Automation

  • 1.  Trying to assign user Admin permissions on Root Folder

    Posted Dec 24, 2009 08:22 PM

    I am trying to add a domain user directly to the folder permissions for the root folder in vCenter with Admin permissions. I can get it to assign permissions for folders below the root but not at the top of the tree. See code below.

    #Create a VIAccount object suitable for use with New-VIPermission, Get-VIPermission, etc. from PowerCLI.
    function New-VIAccount($principal) {
        $flags = `
            [System.Reflection.BindingFlags]::NonPublic -bor
            [System.Reflection.BindingFlags]::Public -bor
            [System.Reflection.BindingFlags]::DeclaredOnly -bor
            [System.Reflection.BindingFlags]::Instance
        $method = $defaultviserver.GetType().GetMethods($flags) |
            where { $_.Name -eq "VMware.VimAutomation.Types.VIObjectCore.get_Client" }
        $client = $method.Invoke($global:DefaultVIServer, $null)
        Write-Output `
            (New-Object VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl `
            -ArgumentList $principal, "", $client)
    }

    $svcaccount = $domain + "\" + $username
    $account = New-VIAccount "$svcaccount"

    #(Get-Folder -Name folder) | New-VIPermission -Role Admin -Principal $account -Propagate:$TRUE ### This adds the user to a folder named folder with no issues.

    (Get-Folder -Name Datacenters -Id Folder-group-d1) | New-VIPermission -Role Admin -Principal $account -Propagate:$TRUE ### When I try to apply to the root folder I get the following error:

    New-VIPermission : 12/24/2009 2:19:30 PM New-VIPermission 9C9AB6A7-E395-42D1-B944-516E1BBBCEF2 Object reference not set to an instance of an object.

    At ...vCenterSettings.ps1:93 char:70+ (Get-Folder -Name Datacenters -Id Folder-group-d1) | New-VIPermission <<<< -Role Admin -Principal $account -Propagate:$TRUE



  • 2.  RE: Trying to assign user Admin permissions on Root Folder
    Best Answer

    Posted Dec 24, 2009 10:59 PM

    I could reproduce the problem, so that seems to be indeed another bug for the New-VIPermission cmdlet in PowerCLI 4u1.

    As a bypass, you can call the SetEntityPermissions method directly like this

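    # Replace the placeholders with your own domain and account name
    $domain = "<your-domainname>"
    $username = "<your-accountname>"
    $svcaccount = $domain + "\" + $username
    
    # Root folder and the AuthorizationManager view
    $folder = Get-Folder -Name "Datacenters"
    $authMgr = Get-View AuthorizationManager
    # Build the permission: principal, propagation and the id of the Admin role
    $perm = New-Object VMware.Vim.Permission
    $perm.principal = $svcaccount
    $perm.propagate = $true
    $perm.roleid = ($authMgr.RoleList | where{$_.Name -eq "Admin"}).RoleId
    # Apply it to the root folder's managed object reference
    $authMgr.SetEntityPermissions(($folder | Get-View).MoRef, $perm)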
    



  • 3.  RE: Trying to assign user Admin permissions on Root Folder

    Posted Jun 09, 2010 09:21 AM

    Luc,

    Your script works OK, except when I try to add groups instead of users, it fails.

    Any idea why?



  • 4.  RE: Trying to assign user Admin permissions on Root Folder

    Posted Jun 09, 2010 09:38 AM

    Found it.

    $perm.group = $true



  • 5.  RE: Trying to assign user Admin permissions on Root Folder

    Broadcom Employee
    Posted Jul 26, 2010 02:55 PM

    Hi Rob,

    The problem is fixed in the VMware vSphere PowerCLI 4.1 build 264274 - the 4.1 release.

    All you need is for your VC to be a member of the domain of the user you want to assign as principal. You can just execute the following line of code in order to create a permission for the root:

     New-VIPermission -Role Admin -Principal 'domain\youruser' -Entity (Get-Folder -Name 'Datacenters') 

    Thanks,

    Gospodin!
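
An added example, not from any post in this thread or from VMware: an Admin permission on the root folder with propagation applies to the whole inventory, so it is worth reviewing who holds it after making the change. The function name `Get-RootRoleGrant`, the `-Expected` approval list and the sample principals and role ids are assumptions made for illustration.

```powershell
# Added example: list who holds a role on the root folder and flag unapproved grants.
# Input objects mirror the VMware.Vim.Permission properties used in this thread
# (Principal, Group, Propagate, RoleId) and the RoleList entries (Name, RoleId).
function Get-RootRoleGrant {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Permission,
        [Parameter(Mandatory)] [object[]] $RoleList,
        [string]   $RoleName = 'Admin',
        [string[]] $Expected = @()   # hypothetical list of approved principals
    )
    $role = $RoleList | Where-Object { $_.Name -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' not found in role list" }

    $Permission |
        Where-Object { $_.RoleId -eq $role.RoleId } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Principal
                IsGroup   = [bool]$_.Group
                Propagate = [bool]$_.Propagate
                # -contains is case-insensitive, which suits DOMAIN\name principals
                Approved  = $Expected -contains $_.Principal
            }
        }
}

# Constructed sample data (not taken from a real vCenter).
$sampleRoles = @(
    [pscustomobject]@{ Name = 'Admin';    RoleId = -1 }
    [pscustomobject]@{ Name = 'ReadOnly'; RoleId = -2 }
)
$samplePerms = @(
    [pscustomobject]@{ Principal = 'EXAMPLE\vc-admins';  Group = $true;  Propagate = $true;  RoleId = -1 }
    [pscustomobject]@{ Principal = 'EXAMPLE\svc-backup'; Group = $false; Propagate = $true;  RoleId = -1 }
    [pscustomobject]@{ Principal = 'EXAMPLE\auditors';   Group = $true;  Propagate = $true;  RoleId = -2 }
)

# Show only Admin grants that are not on the approved list (here: EXAMPLE\svc-backup).
Get-RootRoleGrant -Permission $samplePerms -RoleList $sampleRoles -Expected 'EXAMPLE\vc-admins' |
    Where-Object { -not $_.Approved } |
    Format-Table -AutoSize

# Against a live vCenter (after Connect-VIServer), the inputs come from:
#   $authMgr = Get-View AuthorizationManager
#   $root    = (Get-Folder -Name 'Datacenters' | Get-View).MoRef
#   $perms   = $authMgr.RetrieveEntityPermissions($root, $false)
#   Get-RootRoleGrant -Permission $perms -RoleList $authMgr.RoleList -Expected 'domain\youruser'
```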