After some great help from LucD I'm able to use one of his scripts to export our vCenter roles and permission hierarchy. We're having some problems though trying to import that data back in.
We're going off the script at:
http://www.virtu-al.net/2009/06/14/vsphere-permissions-export-import-part-2/
However, we're getting two errors.
First:
Exception calling "SetEntityPermissions" with "2" argument(s): "The requested change cannot be completed because it could leave the system without full administrative privileges for a user or a group."
At Importpermissions.ps1:52 char 43
+ $perms = $authMgr.SetEntityPermissions <<< ($object.MoRef,@($permission))
+CategoryInfo :NotSpecified: ( [], MethodInvocationException
+FullyQualifiedErrorId : DotNetMethodException
Second:
Set-Permission : cannot process argument transformation on parameter 'object'.
Cannot convert the "System.Object" to type "VMware.Vim.ManagedEntity".
At Importpermissions.ps1:95 char:19
+ Set-Permission <<< $entity $perm
+CategoryInfo :InvalidData: ( , ParameterBind in...mationException
+FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-Permission
Anyone any ideas?
This is the latest version of my "import" script.
Can you give it a try?

    function New-Role {
        param($name, $privIds)
        Begin{}
        Process{
            $roleId = $authMgr.AddAuthorizationRole($name,$privIds)
        }
        End{
            return $roleId
        }
    }

    function Set-Permission {
        param(
            [VMware.Vim.ManagedEntity]$object,
            [VMware.Vim.Permission]$permission
        )
        Begin{}
        Process{
            $perms = $authMgr.SetEntityPermissions($object.MoRef,@($permission))
        }
        End{
            return
        }
    }

    # Create hash table with the current roles
    $authMgr = Get-View AuthorizationManager
    $roleHash = @{}
    $authMgr.RoleList | % {
        $roleHash[$_.Name] = $_.RoleId
    }

    # Read XML file
    $XMLfile = "C:\vInventory.xml"
    $vInventory = [xml]"<dummy/>"
    $vInventory.Load($XMLfile)

    # Define Xpaths for the roles and the permissions
    $XpathRoles = "Inventory/Roles/Role"
    $XpathPermissions = "Inventory/Permissions/Permission"

    # Create custom roles
    $vInventory.SelectNodes($XpathRoles) | % {
        if(-not $roleHash.ContainsKey($_.Name)){
            $privArray = @()
            $_.Privilege | % {
                $privArray += $_.Name
            }
            $roleHash[$_.Name] = (New-Role $_.Name $privArray)
        }
    }

    # Set permissions
    $vInventory.SelectNodes($XpathPermissions) | % {
        $perm = New-Object VMware.Vim.Permission
        $perm.group = &{if ($_.Group -eq "true") {$true} else {$false}}
        $perm.principal = $_.Principal
        $perm.propagate = &{if($_.Propagate -eq "true") {$true} else {$false}}
        $perm.roleId = $roleHash[$_.Role]

        # Escape brackets in the entity name; the Get-View filter value is a regular expression
        $EntityName = $_.Entity.Replace("(","\(").Replace(")","\)")
        $EntityName = $EntityName.Replace("[","\[").Replace("]","\]")
        $EntityName = $EntityName.Replace("{","\{").Replace("}","\}")

        $entity = Get-View -ViewType $_.EntityType -Filter @{"Name"=("^" + $EntityName + "$")}
        Set-Permission $entity $perm
    }
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Cheers dude, I'll give that a try.
Great script!!!
These are great scripts, but when I run the import script I get the following error. The roles are imported though. Ideas?
--
Set-Permission : Cannot process argument transformation on parameter 'object'.
Cannot convert the "System.Object" to type "VMware.Vim.ManagedEntity".
At D:\import-xml-roles-permissions.ps1:64 char:19
+ Set-Permission <<<< $entity $perm
+ CategoryInfo : InvalidData: ( , ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-Permission
-
Did you use the attached script or did you copy it from your browser ?
The forum SW has problems with square brackets, that's why I attached the script.
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I used the attached script.
Do you know which "entity" the script was handling at the time of the error ?
Could you perhaps include part of the .xml file? The part where the faulty entity seems to be.
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Luc,
Great script! Thanks a lot!
I am going to export roles/permissions from one VC by using your script from http://communities.vmware.com/thread/268411?tstart=0 and import to another by using this import script.
Everything is working great, but during the import I am getting errors like this:
Exception calling "SetEntityPermissions" with "2" argument(s): "entity"
At line:10 char:43
+ $perms = $authMgr.SetEntityPermissions <<<< ($object.MoRef,@($permission))
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
I think it's because not all of the objects from first VC (where I grabbed roles/permissions) exist on second VC.
How can I modify the script so it will check if the object exists before applying permissions to it?
Thanks a lot!
Update: never mind, I figured it out myself 🙂
All I had to do is update the last line of your script to:
if ($entity -ne $null) {Set-Permission $entity $perm}
Thanks again for such great scripts!
Hi all,
Great work LucD!
I am attempting to import from 4.1 to 5.0. I seem to be getting a lot of two different errors:
Exception calling "AddAuthorizationRole" with "2" argument(s): "A specified parameter was not correct.
privIds"
At C:\Users\aa630d\Desktop\Scripts\ImportPermissions.ps1:9 char:48
+ $roleId = $authMgr.AddAuthorizationRole <<<< ($name,$privIds)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
AND
Exception calling "SetEntityPermissions" with "2" argument(s): "The object or item referred to could not be found."
At C:\Users\aa630d\Desktop\Scripts\ImportPermissions.ps1:23 char:43
+ $perms = $authMgr.SetEntityPermissions <<<< ($object.MoRef,@($permission))
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Any Ideas?
Has anyone successfully ported to 5.0 yet?
So I know this is an old post but thought it would probably be worth mentioning and maybe help some people. The Export script worked great but every time I ran the import script I would get similar errors to what was reported by others.
'object'. Cannot convert the "System.Object" to type "VMware.Vim.ManagedEntity".
I found with our vCenter we had multiple folders with same names under different locations (VM & Temp, Datastore and Hosts). Because of this I kept seeing this error. I found by changing the last line.
Set-Permission $entity $perm
to
foreach ($folder in $entity) { set-permission $folder $perm}
This fixed my problems. Keep in mind it can create problems for you if you have different roles configured for the same folder in different locations. For what I was doing it worked out great and I was able to import everything.
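The two workarounds posted in this thread (skip when `$entity` is null, loop when it holds several objects) can be combined into one check that applies a permission only on an unambiguous match and reports the rest, so a role is not granted on every same-named folder. This is an added example, not LucD's script or any poster's code; `Resolve-ImportTarget` and the sample lookup results are hypothetical and constructed so the block runs without a vCenter connection.

```powershell
# Added example: classify the result of the import script's Get-View lookup
# before any permission is written. Resolve-ImportTarget is a hypothetical helper.
function Resolve-ImportTarget {
    param(
        [string]$EntityName,
        [string]$EntityType,
        [object[]]$Found      # whatever Get-View returned: $null, one view, or several
    )
    # Normalise to an array and drop nulls so Count is reliable
    $Found = @($Found | Where-Object { $null -ne $_ })

    $action = switch ($Found.Count) {
        0       { 'Skip' }     # entity does not exist on the target vCenter
        1       { 'Apply' }    # exactly one object carries this name
        default { 'Review' }   # same name in several locations: do not guess
    }

    $targets = @()
    if ($action -eq 'Apply') { $targets = $Found }

    [pscustomobject]@{
        Entity  = $EntityName
        Type    = $EntityType
        Matches = $Found.Count
        Action  = $action
        Targets = $targets
    }
}

# Constructed stand-ins for Get-View results (names and MoRef values are made up)
$samples = @(
    @{ Name = 'Prod';    Type = 'Folder';     Found = @([pscustomobject]@{ MoRef = 'Folder-sample-1' }) },
    @{ Name = 'Temp';    Type = 'Folder';     Found = @([pscustomobject]@{ MoRef = 'Folder-sample-2' },
                                                        [pscustomobject]@{ MoRef = 'Folder-sample-3' }) },
    @{ Name = 'OldHost'; Type = 'HostSystem'; Found = $null }
)

$report = foreach ($s in $samples) { Resolve-ImportTarget $s.Name $s.Type $s.Found }
$report | Format-Table Entity, Type, Matches, Action -AutoSize

# In the import script, the last line of the permissions loop would become:
#   $r = Resolve-ImportTarget $_.Entity $_.EntityType $entity
#   if ($r.Action -eq 'Apply') { Set-Permission $r.Targets[0] $perm }
#   else { Write-Warning "$($r.Action): $($r.Entity) ($($r.Matches) matches)" }
```

Entities reported as `Review` are the same-named folders described above; assigning their permissions by hand keeps a role intended for one location from being granted on the others.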