I could use the below script to add permissions at the Datacenter object level; however, the backup service account doesn't work well at that level. It needs permissions to be set at the level above the Datacenter object (that's the vCenter level). Can you please advise what changes are required to this script?
Or are Global Permissions the best way to assign such a permission?
# Build a reference to the ServiceInstance, the root of the vSphere API
$svcRef = New-Object VMware.Vim.ManagedObjectReference
$svcRef.Type = "ServiceInstance"
$svcRef.Value = "ServiceInstance"
$serviceInstance = Get-View $svcRef
$principal = "domain\backupaccount"
# The Datacenter object(s) the permission is assigned on
$Entity = Get-Datacenter | Get-View
$authmgr = Get-View $serviceInstance.Content.AuthorizationManager
$permission = New-Object VMware.Vim.Permission
$permission.Principal = $principal
$permission.Group = $false        # principal is a user, not a group
$permission.Propagate = $true     # inherit to all child objects
$permission.RoleId = ($authmgr.RoleList | Where-Object {$_.Name -eq "CustomeRole123"}).RoleId
$authmgr.SetEntityPermissions($Entity.MoRef, $permission)
Regards.
Try setting it at the rootfolder.
# Same ServiceInstance and AuthorizationManager as in your script
$serviceInstance = Get-View ServiceInstance
$principal = "domain\backupaccount"
$authmgr = Get-View $serviceInstance.Content.AuthorizationManager
$permission = New-Object VMware.Vim.Permission
$permission.Principal = $principal
$permission.Group = $false
$permission.Propagate = $true     # propagate down to every Datacenter below the root
$permission.RoleId = ($authmgr.RoleList | Where-Object {$_.Name -eq "CustomeRole123"}).RoleId
# The root folder is the inventory node above the Datacenter objects
$authmgr.SetEntityPermissions($serviceInstance.Content.RootFolder, $permission)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
That helps, however I'm getting the below error on some of the vCenters:
Exception setting "RoleId": "Cannot convert the "System.Object[]" value of type "System.Object[]" to type "System.Int32"."
When I verify whether the role exists with the right name, the output of the below command shows multiple roles with the same name, whereas I don't see these duplicate role names when using the web client.
(FYI, I'm connected/authenticated to only one vCenter at a time.)
# To verify that the role name is correct (-like is needed for the wildcard; -match treats "Corp*" as a regex)
(Get-VIPermission).Role -like "Corp*"
Please let me know your thoughts.
One way or the other, multiple RoleIds are returned, which makes the method fail since it expects a single value, not an array.
Can you check what this returns?
$authMgr.RoleList | Select-Object Name, RoleId
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Sorry, it looks like I was authenticated to more than one vCenter somehow, even though I ran the disconnect command after executing the script for each vCenter.
After closing the active sessions and connecting to the specific vCenter, the script is working fine. No duplicate roles.
Thanks.
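The two points raised in this thread (assigning the role at the root folder rather than the Datacenter, and the RoleId array error caused by being connected to several vCenters at once) can be folded into one script. The following is an added example written for this page, not code from the thread or from LucD; the vCenter hostname, the service account and the role name are placeholders (the role name is the one used in the thread and must already exist), and it assumes PowerCLI is loaded.

```powershell
# Added example (not from the thread): assign an existing custom role to a backup
# service account at the vCenter root folder, with guards for the two failure
# modes discussed above: multiple active vCenter sessions (which turn the RoleId
# lookup into an array) and a role name that matches zero or several roles.
param(
    [string]$VIServer  = 'vcenter01.corp.example',   # placeholder
    [string]$Principal = 'domain\backupaccount',     # placeholder
    [string]$RoleName  = 'CustomeRole123'            # placeholder; role must already exist
)

# Start from a clean state: with several connections open, RoleList is merged
# from all servers and ($authMgr.RoleList | where ...).RoleId becomes an array,
# which SetEntityPermissions rejects with the "System.Object[]" conversion error.
if ($global:DefaultVIServers.Count -gt 0) {
    Disconnect-VIServer -Server * -Confirm:$false
}
$vc = Connect-VIServer -Server $VIServer

$si      = Get-View ServiceInstance -Server $vc
$authMgr = Get-View $si.Content.AuthorizationManager -Server $vc

# Resolve exactly one role; refuse to continue on zero or several matches
$roles = @($authMgr.RoleList | Where-Object { $_.Name -eq $RoleName })
if ($roles.Count -ne 1) {
    throw "Expected exactly one role named '$RoleName' on $VIServer, found $($roles.Count)."
}
$roleId = [int]$roles[0].RoleId

$perm = New-Object VMware.Vim.Permission
$perm.Principal = $Principal
$perm.Group     = $false       # a user account, not a group
$perm.Propagate = $true        # inherit down to every Datacenter and below
$perm.RoleId    = $roleId

# The root folder is the inventory node above the Datacenter objects,
# i.e. the "vCenter" level the backup account needs
$authMgr.SetEntityPermissions($si.Content.RootFolder, @($perm))

# Read the permission back and confirm principal, role and propagation
$applied = $authMgr.RetrieveEntityPermissions($si.Content.RootFolder, $false) |
    Where-Object { $_.Principal -eq $Principal }
if (-not $applied -or $applied.RoleId -ne $roleId -or -not $applied.Propagate) {
    throw "Permission for $Principal on the root folder was not applied as expected."
}
"$Principal now holds role '$RoleName' (id $roleId) on the root folder of $VIServer, propagating."

Disconnect-VIServer -Server $vc -Confirm:$false
```

Running the script once per vCenter, with the disconnect at the top, keeps the RoleId lookup unambiguous; the read-back at the end makes the script fail loudly if the permission did not land where intended, which is worth having for an account that will hold broad backup rights.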