VMware Cloud Community
ganapa2000

Unable to Import Permissions to Datastore and Network

Hi, 

I am trying to import the permissions from an Excel file which has the contents below, and I am unable to import them and am getting an error.

The Principals are AD groups and users.

Please help!!

Import-excel -Path $reportName -WorksheetName Permissions -PipelineVariable row |
Foreach-Object -process {
$sPerm = @{
Entity = Get-Inventory -Name $row.Entity
Role = Get-VIRole -name $row.Role
Principal = $row.Principal
Propagate = $row.Propagate
Confirm = $false
}
New-Vipermission @Sperm
}

Excel File

ganapa2000_1-1661407314870.png

 

Error

Get-Inventory : 8/25/2022 12:29:58 AM Get-Inventory Inventory with name '192.168.1.x_3010' was not found using the specified filter(s).
At D:\Import_Permissions.ps1:6 char:18
+ Entity = Get-Inventory -Name $row.Entity
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-Inventory], VimException
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetInventory

Foreach-Object : Cannot bind parameter 'Entity'. Cannot convert the "" value of type "System.Management.Automation.PSCustomObject" to type "VMware.VimAutomation.Sdk.Types.V1.VIObject".
At D:\Import_Permissions.ps1:4 char:1
+ Foreach-Object -process {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [ForEach-Object], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.ForEachObjectCommand

 

Get-Inventory : 8/25/2022 12:23:23 AM Get-Inventory Inventory with name 'MyNim-DS01' was not found using the specified filter(s).
At D:\Import_Permissions.ps1:6 char:18
+ Entity = Get-Inventory -Name $row.Entity
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-Inventory], VimException
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetInventory

Foreach-Object : Cannot bind parameter 'Entity'. Cannot convert the "" value of type "System.Management.Automation.PSCustomObject" to type "VMware.VimAutomation.Sdk.Types.V1.VIObject".
At D:\Import_Permissions.ps1:4 char:1
+ Foreach-Object -process {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [ForEach-Object], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.ForEachObjectCommand

LucD

Unfortunately, Get-Inventory does NOT return Portgroups and Datastores.
That is the reason I wrote my Get-InventoryPlus function.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

So for the importing, can I use the Get-InventoryPlus function in the above script for importing the permissions?

LucD

No, the Get-InventoryPlus function does not support a Name parameter.
Nor does it return an object that can be used with New-VIPermission.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

Then which is the best way to import and export permissions?

I am using the script below to export, and I would like to import the permissions.

#Export Permission
$reportName = ".\Export_Permission.xlsx"
Get-VIPermission | Select @{N='vCenter';E={$_.Uid.Split('@:')[1]}},
Principal,Role,Propagate,
@{n='Entity';E={$_.Entity.Name}},
@{N='Entity Type';E={$_.EntityId.Split('-')[0]}} | Export-excel -Path ".\Export_Permission.xlsx"

LucD

You could do something like this.
Note that the switch probably needs other cases, depending on all VI objects that are not returned by Get-Inventory.

Import-excel -Path $reportName -WorksheetName Permissions -PipelineVariable row |
Foreach-Object -process {
    $sPerm = @{
        Entity = &{
          switch($row.'Entity Type'){
            'Network' {
              Get-VirtualPortgroup -Name $row.Entity
            }
            'Datastore' {
              Get-Datastore -Name $row.Entity
            }
            Default {
              Get-Inventory -Name $row.Entity
            }
          }
        }
        Role = Get-VIRole -name $row.Role
        Principal = $row.Principal
        Propagate = $row.Propagate
        Confirm = $false
    }
    New-VIPermission @sPerm
}

 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

When I tried your script, I am getting the same error.

I am also attaching the import excel file for your reference

Get-Inventory : 8/25/2022 3:07:15 AM Get-Inventory Inventory with name 'MyNim-DS01' was not found using the specified filter(s).
At D:\Import_Permissions.ps1:15 char:15
+ Get-Inventory -Name $row.Entity
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-Inventory], VimException
+ FullyQualifiedErrorId : Core_OutputHelper_WriteNotFoundError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetInventory

Foreach-Object : Cannot bind parameter 'Entity'. Cannot convert the "" value of type "System.Management.Automation.PSCustomObject" to type "VMware.VimAutomation.Sdk.Types.V1.VIObject".
At D:\Date\Import_Export_Roles_Permissions\Permissions\04_Import_Permissions.ps1:4 char:1
+ Foreach-Object -process {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [ForEach-Object], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.ForEachObjectCommand

LucD

The switch should have been on 'Entity Type'.
I corrected the code above.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

It worked for Datastore and folder but for Network, it failed. 

Role Principal Propagate IsGroup
---- --------- --------- -------
VC_User_Role MYDOMAIN\vcgroup True True
VC_User_Role MYDOMAIN\vcgroup True True
Foreach-Object : Cannot process argument transformation on parameter 'Entity'. This parameter no longer accepts an array. As an alternative you may pass multiple values by pipeline (if supported by the
parameter).
At D:\Import_Permissions.ps1:4 char:1
+ Foreach-Object -process {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [ForEach-Object], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Microsoft.PowerShell.Commands.ForEachObjectCommand

 

But when I validated the Datastore and folder permissions, the role shows as null.

ganapa2000_0-1661416679736.png

LucD

That seems to indicate you have Portgroups with the same name.
Without Switch information, it will be impossible to determine which one is intended.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

We are using portgroups which are part of a standard switch. Using the command below, I can get the switch name, but it shows multiple times from all the hosts. In this case, how can I provide permission for portgroups?

Get-VirtualPortGroup | Select Name, VirtualSwitch

LucD

There isn't enough information in the XLSX file to determine which Portgroup is targeted.
You would need to export the ESXi node name and the VirtualSwitch name as well.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

Hi LucD,

How can I add the below to the export script? All the ESXi hosts have the same Portgroup names and Switch names.

Get-VirtualPortGroup -Name "172.27.1.x_3010" | Select Name, VirtualSwitch, @{N="HostName"; E={get-vmhost -id $_.VMHostid}}

$reportName = ".\Export_Permission.xlsx"
Get-VIPermission | Select @{N='vCenter';E={$_.Uid.Split('@:')[1]}},
Principal,Role,Propagate,
@{n='Entity';E={$_.Entity.Name}},
@{N='Entity Type';E={$_.EntityId.Split('-')[0]}} | Export-excel -Path ".\Export_Permission.xlsx"

 

LucD

After some playing around I found out that the vSwitch is not even needed, just the Network MoRef as known on the ESXi node.
But be aware this only works for VSS Portgroups, not VDS portgroups!!

To export

 

$reportName = ".\Export_Permission.xlsx"

Get-VIPermission |
Select @{N='vCenter';E={$_.Uid.Split('@:')[1]}},
  Principal,Role,Propagate,
  @{n='Entity';E={$_.Entity.Name}},
  @{N='Entity Type';E={$_.EntityId.Split('-')[0]}},
  @{N='VMHost';E={$script:vmhost = Get-View -Id (Get-View -Id $_.Entity.Id).Host
                  $script:vmhost.Name}},
  @{N='Network';E={
    $net = $_.Entity.Id
    $script:vmhost.Network.Where{$_ -eq $net}}} |
Export-excel -Path $reportName -WorksheetName Permissions

 


And to import

 

$reportName = ".\Export_Permission.xlsx"

Import-Excel -Path $reportName -WorksheetName Permissions -PipelineVariable row |
ForEach-Object -Process {
  $sPerm = @{
    Entity = & {
      switch ($row.'Entity Type') {
        'Network' {
          $vmhost = Get-View -ViewType HostSystem -Filter @{Name=$row.VMHost}
          $net = $vmhost.Network | Where-Object { $_ -eq $row.Network }
          Get-VIObjectByVIView -MORef $net
        }
        'Datastore' {
          Get-Datastore -Name $row.Entity
        }
        Default {
          Get-Inventory -Name $row.Entity
        }
      }
    }
    Role = Get-VIRole -Name $row.Role
    Principal = $row.Principal
    Propagate = $row.Propagate
    Confirm = $false
  }
  New-VIPermission @sPerm
}

 

 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

While exporting the network VMHost and Network shows as System.Object[]

ganapa2000_0-1661436865983.png

 

LucD

That is caused by having VSS portgroups with the same name on multiple ESXi nodes.

Try the following updated versions.

To export

$reportName = ".\Export_Permission.xlsx"

Get-VIPermission |
Select @{N='vCenter';E={$_.Uid.Split('@:')[1]}},
  Principal,Role,Propagate,
  @{n='Entity';E={$_.Entity.Name}},
  @{N='Entity Type';E={$_.EntityId.Split('-')[0]}},
  @{N='VMHost';E={$script:vmhost = Get-View -Id (Get-View -Id $_.Entity.Id).Host
                  $script:vmhost.Name -join '|'}},
  @{N='Network';E={
    $net = $_.Entity.Id
    $script:vmhost.Network.Where{$_ -eq $net} -join '|'}} |
Export-Excel -Path $reportName -WorksheetName Permissions

To import

$reportName = ".\Export_Permission.xlsx"

Import-Excel -Path $reportName -WorksheetName Permissions -PipelineVariable row |
ForEach-Object -Process {
  $sPerm = @{
    Entity = & {
      switch ($row.'Entity Type') {
        'Network' {
          $row.VMHost -split '\|' | ForEach-Object -Process {
            $vmhost = Get-View -ViewType HostSystem -Filter @{Name=$_}
            $row.Network -split '\|' | Sort-Object -Unique | ForEach-Object -Process {
              $netMoRef = $_
              $net = $vmhost.Network | Where-Object { $_ -eq $netMoRef }
              Get-VIObjectByVIView -MORef $net
            }
          }
        }
        'Datastore' {
          Get-Datastore -Name $row.Entity
        }
        Default {
          Get-Inventory -Name $row.Entity
        }
      }
    }
    Role = Get-VIRole -Name $row.Role
    Principal = $row.Principal
    Propagate = $row.Propagate
    Confirm = $false
  }
  foreach($entity in $sPerm.Entity){
    $sPerm2 = $sPerm.Clone()
    $sPerm2.Entity = $entity
    New-VIPermission @sPerm2
  }
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

That worked. In the import script, how can we add the entity name in the output?

Role Principal Propagate IsGroup
---- --------- --------- -------
VC_User_Role MUDOMAIN\vcgroup True True

VC_User_Role MUDOMAIN\vcgroup True True

VC_User_Role MUDOMAIN\vcgroup True True

VC_User_Role MUDOMAIN\vcgroup True True


 

LucD

Not sure what you mean, the export script adds the Entity name.
What you show seems to be the output from a Get-VIPermission cmdlet.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ganapa2000

LucD,

I meant, when I execute the import script, after the permission is added, I see an output on the screen.

Example as below. Here I am not sure for which Entity the permission was added, so to identify it, is there a way to view the Entity Name along with the below output when the import permission is executed?

Current Output

Role Principal Propagate IsGroup
---- --------- --------- -------
VC_User_Role MUDOMAIN\vcgroup True True

 

Desired Output on screen

Entity Role Principal Propagate IsGroup
---- ---- --------- --------- -------
Nim-DS01 VC_User_Role MUDOMAIN\vcgroup True True

LucD (Accepted Solution)

You could do

$reportName = ".\Export_Permission.xlsx"

Import-Excel -Path $reportName -WorksheetName Permissions -PipelineVariable row |
ForEach-Object -Process {
  $sPerm = @{
    Entity = & {
      switch ($row.'Entity Type') {
        'Network' {
          $row.VMHost -split '\|' | ForEach-Object -Process {
            $vmhost = Get-View -ViewType HostSystem -Filter @{Name=$_}
            $row.Network -split '\|' | Sort-Object -Unique | ForEach-Object -Process {
              $netMoRef = $_
              $net = $vmhost.Network | Where-Object { $_ -eq $netMoRef }
              Get-VIObjectByVIView -MORef $net
            }
          }
        }
        'Datastore' {
          Get-Datastore -Name $row.Entity
        }
        Default {
          Get-Inventory -Name $row.Entity
        }
      }
    }
    Role = Get-VIRole -Name $row.Role
    Principal = $row.Principal
    Propagate = $row.Propagate
    Confirm = $false
  }
  foreach($entity in $sPerm.Entity){
    $sPerm2 = $sPerm.Clone()
    $sPerm2.Entity = $entity
    New-VIPermission @sPerm2 |
    Select @{N='Entity';E={$_.Entity.Name}},Role, Principal, Propagate, IsGroup
  }
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
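
A pre-flight check that can be run on the exported worksheet before the import scripts in this thread create any permissions, added here as an example and not written by either poster. `Test-PermissionRow` and the sample rows are hypothetical; the column names are those produced by the thread's export script.

```powershell
# Added example, not from the thread. Test-PermissionRow is a hypothetical helper.
function Test-PermissionRow {
    param([Parameter(Mandatory)][object[]]$Row)

    $seen = @{}   # "Entity Type|Entity|Principal" -> role of the first such row
    $n = 1        # worksheet row 1 is the header, data starts at row 2
    foreach ($r in $Row) {
        $n++
        $found = @()
        foreach ($col in 'Entity', 'Entity Type', 'Role', 'Principal') {
            if ([string]::IsNullOrWhiteSpace($r.$col)) { $found += "empty column '$col'" }
        }
        $parsed = $false
        if (-not [bool]::TryParse([string]$r.Propagate, [ref]$parsed)) {
            $found += "Propagate '$($r.Propagate)' is not True/False"
        }
        if ($r.'Entity Type' -eq 'Network') {
            # The import script resolves these rows from the VMHost and Network columns only.
            if ([string]::IsNullOrWhiteSpace($r.VMHost) -or [string]::IsNullOrWhiteSpace($r.Network)) {
                $found += 'Network row without VMHost/Network values, nothing can be resolved'
            }
        } else {
            # Other rows are looked up by name, so equal names cannot be told apart.
            $key = ($r.'Entity Type', $r.Entity, $r.Principal) -join '|'
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $r.Role
            } elseif ($seen[$key] -ne $r.Role) {
                $found += "same name and principal as an earlier row with role '$($seen[$key])'"
            }
        }
        foreach ($f in $found) {
            [pscustomobject]@{ Row = $n; Entity = $r.Entity; Issue = $f }
        }
    }
}

# Constructed sample rows shaped like the exported worksheet (all values are made up).
$rows = @(
    [pscustomobject]@{ 'Entity Type' = 'Datastore'; Entity = 'DS01'; Role = 'RoleA'; Principal = 'DOM\grp'; Propagate = 'True' }
    [pscustomobject]@{ 'Entity Type' = 'Datastore'; Entity = 'DS01'; Role = 'RoleB'; Principal = 'DOM\grp'; Propagate = 'True' }
    [pscustomobject]@{ 'Entity Type' = 'Network'; Entity = 'PG-3010'; Role = 'RoleA'; Principal = 'DOM\grp'; Propagate = 'yes' }
    [pscustomobject]@{ 'Entity Type' = 'Folder'; Entity = 'Prod'; Role = $null; Principal = 'DOM\grp'; Propagate = 'False' }
)
Test-PermissionRow -Row $rows | Format-Table -AutoSize
```

With a real workbook, pass the output of `Import-Excel -Path $reportName -WorksheetName Permissions` as `-Row` and run the import only when no issues are returned.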
