Hello All,
I have many port groups on standard and also on distributed switches on ESX 5.0.
I'd like to know if there is a way to manipulate permissions on those port groups with PowerCLI.
Is there a way or can you help me automate this work?
Thank you!
The easy ones are the portgroups on dvSwitches.
As an example
$user = Get-VIAccount -Name "domain\lucd"
$role = Get-VIRole -Name NetworkAdmin
$dvPg = Get-VDPortgroup -Name "dvPortgroup"
New-VIPermission -Principal $user -Role $role -Entity $dvPg
The regular portgroups require the use of the API.
For example
$pgName = "VM Network"
$role = Get-VIRole -Name NetworkAdmin
$pg = Get-VirtualPortGroup -Name $pgName | Select -First 1
# Find the Network object behind the port group via the host's Network property
$net = Get-View (Get-View $pg.VMHostId).Network | where {$_.Name -eq $pgName}
$authMgr = Get-View AuthorizationManager
$perm = New-Object VMware.Vim.Permission
$perm.Principal = "domain\lucd"
$perm.RoleId = $role.Id
$perm.Propagate = $true
# $false because the principal is a user; a group needs $true
$perm.Group = $false
$authMgr.SetEntityPermissions($net.moref,$perm)
Since the Get-VirtualPortgroup cmdlet doesn't give you direct access to the corresponding Network object, you will have to find it via the ESXi network property.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you very much for the excellent answer!
However, when I set it up to read port groups from a file and add permissions to a group rather than to a user, it gives an error message like this:
Exception calling "SetEntityPermissions" with "2" argument(s): "The user or group named 'DOMAIN\VM-Admins' does not exist."
This group definitely exists as this command gives it back:
PowerCLI C:\Users\Desktop> Get-VIAccount -Group "DOMAIN\vm-admins"
Id Domain Description
-- ------ -----------
VM-Admins DOMAIN
I found out by trial and error that I need to set $perm.Group = $false to true, and now everything is fine. I have to dive deeper into this.
Thank you again for the answer!
Sorry about that, I should have included an example with a group.
But I'm glad you found the solution.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
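The group case from the follow-up, as an added example that is not part of the original thread: it reads standard port group names from a file, checks whether the principal is a user or a group before setting Permission.Group, applies the permission and reads it back. The function name Set-StdPortgroupPermission and the file portgroups.txt are hypothetical, and an active Connect-VIServer session is assumed.

```powershell
# Added example, not from the thread. Assumes an active Connect-VIServer session.
# Set-StdPortgroupPermission and portgroups.txt are hypothetical names.
function Set-StdPortgroupPermission {
    param(
        [Parameter(Mandatory = $true)][string[]]$PortgroupName,
        [Parameter(Mandatory = $true)][string]$Principal,   # "DOMAIN\name"
        [Parameter(Mandatory = $true)][string]$RoleName
    )
    $role    = Get-VIRole -Name $RoleName -ErrorAction Stop
    $authMgr = Get-View AuthorizationManager

    # Resolve the principal first: Permission.Group must be $true for a group.
    # A group passed with Group = $false is rejected as nonexistent, which is
    # the error shown in the follow-up post.
    if (Get-VIAccount -Group $Principal -ErrorAction SilentlyContinue) {
        $isGroup = $true
    } elseif (Get-VIAccount -User $Principal -ErrorAction SilentlyContinue) {
        $isGroup = $false
    } else {
        throw "Principal '$Principal' is neither a known user nor a known group."
    }

    foreach ($name in $PortgroupName) {
        $pg = Get-VirtualPortGroup -Name $name -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if (-not $pg) { Write-Warning "Port group '$name' not found, skipped."; continue }

        # Same lookup as in the answer: go through the host to the Network object.
        $net = Get-View (Get-View $pg.VMHostId).Network |
            Where-Object { $_.Name -eq $name } | Select-Object -First 1

        $perm = New-Object VMware.Vim.Permission
        $perm.Principal = $Principal
        $perm.RoleId    = $role.Id
        $perm.Group     = $isGroup
        $perm.Propagate = $true
        $authMgr.SetEntityPermissions($net.MoRef, @($perm))

        # Read back what is now set directly on the object (no inherited entries).
        $authMgr.RetrieveEntityPermissions($net.MoRef, $false) |
            Select-Object @{N = 'Portgroup'; E = { $name }}, Principal, Group, RoleId, Propagate
    }
}

# Blank lines in the file are dropped before the names are passed on.
$names = Get-Content .\portgroups.txt | Where-Object { $_.Trim() } | ForEach-Object { $_.Trim() }
Set-StdPortgroupPermission -PortgroupName $names -Principal 'DOMAIN\VM-Admins' -RoleName 'NetworkAdmin'
```

The read-back rows make it easy to confirm that each port group carries only the intended principal and role before the change is considered done.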