I need a script to list out all of the VC Roles, the Users/Groups assigned to the role and the object the role is assigned to. I only want to list out the objects that have a role assigned to them. Also I would like to be able to export this info into a CSV if possible. If anyone has a script already prepared that can do this it would be very helpful. I was looking for some sort of get-permission or get-vmpermission cmdlet to accomplish this but can't seem to find anything. Any help would be great.
Thanks
Jason
Did you have a look at ?
To export the results to a CSV you can change the last line like this
Get-Inventory | Get-Permissions | Export-Csv -Path "C:\permissions.csv" -UseCulture -NoTypeInformation
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Where did you find the Get-Permissions cmdlet? I don't have it listed as a known cmdlet. What is the -UseCulture syntax for? When I view the help for Export-CSV I don't see it available.
Had not seen that post, but it appears to be what I am looking for. One question, is there any way to run this against a specific datacenter or cluster, instead of the entire VC? Thanks for the help Luc.
Get-Permissions is a filter I wrote, see the script in .
I didn't repeat it in this thread.
The sample line I gave was only a new version of the last line of the script in to show how to export the result to a CSV file.
The -UseCulture parameter is new in PowerShell v2. Sorry, I should have left this out.
I use it because it solves the problem we had in PS v1 with the separator.
By default the separator is a comma, but in our regional settings it is defined as a semicolon.
Without the -UseCulture parameter the Export-Csv cmdlet always uses a comma; with that parameter it takes the separator defined in the regional settings.
To your last question, yes, you can limit the scope of the Get-Inventory cmdlet with the -Location parameter.
If you, for example, only want a report for a specific datacenter, you can do
Get-Inventory -Location (Get-Datacenter <datacenter-name>) | Get-Permissions | Export-Csv -Path "C:\permissions.csv" -NoTypeInformation
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks once again LucD, that worked just the way I needed it to.
One last thing, because our environment is rather large it takes this script around 30-40 mins to run. Is it possible to add a progress bar so that I know the script is still running and not in an infinite loop? Thanks for the help.
If you don't want any fancy graphical stuff, you can use PowerShell's Write-Progress cmdlet.
An example:

    # @() keeps .Count valid when only a single VM is returned
    $VMs = @(Get-VM)
    Write-Progress -id 1 -percentComplete 0 -activity "Get status guests" -status "Started"
    $i = 0
    foreach($vm in $VMs){
        Get-VMGuest -VM $vm | Select-Object VmName, State
        $i++
        # Update the bar after each guest
        Write-Progress -id 1 -percentComplete ($i / $VMs.Count * 100) -activity "Get status guests" -status "Running"
    }
    Write-Progress -id 1 -completed -activity "Get status guests" -status "Completed"

Note that this is an example and doesn't constitute the fastest method for obtaining the status of all guests!
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
LucD,
This script to dump the roles and permissions (VI-obj-role-princip-report.ps1) is very, very slow (hours to run) in my environment. Much like what has already been posted, is there a faster way to get this information? Basically something that would dump the same information shown on the Administration view / roles tab? Just dump the roles and what they are applied to?
I'm looking for something faster so I can include it into a general report that runs daily. I have successful logins, failed logins, new VMs and this is the final piece to add.
After a quick run through the script I was able to bring the execution time down by +/- 65% (in my environment) with the following version.

    # Emits one row (role, object path, principal) per permission set on the piped inventory object
    filter Get-Permissions{
        $object = Get-View -Id $_.ID
        # Skip the hidden "vm" and "host" folders
        if($object.Name -ne "vm" -and $object.Name -ne "host"){
            # $false: only permissions defined on this entity, not inherited ones
            $perms = $authMgr.RetrieveEntityPermissions($object.MoRef, $false)
            if($perms.Count -gt 0){
                # The path is only resolved for objects that carry permissions
                $path = get-path $object
                foreach($perm in $perms){
                    foreach($role in $authMgr.RoleList){
                        if($role.RoleId -eq $perm.RoleId){
                            $row = "" | select roleName, objName, principalName
                            $row.roleName = $role.Name
                            $row.objName = $path
                            $row.principalName = $perm.Principal
                            $row
                        }
                    }
                }
            }
        }
    }

    # Walks up the Parent chain to build the inventory path of an entity
    function get-path($entity){
        $path = $entity.Name
        while($entity.Parent -ne $null){
            $entity = Get-View -Id $entity.Parent
            if($entity.Name -ne "vm" -and $entity.Name -ne "host"){
                $path = $entity.Name + "\" + $path
            }
        }
        return $path
    }

    $authMgr = Get-View AuthorizationManager
    Get-Inventory | Get-Permissions

This new version only calls the Get-Path function for objects on which permissions have been set.
But it's still not lightning fast!
We could use a PowerShell profiler tool to tackle this kind of optimisation.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Awesome! That works much better!
Thanks!
This one works too: http://www.vmwarescripting.com/index.php?topic=266.0

    # Walks up the Parent chain to build the inventory path of an entity
    Function Get-Path($entity){
        $path = $entity.Name
        while($entity.Parent -ne $null){
            $entity = Get-View -Id $entity.Parent
            if($entity.Name -ne "vm" -and $entity.Name -ne "host"){
                $path = $entity.Name + "\" + $path
            }
        }
        $path
    }

    $si = Get-View ServiceInstance
    $am = Get-View $si.Content.AuthorizationManager
    $roleList = $am.RoleList

    # Create the role map
    $roleMap = @{}
    # Add the roles to the map
    foreach ($role in $roleList) {
        $roleMap[$role.RoleId] = $role
    }

    # One call returns every permission defined in the vCenter
    $permissions = $am.RetrieveAllPermissions()
    # Foreach permission
    foreach ($permission in $permissions) {
        $roleName = $roleMap[$permission.RoleId].Name
        $entityView = Get-View $permission.Entity
        $permission | Select-Object @{Name="Principal"; Expression={$permission.Principal}},
            @{Name="RoleName"; Expression={$roleName}},
            @{Name="Object"; Expression={Get-Path $entityView}}
    }

Awesome! This one is even faster! Thanks!
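An added example, not code from any poster in this thread: the RetrieveAllPermissions approach above with a per-node cache, so each inventory object on a path is fetched once, combined with the progress bar and CSV export asked for earlier. Get-PermissionReport, its -ResolveEntity hook, and the sample inventory, principals and role ids are constructed for illustration; against a live vCenter the inputs would come from the calls already shown in the posts above.

```powershell
# Added example, not from the thread. Function name and -ResolveEntity hook are hypothetical.
function Get-PermissionReport {
    param(
        [object[]]$Permissions,      # objects with Entity, Principal, Group, RoleId, Propagate
        [object[]]$Roles,            # objects with RoleId, Name
        [scriptblock]$ResolveEntity  # entity id -> object with Name and Parent
    )
    $roleMap = @{}
    foreach ($r in $Roles) { $roleMap[$r.RoleId] = $r.Name }
    $nodes = @{}   # cache: each inventory node is resolved once, even when many paths share it
    # String key for a MoRef (Type/Value) or for the plain string ids of the sample data
    $keyOf = { param($id) if ($id.Value) { "$($id.Type)-$($id.Value)" } else { "$id" } }
    $i = 0
    foreach ($p in $Permissions) {
        $i++
        Write-Progress -Id 1 -Activity 'Permission report' -Status "$i of $($Permissions.Count)" `
            -PercentComplete ($i / $Permissions.Count * 100)
        $names = @()
        $id = $p.Entity
        while ($null -ne $id) {
            $k = & $keyOf $id
            if (-not $nodes.ContainsKey($k)) { $nodes[$k] = & $ResolveEntity $id }
            $n = $nodes[$k]
            # Hidden "vm" and "host" folders are left out of the path, as in the thread's scripts
            if ($n.Name -ne 'vm' -and $n.Name -ne 'host') { $names = @($n.Name) + $names }
            $id = $n.Parent
        }
        [pscustomobject]@{
            RoleName = $roleMap[$p.RoleId]; Object = $names -join '\'
            Principal = $p.Principal; IsGroup = $p.Group; Propagate = $p.Propagate
        }
    }
    Write-Progress -Id 1 -Activity 'Permission report' -Completed
}

# Constructed sample data so the function runs without a vCenter connection.
$inv = @{
    'Folder-group-d1'     = [pscustomobject]@{ Name = 'Datacenters'; Parent = $null }
    'Datacenter-dc1'      = [pscustomobject]@{ Name = 'DC-Lab'; Parent = 'Folder-group-d1' }
    'Folder-group-v1'     = [pscustomobject]@{ Name = 'vm'; Parent = 'Datacenter-dc1' }
    'VirtualMachine-vm10' = [pscustomobject]@{ Name = 'web01'; Parent = 'Folder-group-v1' }
}
$roles = [pscustomobject]@{ RoleId = 1; Name = 'Admin' }, [pscustomobject]@{ RoleId = 2; Name = 'ReadOnly' }
$perms = @(
    [pscustomobject]@{ Entity = 'Folder-group-d1'; Principal = 'LAB\vc-admins'; Group = $true; RoleId = 1; Propagate = $true }
    [pscustomobject]@{ Entity = 'VirtualMachine-vm10'; Principal = 'LAB\alice'; Group = $false; RoleId = 2; Propagate = $false }
)
# Live use would pass $am.RetrieveAllPermissions(), $am.RoleList and { param($id) Get-View -Id $id }.
Get-PermissionReport -Permissions $perms -Roles $roles -ResolveEntity { param($id) $inv[$id] } |
    Export-Csv -Path .\permissions.csv -NoTypeInformation
```

The IsGroup and Propagate columns make it easy to spot roles granted to individual accounts instead of groups, and grants that flow down to every child object.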
I really must be doing something wrong here, the ISE doesn't appear to like the characters "\" and the few scripts I've played about with that have this error with:
The String starting: ...... is missing the terminator: ".
Should anything be escaped in these scripts?
Are you using the script from esarakaitis?
If yes, it's the forum SW that is messing with square brackets.
Follow the link in his post and get the script from there.
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference