Dave_Mac
Contributor
Contributor

LucD script to import vCenter Roles / Permissions

Jump to solution

After some great help from LucD I'm able to use one of his scripts to export our vCenter roles and permission hierarchy. We're having some problems though trying to import that data back in.

We're going off the script at:

http://www.virtu-al.net/2009/06/14/vsphere-permissions-export-import-part-2/

However, we're getting two errors.

First:

Exception calling "SetEntityPermissions" with "2" argument(s): "The requested change cannot be completetd because it could leave the system without full administrative privileges for a user or a group."

At Importpermissions.ps1:52 char 43

+ $perms = $authMgr.SetEntityPermissions <<< ($object.MoRef,@($permission))

+CategoryInfo :NotSpecified: (Smiley Happy [], MethodInvocationException

+FullyQualifiedErrorId : DotNetMethodException

Second:

Set-Permission : cannot process argument transformation on parameter 'object'.

Cannot convert the "System.Object" to type "VMware.Vim.ManagedEntity".

At Importpermissions.ps1:95 char:19

+ Set-Permission <<< $entity $perm

+CategoryInfo :InvalidData: (Smiley Happy , ParameterBind in...mationException

+FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-Permission

Anyone any ideas?

0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership

This is the latest version of my "import" script.

Can you give a try ?

function New-Role
{
    param($name, $privIds)
    Begin{}
    Process{

        $roleId = $authMgr.AddAuthorizationRole($name,$privIds)
    }
    End{
        return $roleId
    }
}
function Set-Permission
{
param(
[http://VMware.Vim.ManagedEntity|http://VMware.Vim.ManagedEntity]$object,
[http://VMware.Vim.Permission|http://VMware.Vim.Permission]$permission
)
Begin{}
Process{
    $perms = $authMgr.SetEntityPermissions($object.MoRef,@($permission))
}
End{
    return
}
}

# Create hash table with the current roles
$authMgr = Get-View AuthorizationManager
$roleHash = @{}
$authMgr.RoleList | % {
    $roleHash[http://$_.Name|http://$_.Name] = $_.RoleId
}
# Read XML file
$XMLfile = “C:\vInventory.xml”
$vInventory = [xml]"<dummy/>"
$vInventory.Load($XMLfile)
# Define Xpaths for the roles and the permissions
$XpathRoles = “Inventory/Roles/Role”
$XpathPermissions = “Inventory/Permissions/Permission”
# Create custom roles
$vInventory.SelectNodes($XpathRoles) | % {
    if(-not $roleHash.ContainsKey($_.Name)){
        $privArray = @()
        $_.Privilege | % {
            $privArray += $_.Name
        }
        $roleHash[http://$_.Name|http://$_.Name] = (New-Role $_.Name $privArray)
    }
}
# Set permissions
$vInventory.SelectNodes($XpathPermissions) | % {
    $perm = New-Object VMware.Vim.Permission
    $perm.group = &{if ($_.Group -eq “true”) {$true} else {$false}}
    $perm.principal = $_.Principal
    $perm.propagate = &{if($_.Propagate -eq “true”) {$true} else {$false}}
    $perm.roleId = $roleHash[http://$_.Role|http://$_.Role]

    $EntityName = $_.Entity.Replace(“(“,“\(“).Replace(“)”,“\)”)
    $EntityName = $EntityName.Replace(“[","\[").Replace("]“,“\]”)
    $EntityName = $EntityName.Replace(“{“,“\{“).Replace(“}”,“\}”)

    $entity = Get-View -ViewType $_.EntityType -Filter @{“Name”=("^" + $EntityName + "$")}
    Set-Permission $entity $perm
}

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
11 Replies
LucD
Leadership
Leadership

This is the latest version of my "import" script.

Can you give a try ?

function New-Role
{
    param($name, $privIds)
    Begin{}
    Process{

        $roleId = $authMgr.AddAuthorizationRole($name,$privIds)
    }
    End{
        return $roleId
    }
}
function Set-Permission
{
param(
[http://VMware.Vim.ManagedEntity|http://VMware.Vim.ManagedEntity]$object,
[http://VMware.Vim.Permission|http://VMware.Vim.Permission]$permission
)
Begin{}
Process{
    $perms = $authMgr.SetEntityPermissions($object.MoRef,@($permission))
}
End{
    return
}
}

