VMware Cloud Community
giacomo0815
Contributor

how to read/write permissions

Hi,

How can I read and write the permissions of the VMs and the ESX Servers?

Any ideas ?

0 Kudos
7 Replies
LucD
Leadership

As far as I know not with the current cmdlets.

The only method I currently know about is by using the SDK (again).

This sample script shows how to read and set permissions on a VM guest; the <security group> entry is the name of an Active Directory security group (format: domainname\groupname).

$VCimpl = Get-VIServer -Server "<VC Server>"

# Force load
[Reflection.Assembly]::LoadWithPartialName("vmware.vim")

$svcRef = new-object VMware.Vim.ManagedObjectReference 
$svcRef.Type = "ServiceInstance" 
$svcRef.Value = "ServiceInstance" 
$serviceInstance = get-view $svcRef

$authMgr = get-view $serviceInstance.Content.authorizationManager

$entity = Get-View (Get-VM -Name "<VM Name>").ID
$inherited = $TRUE

# Read and list all permissions

$permissions = $authMgr.RetrieveEntityPermissions($entity.MoRef, $inherited)
foreach($perm in $permissions){
  $perm.Principal, $perm.Group, $perm.Propagate
}

# Set new permission on guest

$newperm = @()
$newperm += New-Object VMware.Vim.Permission
$newperm[0].group = $TRUE
$newperm[0].principal = "<security group>"
$newperm[0].propagate = $TRUE
$newperm[0].roleId = -1   # -1 is the ID of the built-in Administrator role

$authMgr.SetEntityPermissions($entity.MoRef, $newperm)

For an overview of the creation and management of permissions with the SDK see chapter 13 in the SDK Programming Guide.

For details about the objects used in the script see the SDK API Reference

I have attached the script to avoid confusion due to the formatting of the forum SW.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
kjb007
Immortal

I was able to get the permission set, but the problem is that only explicit permissions actually show up in that set, since the permissions are usually propagated. So, if you do not see anything, you'll have to pull its parent and run permissions against it, until you get to where the permissions were actually set.

get-vm | % {(get-view $_.ID).permission}

If that gets you nothing, then you'll have to pull that object's parent:

get-vm | % {(get-view $_.ID).parent}

Type   Value
----   -----
Folder group-d1

If the parent is a folder, or a datacenter, use the below, and work your way up:

get-folder -id folder-group-d1 | % {(get-view $_.ID).permission}

PS C:\> get-folder -id folder-group-d1 | % {(get-view $_.ID).permission}

Entity          : VMware.Vim.ManagedObjectReference
Principal       : user1
Group           : False
RoleId          : 101
Propagate       : False
DynamicType     :
DynamicProperty :

Entity          : VMware.Vim.ManagedObjectReference
Principal       : Administrators
Group           : True
RoleId          : -1
Propagate       : True
DynamicType     :
DynamicProperty :

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
0 Kudos
hank-ger
Enthusiast

Hi, it works.

Can you tell me what the "RoleID" means? Are these the different "Roles" in VC? I mean "Virtual Machine User" or "Resource Pool Administrator", e.g.

And do you know how to set new permissions?

thanks

0 Kudos
kjb007
Immortal

Yes, RoleID is a numerical value assigned to the different roles assigned in virtual center.

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
0 Kudos
hank-ger
Enthusiast

thanks

I try -> PS C:\> get-vm machine | %{(get-view $_.ID).permission > permission.txt} <- but I miss the VM name in my text file. Can you tell me how I get the VM name in this file, maybe a new pipe or?

thx

0 Kudos
kjb007
Immortal

get-vm machine | %{get-view $_.ID | select name,Permission > permission.txt}

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
0 Kudos
hank-ger
Enthusiast

Oh, that's fine, THANKS

0 Kudos
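Added example (not part of the thread and not any poster's code): when `RetrieveEntityPermissions` is called with the inherited flag set to `$true`, each returned permission carries the `Entity` it was defined on, so the parent chain does not have to be walked by hand, and `RoleId` can be mapped to a role name through the AuthorizationManager's `RoleList`. `Resolve-EntityPermission` is a hypothetical helper name, and the sample IDs and the custom role name are constructed.

```powershell
# Added example, not from the thread. Resolve-EntityPermission is a hypothetical helper.
function Resolve-EntityPermission {
    param(
        [Parameter(Mandatory)] [string]   $EntityId,    # "Type-Value" of the audited object
        [Parameter(Mandatory)] [object[]] $Permission,  # from RetrieveEntityPermissions(..., $true)
        [Parameter(Mandatory)] [object[]] $Role         # from $authMgr.RoleList
    )
    $roleName = @{}                                     # RoleId -> role name lookup
    foreach ($r in $Role) { $roleName[[int]$r.RoleId] = $r.Name }

    foreach ($p in $Permission) {
        $definedOn = '{0}-{1}' -f $p.Entity.Type, $p.Entity.Value
        $name = $roleName[[int]$p.RoleId]
        if (-not $name) { $name = "<unknown role $($p.RoleId)>" }
        [pscustomobject]@{
            Principal = $p.Principal
            IsGroup   = [bool]$p.Group
            Role      = $name
            DefinedOn = $definedOn                      # where the permission was actually set
            Inherited = ($definedOn -ne $EntityId)      # True when it comes from a parent
            Propagate = [bool]$p.Propagate
        }
    }
}

# Constructed sample data (IDs and the custom role name are made up), shaped like
# the Permission output shown in the thread.
$vmRef     = [pscustomobject]@{ Type = 'VirtualMachine'; Value = 'vm-42' }
$folderRef = [pscustomobject]@{ Type = 'Folder';         Value = 'group-d1' }
$perms = @(
    [pscustomobject]@{ Entity = $vmRef;     Principal = 'user1';          Group = $false; RoleId = 101; Propagate = $false }
    [pscustomobject]@{ Entity = $folderRef; Principal = 'Administrators'; Group = $true;  RoleId = -1;  Propagate = $true }
)
$roles = @(
    [pscustomobject]@{ RoleId = -1;  Name = 'Admin' }
    [pscustomobject]@{ RoleId = 101; Name = 'ExampleCustomRole' }
)
Resolve-EntityPermission -EntityId 'VirtualMachine-vm-42' -Permission $perms -Role $roles |
    Format-Table -AutoSize

# Live use, assuming a connected PowerCLI session and a VM named 'machine':
#   $authMgr = Get-View (Get-View ServiceInstance).Content.AuthorizationManager
#   $vm      = Get-View (Get-VM -Name 'machine').Id
#   $found   = $authMgr.RetrieveEntityPermissions($vm.MoRef, $true)
#   Resolve-EntityPermission -EntityId "$($vm.MoRef.Type)-$($vm.MoRef.Value)" `
#       -Permission $found -Role $authMgr.RoleList
```

Rows with `Inherited` set to True and an administrative role are the ones to review first, since they reach every object below the folder or datacenter where they were defined.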