jasonrobinson
Enthusiast

Script to export VC Roles/Permissions/Objects

I need a script to list out all of the VC Roles, the Users/Groups assigned to the role and the object the role is assigned to. I only want to list out the objects that have a role assigned to them. Also I would like to be able to export this info into a csv if possible. If anyone has a script already prepared that can do this it would be very helpful. I was looking for some sort of get-permission or get-vmpermission cmdlet to accomplish this but can't seem to find anything. Any help would be great.

Thanks

Jason

Jason @jrob24
LucD
Leadership

Did you have a look at ?

To export the results to a CSV you can change the last line like this

Get-Inventory | Get-Permissions | Export-Csv -Path "C:\permissions.csv" -UseCulture -NoTypeInformation


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

jasonrobinson
Enthusiast

Where did you find the Get-Permissions cmdlet? I don't have it listed as a known cmdlet. What is the -UseCulture syntax for? When I view the help for Export-CSV I don't see it available.

Had not seen that post, but it appears to be what I am looking for. One question, is there any way to run this against a specific datacenter or cluster, instead of the entire VC? Thanks for the help Luc.

Jason @jrob24
LucD
Leadership

Get-Permissions is a filter I wrote, see the script in .

I didn't repeat it in this thread.

The sample line I gave was only a new version of the last line of the script in to show how to export the result to a CSV file.

The -UseCulture parameter is new in PowerShell v2. Sorry, should have left this out.

I use it because it solves the problem we had in PS v1 with the separator.

By default the separator is a comma, but in our regional settings it is defined as a semicolon.

Without the -UseCulture parameter the Export-Csv cmdlet always uses a comma; with that parameter it takes the separator defined in the regional settings.

To your last question, yes, you can limit the scope of the Get-Inventory cmdlet with the -Location parameter.

If you, for example, only want a report for a specific datacenter, you can do

Get-Inventory -Location (Get-Datacenter <datacenter-name>) | Get-Permissions | Export-Csv -Path "C:\permissions.csv" -NoTypeInformation


jasonrobinson
Enthusiast

Thanks once again LucD, that worked just the way I needed it to.

Jason @jrob24
jasonrobinson
Enthusiast

One last thing, because our environment is rather large it takes this script around 30-40 mins to run. Is it possible to add a progress bar so that I know the script is still running and not in an infinite loop? Thanks for the help.

Jason @jrob24
LucD
Leadership

If you don't want any fancy graphical stuff, you can use PowerShell's Write-Progress cmdlet.

An example:

$VMs= Get-VM
Write-Progress -id 1 -percentComplete 0 -activity "Get status guests" -status "Started"
$i = 0
foreach($vm in $VMs){
  Get-VMGuest -VM $vm | Select-Object VmName, State
  $i++
  Write-Progress -id 1 -percentComplete ($i / $VMs.Count * 100) -activity "Get status guests" -status "Running"
}
Write-Progress -id 1 -completed -activity "Get status guests" -status "Completed"

Note that this is an example and doesn't constitute the fastest method for obtaining the status of all guests!


wingnut76
Contributor

LucD,

This script to dump the roles and permissions (VI-obj-role-princip-report.ps1) is very, very slow (hours to run) in my environment. Much like what has already been posted, is there a faster way to get this information? Basically something that would dump the same information shown on the Administration view / roles tab? Just dump the roles and what they are applied to?

I'm looking for something faster so I can include it into a general report that runs daily. I have successful logins, failed logins, new VMs and this is the final piece to add.

LucD
Leadership

After a quick run through the script I was able to bring the execution time down by +/- 65% (in my environment) with the following version.

# Emits one row per permission set directly on the incoming inventory object
filter Get-Permissions{
	$object = Get-View -Id $_.ID
	# Skip the hidden "vm" and "host" folders
	if($object.Name -ne "vm" -and $object.Name -ne "host"){
		$perms = $authMgr.RetrieveEntityPermissions($object.MoRef, $false)

		if($perms.Count -gt 0){
			# Resolve the path only for objects that actually carry permissions
			$path = get-path $object
			foreach($perm in $perms){
				foreach($role in $authMgr.RoleList){
					if($role.RoleId -eq $perm.RoleId){
						$row = "" | select roleName, objName, principalName
						$row.roleName = $role.Name
						$row.objName = $path
						$row.principalName = $perm.Principal
						$row
					}
				}
			}
		}
	}
}

function get-path($entity){
	$path = $entity.Name
	while($entity.Parent -ne $null){
		$entity = Get-View -Id $entity.Parent
		if($entity.Name -ne "vm" -and $entity.Name -ne "host"){
			$path = $entity.Name + "\" + $path
		}
	}
	return $path
}

$authMgr = Get-View AuthorizationManager

Get-Inventory | Get-Permissions

This new version only calls the Get-Path function for objects on which permissions have been set.

But it's still not lightning fast!

We could use a PowerShell profiler tool to tackle this kind of optimisation.


wingnut76
Contributor

Awesome! That works much better!

Thanks!

esarakaitis
Enthusiast

this one works too: http://www.vmwarescripting.com/index.php?topic=266.0


Function Get-Path($entity){
	$path = $entity.Name
	while($entity.Parent -ne $null){
		$entity = Get-View -Id $entity.Parent
		if($entity.Name -ne "vm" -and $entity.Name -ne "host"){
			$path = $entity.Name + "\" + $path
		}
	}
	$path
}

$si = Get-View ServiceInstance
$am = Get-View $si.Content.AuthorizationManager

$roleList = $am.RoleList

# Create the role map
$roleMap = @{}
# Add the roles to the map
foreach ($role in $roleList)
{
    $roleMap[$role.RoleId] = $role
}

$permissions = $am.RetrieveAllPermissions()
# Foreach permission
foreach ($permission in $permissions)
{
    $roleName = $roleMap[$permission.RoleId].Name
    $entityView = Get-View $permission.Entity
    $permission | Select-Object @{Name="Principal"; Expression={$permission.Principal}},
                                @{Name="RoleName"; Expression={$roleName}},
                                @{Name="Object"; Expression={Get-Path $entityView}}
}


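The pieces discussed in this thread combined into one script, as an added example that is not code from any of the posters: RetrieveAllPermissions with a role map, a cache so each container's path is fetched only once, Write-Progress, and a CSV export with -UseCulture. It assumes an existing Connect-VIServer session and a PowerCLI release whose Get-View accepts -Property; $OutFile, Get-AncestorPath and the IsGroup/Propagate columns are names chosen here.

```powershell
# Added example, not from the thread. Assumes PowerCLI is loaded and
# Connect-VIServer has been run; $OutFile is a hypothetical path.
$OutFile = "C:\permissions.csv"

$si = Get-View ServiceInstance
$am = Get-View $si.Content.AuthorizationManager

# RoleId -> role name, built once instead of looping RoleList per permission
$roleMap = @{}
foreach ($role in $am.RoleList) { $roleMap[$role.RoleId] = $role.Name }

# Ancestor paths are cached by MoRef so each container is fetched only once
$pathCache = @{}
function Get-AncestorPath($moRef) {
    $key = $moRef.Type + "-" + $moRef.Value
    if (-not $pathCache.ContainsKey($key)) {
        $view = Get-View -Id $moRef -Property Name, Parent
        # Hidden "vm" and "host" folders are left out of the path, as in the scripts above
        $hidden = ($view.Name -eq "vm" -or $view.Name -eq "host")
        if ($view.Parent -eq $null) { $path = $view.Name }
        elseif ($hidden) { $path = Get-AncestorPath $view.Parent }
        else { $path = (Get-AncestorPath $view.Parent) + "\" + $view.Name }
        $pathCache[$key] = $path
    }
    $pathCache[$key]
}

$permissions = @($am.RetrieveAllPermissions())
$i = 0
$report = foreach ($perm in $permissions) {
    $i++
    Write-Progress -Id 1 -Activity "Export permissions" -Status "$i of $($permissions.Count)" -PercentComplete ($i / $permissions.Count * 100)
    $entity = Get-View -Id $perm.Entity -Property Name, Parent
    if ($entity.Parent -eq $null) { $objPath = $entity.Name }
    else { $objPath = (Get-AncestorPath $entity.Parent) + "\" + $entity.Name }
    New-Object PSObject -Property @{
        RoleName  = $roleMap[$perm.RoleId]
        Object    = $objPath
        Principal = $perm.Principal
        IsGroup   = $perm.Group      # True when the principal is a group
        Propagate = $perm.Propagate  # True when the permission applies to child objects
    }
}
Write-Progress -Id 1 -Activity "Export permissions" -Status "Completed" -Completed

# -UseCulture writes the list separator from the regional settings (PowerShell v2+)
$report | Select-Object RoleName, Object, Principal, IsGroup, Propagate |
    Export-Csv -Path $OutFile -UseCulture -NoTypeInformation
```

A file written with -UseCulture has to be read back with the same separator, for example with Import-Csv -UseCulture on a machine that has the same regional settings.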
wingnut76
Contributor

Awesome! This one is even faster! Thanks!

Dave_Mac
Contributor

I really must be doing something wrong here, the ISE doesn't appear to like the characters "\" and the few scripts I've played about with that have this error with:

The String starting: ...... is missing the terminator: ".

Should anything be escaped in these scripts?

LucD
Leadership

Are you using the script from esarakaitis?

If yes, it's the forum SW that is messing with square brackets.

Follow the link in his post and get the script from there.

____________

Blog: LucD notes

Twitter: lucd22