# Create hash table with the current roles
$authMgr = Get-View AuthorizationManager
$roleHash = @{}
$authMgr.RoleList | % {
    $roleHash[http://$_.Name|http://$_.Name] = $_.RoleId
}
# Read XML file
$XMLfile = “C:\vInventory.xml”
$vInventory = [xml]"<dummy/>"
$vInventory.Load($XMLfile)
# Define Xpaths for the roles and the permissions
$XpathRoles = “Inventory/Roles/Role”
$XpathPermissions = “Inventory/Permissions/Permission”
# Create custom roles
$vInventory.SelectNodes($XpathRoles) | % {
    if(-not $roleHash.ContainsKey($_.Name)){
        $privArray = @()
        $_.Privilege | % {
            $privArray += $_.Name
        }
        $roleHash[http://$_.Name|http://$_.Name] = (New-Role $_.Name $privArray)
    }
}
# Set permissions
$vInventory.SelectNodes($XpathPermissions) | % {
    $perm = New-Object VMware.Vim.Permission
    $perm.group = &{if ($_.Group -eq “true”) {$true} else {$false}}
    $perm.principal = $_.Principal
    $perm.propagate = &{if($_.Propagate -eq “true”) {$true} else {$false}}
    $perm.roleId = $roleHash[http://$_.Role|http://$_.Role]

    $EntityName = $_.Entity.Replace(“(“,“\(“).Replace(“)”,“\)”)
    $EntityName = $EntityName.Replace(“[","\[").Replace("]“,“\]”)
    $EntityName = $EntityName.Replace(“{“,“\{“).Replace(“}”,“\}”)

    $entity = Get-View -ViewType $_.EntityType -Filter @{“Name”=("^" + $EntityName + "$")}
    Set-Permission $entity $perm
}

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Dave_Mac
Contributor
Contributor

Cheers dude, I'll give that a try.

0 Kudos
vrm
Contributor
Contributor

Great script!!!

0 Kudos
DSeaman
Enthusiast
Enthusiast

These are great scripts, but when I run the import script I get the following error. The roles are imported though. Ideas?

--

Set-Permission : Cannot process argument transformation on parameter 'object'.

Cannot convert the "System.Object" to type "V

Mware.Vim.ManagedEntity".

At D:\import-xml-roles-permissions.ps1:64 char:19

+ Set-Permission <<<< $entity $perm

+ CategoryInfo : InvalidData: (Smiley Happy , ParameterBindin...mationException

+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-Permission

Derek Seaman
0 Kudos
vrm
Contributor
Contributor

-

0 Kudos
LucD
Leadership
Leadership

Did you use the attached script or did you copy it from your browser ?

The forum SW has problems with square brackets, that's why I attached the script.

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
DSeaman
Enthusiast
Enthusiast

I used the attached script.

Derek Seaman
0 Kudos
LucD
Leadership
Leadership

Do you know which "entity" the script was handling at the time of the error ?

Could you perhaps include part of the .xlm file ? The part where the faulty entity seems to be.

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
qwert1235
Enthusiast
Enthusiast

Luc,

Great script! Thanks a lot!

I am going to export roles/permissions from one VC by using your script from http://communities.vmware.com/thread/268411?tstart=0 and import to another by using this import script.

Everything is working great, but during the import I am getting errors like this:

Exception calling "SetEntityPermissions" with "2" argument(s): "entity"

At line:10 char:43

+ $perms = $authMgr.SetEntityPermissions <<<< ($object.MoRef,@($permission))

+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException

+ FullyQualifiedErrorId : DotNetMethodException

I think it's because not all of the objects from first VC (where I grabbed roles/permissions) exist on second VC.

How can I modify the script so it will check if the object is exist before apllying permissions to it?

Thanks a lot!

Update: never mind, I figure it out myself 🙂  

All I had to do is update last line of your script to:

if

($entity -ne $null) {Set-Permission $entity $perm}

Thanks again for such a great scripts!

0 Kudos
jkb5054
Contributor
Contributor

Hi all,

Great work LucD!

I am attempting to import from 4.1 to 5.0. I seem to be getting alot of two different errors:

Exception calling "AddAuthorizationRole" with "2" argument(s): "A specified par
ameter was not correct.
privIds"
At C:\Users\aa630d\Desktop\Scripts\ImportPermissions.ps1:9 char:48
+         $roleId = $authMgr.AddAuthorizationRole <<<< ($name,$privIds)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

AND

Exception calling "SetEntityPermissions" with "2" argument(s): "The object or i
tem referred to could not be found."
At C:\Users\aa630d\Desktop\Scripts\ImportPermissions.ps1:23 char:43
+     $perms = $authMgr.SetEntityPermissions <<<< ($object.MoRef,@($permission)
)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Any Ideas?

Has anyone successfully ported to 5.0 yet?

0 Kudos
Locoride
Contributor
Contributor

So I know this is an old post but thought it would probably be worth mentioning and maybe help some people.  The Export script worked great but every time I ran the import script I would get similar errors to what was reported by others. 

'object'. Cannot convert the "System.Object" to type "VMware.Vim.ManagedEntity".


I found with our vCenter we had multiple folders with same names under different locations (VM & Temp, Datastore and Hosts).  Because of this I kept seeing this error.  I found by changing the last line.

Set-Permission $entity $perm

to

foreach ($folder in $entity) { set-permission $folder $perm}

This fixed my problems.  Keep in mind it can create problems for you if you have different roles configured for the same folder in different locations.  For what I was doing it worked out great and I was able to import everything.

0 Kudos