VMware Cloud Community
moonbeast
Contributor
Contributor
Jump to solution

Setting Port Group permissions with PowerCLI

Hi,

I am writing a script that creates a resource pool, adds a security group to it's permissions, and then creates 2 Port Groups on each host in the DataCenter, sets their VLANiD's and then adds a security group to the Port Group permissions. I have managed to get as far as creating the Port Groups I just can't seem to get it to add the security group to the Port Group permissions. I have managed to get it to work with the resource pool.

I was wondering if anyone knew how to add an AD security group to port group permissions using PowerClI?

Thanks

Reply
0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership
Jump to solution

The New-VIPermission cmdlet doesn't handle the newer entities, like network.

That means you will have to fall back on the SDK method SetEntityPermissions.

$esxName = <hostname>
$pgName = <portgroupname>
$user = <AD account>                  # Ex "TEST\luc"
$role = <rolename>                        # Ex "Admin"
$group = $false
$propagate = $false

$authMgr = Get-View (Get-View ServiceInstance).Content.authorizationManager
$perm = New-Object VMware.Vim.Permission
$perm.Principal = $user
$perm.roleId = ($authMgr.RoleList | where{$_.Name -eq $role}).RoleId
$perm.group = $group
$perm.propagate = $propagate

$esx = Get-VMHost -Name $esxName
$esx.ExtensionData.Network | %{
	$net = Get-View $_
	if($net.Name -eq $pgName){
		$authMgr.SetEntityPermissions($_,$perm)
	}
}

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

Reply
0 Kudos
4 Replies
LucD
Leadership
Leadership
Jump to solution

The New-VIPermission cmdlet doesn't handle the newer entities, like network.

That means you will have to fall back on the SDK method SetEntityPermissions.

$esxName = <hostname>
$pgName = <portgroupname>
$user = <AD account>                  # Ex "TEST\luc"
$role = <rolename>                        # Ex "Admin"
$group = $false
$propagate = $false

$authMgr = Get-View (Get-View ServiceInstance).Content.authorizationManager
$perm = New-Object VMware.Vim.Permission
$perm.Principal = $user
$perm.roleId = ($authMgr.RoleList | where{$_.Name -eq $role}).RoleId
$perm.group = $group
$perm.propagate = $propagate

$esx = Get-VMHost -Name $esxName
$esx.ExtensionData.Network | %{
	$net = Get-View $_
	if($net.Name -eq $pgName){
		$authMgr.SetEntityPermissions($_,$perm)
	}
}

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
moonbeast
Contributor
Contributor
Jump to solution

Thanks for the reply LucD,

Please excuse me as I am pretty much a noob when it comes to this.

Can those commands be called from PowerCLI? Ideally I am going to make it into a function and run it in a loop for each esxi host.

Reply
0 Kudos
LucD
Leadership
Leadership
Jump to solution

Yes, this is regular PowerCLI code.

The script just uses some features, like the Extensiondata property and the Get-View cmdlet, to get at the underlying vSphere objects.

You can easily turn this into a function.

Change the assignments at the beginning of the script into function parameters and the rest of the script can stay as-is.

Let me know if you encounter any problems with turning this into a function.

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
sastre
Enthusiast
Enthusiast
Jump to solution

As usual LucD, you are a genius Smiley Happy

Thank you.

Reply
0 Kudos