VMware Cloud Community
virtualtech_wor

Set permissions at the vCenter top level that's above the Datacenter object level.

I could use the below script to add permissions at the DC object level; however, the backup service account doesn't work well at that level. It needs permissions to be set at the level above the Datacenter object (that's the vCenter level). Can you please advise what changes are required to this script?

Or are global permissions the best way to assign such a permission?

# Obtain the ServiceInstance view and, from it, the AuthorizationManager
$svcRef = New-Object VMware.Vim.ManagedObjectReference
$svcRef.Type = "ServiceInstance"
$svcRef.Value = "ServiceInstance"
$serviceInstance = Get-View $svcRef
$principal = "domain\backupaccount"
# Target entity: the Datacenter object
$Entity = Get-Datacenter | Get-View
$authmgr = Get-View $serviceInstance.Content.AuthorizationManager
# Build the permission for the service account using the custom role
$permission = New-Object VMware.VIM.Permission
$permission.Principal = $principal
$permission.group = $false
$permission.propagate = $true
$permission.RoleId = ($authmgr.RoleList | where {$_.Name -eq "CustomeRole123"}).RoleId
# Apply the permission on the Datacenter
$authmgr.SetEntityPermissions($Entity.MoRef,$permission)

Regards.

LucD

Try setting it at the root folder.

# ServiceInstance can be passed to Get-View directly
$serviceInstance = Get-View ServiceInstance
$principal = "domain\backupaccount"
$authmgr = Get-View $serviceInstance.Content.AuthorizationManager
# Build the permission for the service account using the custom role
$permission = New-Object VMware.VIM.Permission
$permission.Principal = $principal
$permission.group = $false
$permission.propagate = $true
$permission.RoleId = ($authmgr.RoleList | where {$_.Name -eq "CustomeRole123"}).RoleId
# Apply the permission on the root folder, the object above the Datacenters
$authmgr.SetEntityPermissions($serviceInstance.Content.RootFolder,$permission)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

virtualtech_wor

That helps; however, I'm getting the below error on some of the vCenters:

Exception setting "RoleId": "Cannot convert the "System.Object[]" value of type "System.Object[]" to type "System.Int32"."

When I verify whether the role exists with the right name, the output of the below command shows multiple roles with the same name, whereas I don't see these duplicate role names when using the web client.

(FYI, I'm connected/authenticated to only one vCenter at a time.)

# To Verify if the role name is correct

(Get-VIPermission).Role -match "Corp*"

Please let me know your thoughts.

LucD

One way or the other, multiple RoleIds are returned, which makes the method fail since it expects a single value, not an array.
Can you check what this returns?


$authMgr.RoleList | Select Name,RoleId


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

virtualtech_wor

Sorry, it looks like I was authenticated to more than one vCenter somehow, even though I ran the disconnect command after executing the script for each vCenter.

After closing the active sessions and connecting to the specific vCenter, the script is working fine. No duplicate roles.

Thanks.

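A guarded version of the accepted answer, added here as an example rather than code from the thread or from LucD: it refuses to run while more than one vCenter is connected (the cause of the duplicate RoleIds in the later replies), requires exactly one role match before building the permission, applies it at the root folder, and verifies the result with Get-VIPermission. It assumes an active PowerCLI session; the principal and role name are placeholders.

```powershell
# Added example, not from the thread. Assumes an active PowerCLI session.
$principal = 'domain\backupaccount'   # placeholder service account
$roleName  = 'CustomeRole123'         # placeholder role name from the thread

# 1. Refuse to run with more than one connected vCenter: a session with several
#    connections is what produced duplicate roles and the System.Object[] error.
$servers = @($global:DefaultVIServers)
if ($servers.Count -ne 1) {
    throw "Expected exactly one vCenter connection, found $($servers.Count): $($servers.Name -join ', ')"
}

$si      = Get-View ServiceInstance
$authMgr = Get-View $si.Content.AuthorizationManager

# 2. Resolve the role and insist on exactly one match; SetEntityPermissions
#    needs a single Int32 RoleId, not an array.
$roles = @($authMgr.RoleList | Where-Object { $_.Name -eq $roleName })
if ($roles.Count -ne 1) {
    throw "Expected one role named '$roleName', found $($roles.Count)"
}

# 3. Build the permission and apply it at the root folder (the level above the
#    Datacenter objects), with propagation so child objects inherit it.
$permission = New-Object VMware.Vim.Permission
$permission.Principal = $principal
$permission.Group     = $false
$permission.Propagate = $true
$permission.RoleId    = $roles[0].RoleId
$authMgr.SetEntityPermissions($si.Content.RootFolder, @($permission))

# 4. Verify the assignment instead of trusting that the call succeeded silently.
$rootFolder = Get-Folder -NoRecursion
$applied = Get-VIPermission -Entity $rootFolder -Principal $principal |
    Where-Object { $_.Role -eq $roleName }
if (-not $applied) {
    throw "Permission for '$principal' with role '$roleName' was not found on the root folder"
}
$applied | Select-Object Principal, Role, Propagate, Entity
```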