VMware Cloud Community
rfrilling
Enthusiast

Updating privileges on existing roles

I'm running the following script to add a few new vSphere 7 privileges to our existing roles. 
 

Set-VIRole -Role "vCenter - VM Deployment" -AddPrivilege (
    Get-VIPrivilege -Id @(
        "ContentLibrary.CheckInTemplate",
        "ContentLibrary.CheckOutTemplate",
        "ContentLibrary.AddCertToTrustStore",
        "ContentLibrary.DeleteCertFromTrustStore",
        "ContentLibrary.ManageClusterRegistryResource",
        "ContentLibrary.ManageRegistry",
        "ContentLibrary.ManageRegistryProject",
        "InventoryService.Tagging.ObjectAttachable",
        "VirtualMachine.Interact.SuspendToMemory",
        "VirtualMachineClasses.Manage"
    )
)

The script executes but only returns a False value and does not update the role. 

Name               IsSystem
----               --------
vCenter - VM...    False

After hours of online searching I thought I'd post here, hopefully for suggestions on what I may be missing. I'd update these values manually but need to update 10+ roles on over 70 vCenters. 

Thanks! 

LucD
Leadership

Are you sure the account you use to run that code has the privilege to modify Roles and their Privileges?
It is the Permissions/Modify Privilege privilege.

When that is not the case, the cmdlet completes with the same output, but nothing will be changed.

Update: when I run that code with a user that has the required privilege, the privileges of the role are changed.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

rfrilling
Enthusiast

I have double checked the account in use and also tried executing the script with the local administrator account. So, the script worked for you? I thought it should but still no luck for me. I've updated PowerCLI to the latest build. vCenter I'm testing on is vCenter Server 7.0 Update 3g (7.0.3.00800). These same accounts are able to modify the listed privileges manually via the vCenter GUI. 

Thank you for the reply. I'll continue my testing after the Holiday. 

rfrilling
Enthusiast

I've tested again using both my admin account and the vCenter local admin and the code is still unsuccessful. The same results are returned when using either privilege ID or Name. 

PS C:\Scripts\VMware\vCenterRoles> Set-VIRole -Role "vCenter - Level 2 - Backup" -AddPrivilege (
    Get-VIPrivilege -Name @(
        "Disable or enable alarm on entity"
    )
)

Name                      IsSystem
----                      --------
vCenter - Level 2 - Ba... False

PS C:\Scripts\VMware\vCenterRoles> Set-VIRole -Role "vCenter - Level 2 - Backup" -AddPrivilege (
    Get-VIPrivilege -Id @(
        "Alarm.ToggleEnableOnEntity"
    )
)

Name                      IsSystem
----                      --------
vCenter - Level 2 - Ba... False

LucD
Leadership

As an additional test can you create a new Role, with no privileges?
And then run your code against that Role.


rfrilling
Enthusiast

Was worth a try but still seeing the same results. 

PS C:\Scripts\VMware\vCenterRoles> Set-VIRole -Role 'Test' -AddPrivilege (
    Get-VIPrivilege -Id @(
        'Alarm.ToggleEnableOnEntity'
    )
)

Name IsSystem
---- --------
Test False

I've opened a support case. Maybe there is a PowerCLI conflict. I'll post any resolution. 

LucD
Leadership

You mentioned earlier that you receive a False on the Set-VIRole cmdlet.
If you mean the $false in the output of the cmdlet, that is just an indication that the Role is not a System Role.
In fact those System Roles are predefined and you can't change them.

Did you check the actual privileges after the Set-VIRole cmdlet?

Get-VIRole -Name Test |
    Select -ExpandProperty PrivilegeList


rfrilling
Enthusiast

Thanks, you successfully interrupted my ignorance 😁. The False output had me thrown. Turns out the script, as originally written, works correctly. The vCenter v7 GUI does not update the privilege list until you fully log out and back into the vCenter. Refreshing the role, even refreshing the browser, does not update the GUI. Thanks for the second pair of eyes!

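Added example (not code from any poster in this thread): since the IsSystem column and the vCenter GUI both turned out to be misleading, a bulk role update across many vCenters can confirm each change by reading PrivilegeList back from the server. The function name Add-RolePrivilegeVerified and the vCenter names are hypothetical; only the PowerCLI cmdlets and the privilege IDs come from the thread.

```powershell
# Added example: add privileges to a role, then verify from the server side.
function Add-RolePrivilegeVerified {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $PrivilegeId
    )
    $role = Get-VIRole -Name $RoleName -Server $Server -ErrorAction Stop
    if ($role.IsSystem) {
        # IsSystem = True is the only case where the role cannot be modified.
        throw "Role '$RoleName' on $Server is a system role and cannot be changed."
    }

    # Resolve IDs one at a time so an ID this vCenter version does not know
    # is reported in the result instead of aborting the whole update.
    $found = @(foreach ($id in $PrivilegeId) {
        Get-VIPrivilege -Id $id -Server $Server -ErrorAction SilentlyContinue
    })
    $unknown = @($PrivilegeId | Where-Object { $_ -notin $found.Id })

    if ($found.Count -gt 0) {
        Set-VIRole -Role $role -AddPrivilege $found -ErrorAction Stop | Out-Null
    }

    # Re-read the role; do not trust the cmdlet's table output or the GUI.
    $after = (Get-VIRole -Name $RoleName -Server $Server).PrivilegeList
    [pscustomobject]@{
        Server  = $Server
        Role    = $RoleName
        Unknown = $unknown                                           # not defined on this vCenter
        Missing = @($PrivilegeId | Where-Object { $_ -notin $after }) # requested but not on the role
    }
}

# Placeholder vCenter names; replace with your own inventory list.
$vCenters = 'vc01.example.test', 'vc02.example.test'
$ids      = 'ContentLibrary.CheckInTemplate', 'VirtualMachine.Interact.SuspendToMemory'

$report = foreach ($vc in $vCenters) {
    Connect-VIServer -Server $vc | Out-Null
    Add-RolePrivilegeVerified -Server $vc -RoleName 'vCenter - VM Deployment' -PrivilegeId $ids
    Disconnect-VIServer -Server $vc -Confirm:$false
}

# Any row listed here needs attention; an empty result means every role was updated.
$report | Where-Object { $_.Missing.Count -gt 0 }
```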