Hi,
How can I read and write the permissions of the VMs and the ESX servers?
Any ideas?
As far as I know not with the current cmdlets.
The only method I currently know about is by using the SDK (again).
This sample script shows how to read and set permissions on a VM guest. The called entry is the name of an Active Directory security group (format: domainname\groupname).
$VCimpl = Get-VIServer -Server <VC Server>
# Force load
[Reflection.Assembly]::LoadWithPartialName("vmware.vim")
$svcRef = new-object VMware.Vim.ManagedObjectReference
$svcRef.Type = "ServiceInstance"
$svcRef.Value = "ServiceInstance"
$serviceInstance = get-view $svcRef
$authMgr = get-view $serviceInstance.Content.authorizationManager
$entity = Get-View (Get-VM -Name <VM Name>).ID
$inherited = $TRUE
# Read and list all permissions
$permissions = $authMgr.RetrieveEntityPermissions($entity.MoRef, $inherited)
foreach($perm in $permissions){
    $perm.Principal, $perm.Group, $perm.Propagate
}
# Set new permission on guest
$newperm = @()
$newperm += New-Object VMware.Vim.Permission
$newperm[0].group = $TRUE
$newperm[0].principal = "<security group>"
$newperm[0].propagate = $TRUE
$newperm[0].roleId = -1
$authMgr.SetEntityPermissions($entity.MoRef, $newperm)
For an overview of the creation and management of permissions with the SDK see chapter 13 in the SDK Programming Guide.
For details about the objects used in the script, see the SDK API Reference.
I have attached the script to avoid confusion due to the formatting of the forum SW.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I was able to get the permission set, but the problem is that only explicit permissions actually show up in that set, since the permissions are usually propagated. So, if you do not see anything, you'll have to pull its parent and run permissions against it, until you get to where the permissions were actually set.
get-vm | % {(get-view $_.ID).permission}
If that gets you nothing, then you'll have to pull that object's parent:
get-vm | % {(get-view $_.ID).parent}
Type    Value
----    -----
Folder  group-d1
If the parent is a folder, or a datacenter, use the below, and work your way up:
get-folder -id folder-group-d1 | % {(get-view $_.ID).permission}
PS C:\> get-folder -id folder-group-d1 | % {(get-view $_.ID).permission}
Entity : VMware.Vim.ManagedObjectReference
Principal : user1
Group : False
RoleId : 101
Propagate : False
DynamicType :
DynamicProperty :
Entity : VMware.Vim.ManagedObjectReference
Principal : Administrators
Group : True
RoleId : -1
Propagate : True
DynamicType :
DynamicProperty :
Hi, it works.
Can you tell me what the "RoleID" means? Are these the different "Roles" in VC, I mean "Virtual Machine User" or "Resource Pool Administrator", for example?
And do you know how to set new permissions?
Thanks
Yes, RoleID is a numerical value assigned to the different roles assigned in virtual center.
thanks
I tried -> PS C:\> get-vm machine | %{(get-view $_.ID).permission} > permission.txt <- but I miss the VM name in my text file. Can you tell me how I get the VM name in this file, maybe a new pipe or?
thx
get-vm machine | %{get-view $_.ID |select name,Permission > permission.txt}
Oh, that's fine. THANKS
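Added example (not code from any poster in this thread): a PowerShell function that pulls together the points discussed above. It asks the AuthorizationManager for explicit and inherited permissions in one call, resolves each RoleId to its role name, and shows which inventory object each permission was actually set on. It assumes an already connected vCenter session; the function name Get-VMPermissionReport and the output column names are hypothetical.

```powershell
# Added example. Assumes an existing vCenter connection in this session,
# so the VMware.Vim types are already loaded.
function Get-VMPermissionReport {   # hypothetical name
    param([Parameter(Mandatory = $true)][string]$VMName)

    # Reach the AuthorizationManager the same way the script in the thread does.
    $svcRef = New-Object VMware.Vim.ManagedObjectReference
    $svcRef.Type  = "ServiceInstance"
    $svcRef.Value = "ServiceInstance"
    $authMgr = Get-View (Get-View $svcRef).Content.AuthorizationManager

    # Build a RoleId -> role name lookup from the roles defined on the server.
    $roleName = @{}
    foreach ($role in $authMgr.RoleList) { $roleName[$role.RoleId] = $role.Name }

    $entityName = @{}   # cache: MoRef value -> inventory object name

    foreach ($vm in Get-VM -Name $VMName) {
        $vmView = Get-View $vm.ID
        # $true asks the server for inherited permissions as well as explicit ones,
        # so there is no need to walk up the parent chain by hand.
        $perms = $authMgr.RetrieveEntityPermissions($vmView.MoRef, $true)
        foreach ($perm in $perms) {
            # Permission.Entity is the object the permission was defined on.
            $key = $perm.Entity.Value
            if (-not $entityName.ContainsKey($key)) {
                $entityName[$key] = (Get-View $perm.Entity).Name
            }
            [pscustomobject]@{
                VM        = $vmView.Name
                Principal = $perm.Principal
                IsGroup   = $perm.Group
                Role      = $roleName[$perm.RoleId]
                RoleId    = $perm.RoleId
                DefinedOn = $entityName[$key]
                Inherited = ($key -ne $vmView.MoRef.Value)
                Propagate = $perm.Propagate
            }
        }
    }
}

# Usage: one row per permission, with the VM name on every row.
# Get-VMPermissionReport -VMName "machine" | Export-Csv permission.csv -NoTypeInformation
```

Rows with Inherited set to True and a DefinedOn high in the inventory (a datacenter or root folder) are the ones to review first when auditing who has access to a VM.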