VMware Cloud Community
vihar1

Standard vswitch port group permission management with PowerCLI

Hello All,

I have many port groups on standard and also on distributed switches on ESX 5.0.

I'd like to know if there is a way to manipulate permissions on those port groups with PowerCLI.

Is there a way or can you help me automate this work?

Thank you!

LucD

The easy ones are the portgroups on dvSwitches.

As an example

$user = Get-VIAccount -Name "domain\lucd"
$role = Get-VIRole -Name NetworkAdmin
$dvPg = Get-VDPortgroup -Name "dvPortgroup"
New-VIPermission -Principal $user -Role $role -Entity $dvPg

The regular portgroups require the use of the API.

For example

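$pgName = "VM Network"
# Take the first port group with that name
$pg = Get-VirtualPortGroup -Name $pgName | Select -First 1
# Find the matching Network object through the host's Network property
$net = Get-View (Get-View $pg.VMHostId).Network | where {$_.Name -eq $pgName}
$authMgr = Get-View AuthorizationManager
$perm = New-Object VMware.Vim.Permission
$perm.Principal = "domain\lucd"
$perm.RoleId = $role.Id      # $role comes from the Get-VIRole call in the first example
$perm.Propagate = $true
$perm.Group = $false         # the principal here is a user account
$authMgr.SetEntityPermissions($net.moref,$perm)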

Since the Get-VirtualPortgroup cmdlet doesn't give you direct access to the corresponding Network object, you will have to find it via the ESXi network property.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

vihar1

Thank you very much for the excellent answer!

However when I set it up to read port groups from a file and add permissions to a group rather than to a user it gives an error message like this:

Exception calling "SetEntityPermissions" with "2" argument(s): "The user or group named 'DOMAIN\VM-Admins' does not exist."

This group definitely exists as this command gives it back:

PowerCLI C:\Users\Desktop> Get-VIAccount -Group "DOMAIN\vm-admins"

Id                             Domain               Description
--                             ------               -----------
VM-Admins              DOMAIN

I found out by trial and error that I need to set $perm.Group = $false to true and now everything is fine. I have to dive deeper into this :)

Thank you again for the answer!

LucD

Sorry about that, I should have included an example with a group.

But I'm glad you found the solution :)


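The case worked out in this thread (a list of standard port groups, with the permission going to a group rather than a user), as an added example that is not code from either poster. It assumes an existing Connect-VIServer session; the function name, its parameters and the sample port group 'DMZ-Web' are hypothetical.

```powershell
# Added example. Assumes a connected PowerCLI session; names below are hypothetical.
function Set-StandardPortGroupPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$PortGroupName,
        [Parameter(Mandatory = $true)][string]$Principal,   # "DOMAIN\name"
        [Parameter(Mandatory = $true)][string]$RoleName,
        [switch]$IsGroup,      # must match the principal type, or the API reports it as missing
        [switch]$Propagate
    )
    $role    = Get-VIRole -Name $RoleName -ErrorAction Stop
    $authMgr = Get-View AuthorizationManager

    foreach ($name in $PortGroupName) {
        $pg = Get-VirtualPortGroup -Name $name -Standard -ErrorAction SilentlyContinue |
              Select-Object -First 1
        if (-not $pg) { Write-Warning "Port group '$name' not found"; continue }

        # Get-VirtualPortGroup does not expose the Network object: resolve it via the host view.
        $net = Get-View (Get-View -Id $pg.VMHostId -Property Network).Network |
               Where-Object { $_.Name -eq $name } | Select-Object -First 1
        if (-not $net) { Write-Warning "No Network object for '$name'"; continue }

        $perm = New-Object VMware.Vim.Permission
        $perm.Principal = $Principal
        $perm.Group     = [bool]$IsGroup
        $perm.RoleId    = $role.Id
        $perm.Propagate = [bool]$Propagate

        if ($PSCmdlet.ShouldProcess($name, "Grant role '$RoleName' to $Principal")) {
            $authMgr.SetEntityPermissions($net.MoRef, @($perm))
            # Read back what is now set directly on the object (inherited = $false).
            $authMgr.RetrieveEntityPermissions($net.MoRef, $false) |
                Select-Object @{N = 'PortGroup'; E = { $name }}, Principal, Group, RoleId, Propagate
        }
    }
}

# Constructed sample list; in practice: $names = Get-Content .\portgroups.txt
$names = @('VM Network', 'DMZ-Web')
Set-StandardPortGroupPermission -PortGroupName $names -Principal 'DOMAIN\VM-Admins' `
    -RoleName 'NetworkAdmin' -IsGroup -WhatIf
```

Drop -WhatIf to apply the change; the read-back rows show which principal, role and Propagate value ended up on each port group.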