Is it possible to do Get-VM and power functions with a user that has a limited-privilege role with access at a VM & Templates folder only? I seem to be able to get it working only if there's at least read-only with propagate rights at the Root or Datacenter object level.
I have a role, named Minimal, that can only start/stop VMs.
It has the following privileges (the first 3 are added by default).
Once the role is created, you can add a permission to the user on the root folder, aka Datacenters.
New-VIRole -Name Minimal -Privilege 'Power on','Power off'
New-VIPermission -Entity (Get-Folder -Name Datacenters) -Principal 'domain\user' -Role Minimal
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Luc,
Thanks for the reply. Sorry I may have been unclear. I'm trying to avoid giving permissions to the root or the datacenter objects. I'm attempting to just give permission to a specific folder in VMs & Templates view.
Then you would need to change the Entity parameter with the folder(s) to which you want to restrict the user.
I'm not sure I follow. Change the Entity parameter?
Oh, the Entity parameter during the Get-VM. Okay, I'm with you now. Let me give that a shot.
You give the permission, with the minimal role, on the folder to which you want to restrict the user.
Something like this
$folder = Get-Folder -Name 'MyFolder'
New-VIPermission -Entity $folder -Principal 'domain\user' -Role Minimal
Hehe okay, this is on me for describing it poorly. I'm not looking for how to use PowerShell to create a role/permission at a folder. I already have the minimal permission set on the folder. What I'm trying to do, when the minimal permission is only at the VM & Templates view folder level, is use PowerShell to run a Get-VM to power manage it. But it's not working when the permission is only at the VM folder level.
Strange, that seems to be working for me.
I set the permission, with the minimal role, on a VM and Templates folder, named MyFolder.
The user can only do a Get-VM for VMs in that specific folder, and he can start/stop those VMs.
Could be that I'm completely misunderstanding your question.
Perhaps a picture with annotation would help 🙂
LOL Pictures usually do. But alas, I just figured it out.
When I only apply the minimal role at the VM folder, doing a 'Get-VM <vmname>' returns nothing. However, if I simply do a 'Get-Datacenter | Get-VM <vmname>' it works. Not sure why that is, but I'll take it.
That shouldn't be required, unless you have multiple folders with the same name.
Ah, that could be it then. Multiple external PSCs (single SSO domain), multiple connected vCenters, and multiple duplicate folder names. This is for a custom Citrix VM power management role and we have many "Citrix" folders throughout the environment.
Then Folder By Path might come in handy 😀
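An added example (not code from any poster in this thread) of the setup the thread converges on: a power-only role granted on one VM & Templates folder, with the folder resolved by its path so that same-named "Citrix" folders elsewhere cannot match, followed by a check that the principal holds no permission outside that folder. The server name, datacenter name, folder path and principal are assumed placeholders.

```powershell
# Assumed placeholders, not values from the thread.
$server    = 'vc01.example.local'
$dcName    = 'DC1'
$path      = 'Citrix/Prod'        # path below the datacenter's VM root folder
$principal = 'domain\user'

Connect-VIServer -Server $server | Out-Null

# Build the role from privilege IDs rather than display names: IDs are unique,
# while a display name can exist for more than one object type.
$privIds = 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff'
if (-not (Get-VIRole -Name Minimal -Server $server -ErrorAction SilentlyContinue)) {
    $privs = Get-VIPrivilege -Id $privIds -Server $server
    New-VIRole -Name Minimal -Privilege $privs -Server $server | Out-Null
}

# Start at the datacenter's own VM root folder, then walk one level at a time.
# -NoRecursion keeps each lookup to direct children, so a duplicate folder
# name deeper in the tree or in another datacenter is never picked up.
$dc     = Get-Datacenter -Name $dcName -Server $server
$folder = Get-VIObjectByVIView -MORef $dc.ExtensionData.VmFolder
foreach ($segment in $path.Split('/')) {
    $next = @(Get-Folder -Name $segment -Location $folder -Type VM -NoRecursion `
                         -ErrorAction SilentlyContinue)
    if ($next.Count -ne 1) {
        throw "Expected one folder '$segment' under '$($folder.Name)', found $($next.Count)"
    }
    $folder = $next[0]
}

New-VIPermission -Entity $folder -Principal $principal -Role Minimal -Propagate:$true | Out-Null

# Audit: list every permission the principal holds and mark anything that is
# not on the intended folder (for example a leftover grant on the root).
Get-VIPermission -Principal $principal -Server $server | ForEach-Object {
    [pscustomobject]@{
        Entity    = $_.Entity.Name
        Role      = $_.Role
        Propagate = $_.Propagate
        InScope   = ($_.EntityId -eq $folder.Id)
    }
}

# Scoped lookup that does not depend on the folder name being unique.
Get-VM -Location $folder -Server $server
```

Any row with `InScope` set to `False` is a grant outside the folder and should be reviewed before the account is handed to the power management service.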