lbornich
Contributor

permissions / roles scripting help


Hi guys,

I just recently discovered the beauty of the VI toolkit, and immediately saw a need for it. I need a script to cycle through each VM in a given datacenter, and assign an existing role a permission level on that VM.

Hierarchy is as follows:

Datacenters\<Region>\<Site>\<VM name>

or

Datacenters\<Region>\<Site>\<Folder>\<VM name>

I need the script to analyze the name of the VM, then assign the role VirtualMachineUser to the domain group DOMAIN\<VM name>_Admins

Any help would be greatly appreciated!

thanks!


Accepted Solutions
ctrople
Enthusiast

Looks like this requires using some API level code to access the AuthorizationManager.

http://communities.vmware.com/message/1076484#1076484

I adapted the code sample from the post above and the code below just worked in my lab, but please limit testing to a couple of servers before you set it loose.

#pipe the VMs into Get-View to get the .Net representation of the objects
#you'll need this for the MoRef required by the SetEntityPermissions method
#recommend for testing that you limit to a specific set of VMs using Get-VM -Name (list of comma separated names)
$vms = Get-VM | Get-View
#access the authorization manager
$authMgr = Get-View AuthorizationManager
#use a filter against the AuthorizationManager to find the desired role
#(VirtualMachineUser is the role asked for in the question)
$role = $authMgr.RoleList | ? { $_.Name -eq 'VirtualMachineUser' }
foreach ($vm in $vms)
{
    #create the permission
    $perm = New-Object VMware.Vim.Permission
    #the principal is a domain group, so group must be $true
    $perm.group = $true
    $perm.principal = 'DOMAIN\' + $vm.Name + '_Admins'
    #echo the principal so you can see what is being assigned
    $perm.principal
    $perm.propagate = $false
    $perm.roleId = $role.RoleId
    #for each VM view, call the method to update the permissions
    $authMgr.SetEntityPermissions($vm.MoRef, @($perm))
}

Hope this helps!

Chyna Trople, VCP Monitor. Correlate. Act. | vWire.com
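
A more guarded variant of the approach in the accepted answer, as an added example that is not part of the original post: it limits the run to one datacenter, stops if the role is missing, skips VMs that already carry the permission, and supports -WhatIf. The function name, its parameters, the VM name pattern and the datacenter name 'Region1' are assumptions, and it needs an existing Connect-VIServer session.

```powershell
# Added example, not the original poster's code. Assumes a connected Connect-VIServer session.
function Set-VmAdminGroupPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DatacenterName,  # hypothetical parameter names
        [string]$Domain   = 'DOMAIN',
        [string]$RoleName = 'VirtualMachineUser'
    )
    $authMgr = Get-View AuthorizationManager
    $role = $authMgr.RoleList | Where-Object { $_.Name -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' not found; nothing was changed." }

    $dc = Get-Datacenter -Name $DatacenterName -ErrorAction Stop
    foreach ($vm in (Get-VM -Location $dc | Get-View)) {
        # Only build a principal from names matching the expected pattern (assumed here),
        # so an odd VM name is skipped instead of being turned into a group name.
        if ($vm.Name -notmatch '^[A-Za-z0-9-]{1,64}$') {
            Write-Warning "Skipping '$($vm.Name)': unexpected characters in VM name"
            continue
        }
        $principal = "$Domain\$($vm.Name)_Admins"

        # Permissions defined directly on this VM (inherited ones excluded).
        $existing = $authMgr.RetrieveEntityPermissions($vm.MoRef, $false)
        $match = $existing | Where-Object {
            $_.Principal -eq $principal -and $_.Group -and $_.RoleId -eq $role.RoleId
        }
        if ($match) { Write-Verbose "$($vm.Name): already set"; continue }

        $perm = New-Object VMware.Vim.Permission
        $perm.Principal = $principal
        $perm.Group     = $true        # the principal is a domain group
        $perm.Propagate = $false
        $perm.RoleId    = $role.RoleId

        if ($PSCmdlet.ShouldProcess($vm.Name, "Grant $RoleName to $principal")) {
            $authMgr.SetEntityPermissions($vm.MoRef, @($perm))
        }
        # One record per intended grant; with -WhatIf this is the review list.
        New-Object PSObject -Property @{ VM = $vm.Name; Principal = $principal; Role = $RoleName }
    }
}

# Dry run first ('Region1' is a constructed datacenter name): nothing is changed.
Set-VmAdminGroupPermission -DatacenterName 'Region1' -WhatIf
```

Review the -WhatIf output, then rerun without -WhatIf to apply the grants.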

lbornich
Contributor

Thanks! That definitely shoved me in the right direction!

ctrople
Enthusiast

Great! Glad to help!
