -Name "Entity" -Value $entity.Name
                $ret | Add-Member -Type noteproperty -Name "EntityType" -Value $entity.GetType().Name
                $ret | Add-Member -Type noteproperty -Name "Group" -Value $perm.Group
                $ret | Add-Member -Type noteproperty -Name "Principal" -Value $perm.Principal
                $ret | Add-Member -Type noteproperty -Name "Propagate" -Value $perm.Propagate
                $ret | Add-Member -Type noteproperty -Name "Role" -Value $roleHash[$perm.RoleId]
                $report += $ret
            }
        }
        end{
            return $report
        }
    }

    $global:vInventory = [xml]"<Inventory><Roles/><Permissions/></Inventory>"

    # Main
    # Roles (system roles are skipped, they exist on every vCenter)
    $XMLRoles = Get-XmlNode "Inventory/Roles"
    Get-Roles | where {-not $_.System} | % {
        $XMLRole = New-XmlNode $XMLRoles "Role"
        Set-XmlAttribute $XMLRole "Name" $_.Name
        Set-XmlAttribute $XMLRole "Label" $_.Label
        Set-XmlAttribute $XMLRole "Summary" $_.Summary
        $_.Privilege | % {
            $XMLPrivilege = New-XmlNode $XMLRole "Privilege"
            Set-XmlAttribute $XMLPrivilege "Name" $_
        }
    }

    # Permissions
    $XMLPermissions = Get-XmlNode "Inventory/Permissions"
    Get-Permissions | % {
        $XMLPerm = New-XmlNode $XMLPermissions "Permission"
        Set-XmlAttribute $XMLPerm "Entity" $_.Entity
        Set-XmlAttribute $XMLPerm "EntityType" $_.EntityType
        Set-XmlAttribute $XMLPerm "Group" $_.Group
        Set-XmlAttribute $XMLPerm "Principal" $_.Principal
        Set-XmlAttribute $XMLPerm "Propagate" $_.Propagate
        Set-XmlAttribute $XMLPerm "Role" $_.Role
    }

    # Create XML file
    $global:vInventory.Save($outputdir + "vcenter.xml")

    ###Import###

    # Functions
    function New-Role{
        param($name, $privIds)
        Begin{}
        Process{
            $roleId = $authMgr.AddAuthorizationRole($name,$privIds)
        }
        End{
            return $roleId
        }
    }

    function Set-Permission{
        param(
            [VMware.Vim.ManagedEntity]$object,
            [VMware.Vim.Permission]$permission
        )
        Begin{}
        Process{
            $authMgr.SetEntityPermissions($object.MoRef,@($permission))
        }
        End{
            return
        }
    }

    # Main
    # Create hash table with the current roles (name -> RoleId on the target vCenter)
    $authMgr = Get-View AuthorizationManager
    $roleHash = @{}
    $authMgr.RoleList | % {
        $roleHash[$_.Name] = $_.RoleId
    }

    # Read XML file
    $XMLfile = "C:\Support\Roles\vcenter.xml"
    $vInventory = [xml]"<dummy/>"
    $vInventory.Load($XMLfile)

    # Define Xpaths for the roles and the permissions
    $XpathRoles = "Inventory/Roles/Role"
    $XpathPermissions = "Inventory/Permissions/Permission"

    # Create custom roles that do not exist yet on the target
    $vInventory.SelectNodes($XpathRoles) | % {
        if(-not $roleHash.ContainsKey($_.Name)){
            $privArray = @()
            $_.Privilege | % {
                $privArray += $_.Name
            }
            $roleHash[$_.Name] = (New-Role $_.Name $privArray)
        }
    }

    # Set permissions
    $vInventory.SelectNodes($XpathPermissions) | % {
        $perm = New-Object VMware.Vim.Permission
        # XML attributes are strings; convert "True"/"False" to booleans
        $perm.group = ($_.Group -eq "true")
        $perm.principal = $_.Principal
        $perm.propagate = ($_.Propagate -eq "true")
        $perm.roleId = $roleHash[$_.Role]
        # Escape regex metacharacters in the entity name before using it in the Get-View filter
        $EntityName = $_.Entity.Replace("(","\(").Replace(")","\)")
        $EntityName = $EntityName.Replace("[","\[").Replace("]","\]")
        $EntityName = $EntityName.Replace("{","\{").Replace("}","\}")
        $entity = Get-View -ViewType $_.EntityType -Filter @{"Name"=("^" + $EntityName + "$")}
        Set-Permission $entity $perm
    }



  • 4.  RE: Import vCenter Permissions via XML

    Posted Feb 13, 2019 08:50 PM

    Can you check what EntityType values are present in the XML file with the following snippet?

    $XMLfile = "C:\Support\Roles\vcenter.xml"
    $vInventory = [xml]"<dummy/>"
    $vInventory.Load($XMLfile)
    $vInventory.SelectNodes("Inventory/Permissions/Permission") |
      Select -ExpandProperty EntityType |
      Group-Object



  • 5.  RE: Import vCenter Permissions via XML

    Posted Feb 13, 2019 09:06 PM

    Here is the output I get:

    Count Name                      Group
    ----- ----                      -----
       26 Object[]                  {Object[], Object[], Object[], Object[]...}
        2 Datastore                 {Datastore, Datastore}
        2 ClusterComputeResource    {ClusterComputeResource, ClusterComputeResource}
        1 DistributedVirtualPort... {DistributedVirtualPortgroup}
        1 Folder                    {Folder}
        1 VirtualMachine            {VirtualMachine}



  • 6.  RE: Import vCenter Permissions via XML

    Posted Feb 13, 2019 09:12 PM

    That 1st entry is most probably the culprit.
    Can you find it back in the XML file?

    Eliminate all the other entries, and what is left is probably the one shown as Object[].



  • 7.  RE: Import vCenter Permissions via XML

    Posted Feb 13, 2019 09:17 PM

    I'm seeing a lot of these in the XML file:

    <Permission Role="Admin" Propagate="True" Principal="VSPHERE.LOCAL\Administrator" Group="False" EntityType="Object[]" Entity="Datacenters Datacenters"/>

    <Permission Role="Admin" Propagate="True" Principal="VSPHERE.LOCAL\Administrator" Group="False" EntityType="Object[]" Entity="Datacenters Datacenters"/>

    <Permission Role="AutoUpdateUser" Propagate="True" Principal="VSPHERE.LOCAL\AutoUpdate" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>

    <Permission Role="Admin" Propagate="True" Principal="VSPHERE.LOCAL\Administrators" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>

    <Permission Role="Admin" Propagate="True" Principal="Lab\VMware_Admins" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>

    <Permission Role="ReadOnly" Propagate="True" Principal="Lab\Tier1" Group="True" EntityType="Object[]" Entity="Datacenters Datacenters"/>

    Of all the entries in my XML with EntityType="Object[]", they all appear to be for the Datacenters Entity only.



  • 8.  RE: Import vCenter Permissions via XML
    Best Answer

    Posted Feb 13, 2019 09:47 PM

    The fact that we see "Datacenters Datacenters" could mean that there are multiple connections open.

    Is there more than 1 entry in $global:DefaultVIServers when you run the export?
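    As an added example (not code from the thread or from LucD's scripts), the two checks below catch this failure before anything is written to vCenter: the export is refused unless exactly one vCenter is connected, and the XML is scanned for EntityType values that Get-View will not accept and for doubled names such as "Datacenters Datacenters". `$global:DefaultVIServers` and `Get-View` are PowerCLI; the function names, the accepted-type list (taken from the error in reply 1) and the file path are assumptions.

```powershell
# Accepted -ViewType values as listed in the Get-View error message in reply 1
$acceptedViewTypes = @(
    'ClusterComputeResource','ComputeResource','Datacenter','Datastore',
    'DistributedVirtualPortgroup','DistributedVirtualSwitch','Folder','HostSystem',
    'Network','OpaqueNetwork','ResourcePool','StoragePod','VirtualApp',
    'VirtualMachine','VmwareDistributedVirtualSwitch'
)

function Assert-SingleVIServer {
    # With two sessions open, Get-View $perm.Entity returns an array, so GetType().Name
    # becomes "Object[]" and the Name values join into "Datacenters Datacenters".
    $count = @($global:DefaultVIServers).Count
    if ($count -ne 1) {
        throw "Expected exactly 1 connected vCenter, found $count. Disconnect all sessions and reconnect once before exporting."
    }
}

function Test-PermissionXml {
    # Returns a list of problems found in an exported vcenter.xml; empty means safe to import
    param([string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    $problems = @()
    foreach ($p in $xml.SelectNodes('Inventory/Permissions/Permission')) {
        if ($acceptedViewTypes -notcontains $p.EntityType) {
            $problems += "EntityType '$($p.EntityType)' for principal '$($p.Principal)' is not a valid Get-View -ViewType"
        }
        # "X X": the same name captured twice, the signature of a multi-connection export
        if ($p.Entity -match '^(\S+)\s+\1$') {
            $problems += "Entity '$($p.Entity)' looks like a doubled name from a multi-connection export"
        }
        if (-not $p.Role) {
            $problems += "Permission for principal '$($p.Principal)' has no Role"
        }
    }
    return $problems
}

function Get-EntityMatchCount {
    # The import filter must resolve to exactly one object; 0 or >1 matches would
    # leave the permission unset or hand it to the wrong object (e.g. two folders named "vm")
    param([string]$EntityType, [string]$EntityName)
    $escaped = [regex]::Escape($EntityName)
    return @(Get-View -ViewType $EntityType -Filter @{ 'Name' = "^$escaped$" }).Count
}

# Usage: run before the export, and again on the file before the import
Assert-SingleVIServer
$issues = Test-PermissionXml -Path 'C:\Support\Roles\vcenter.xml'   # assumed path
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; throw 'Fix the XML before importing permissions' }
```

`[regex]::Escape` covers the same metacharacters the import script escapes by hand (and any others), so a name like `Prod (DMZ)` resolves correctly.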



  • 9.  RE: Import vCenter Permissions via XML

    Posted Feb 13, 2019 10:00 PM

    Yes, that was it! In my testing, I more than likely did NOT kill my initial session prior to running the export. I started from scratch, and had a much better looking XML file to import from. Tested both export and import. Much thanks for your assistance LucD.

    Output from $vInventory now:

    Count Name                      Group
    ----- ----                      -----
        2 Datastore                 {Datastore, Datastore}
        2 ClusterComputeResource    {ClusterComputeResource, ClusterComputeResource}
        1 DistributedVirtualPort... {DistributedVirtualPortgroup}
       15 Folder                    {Folder, Folder, Folder, Folder...}
        1 VirtualMachine            {VirtualMachine}