VMware Cloud Community
IM-coded
Contributor

vCenter Roles and Permissions Export and Import (2021)

Hello LucD,

I'm new to this and I'm stuck importing vCenter roles and permissions; there is an error. I will share whatever code I have with me; I need some help on this. We have created two output types: CSV for human reading and XML for importing into vCenter. Kindly help with the import script part. I did try your import script but there is an error (posted at the end of this thread).

This is the exporting of role and permission script:

#vCenter Role & Permission export#

Write-Host "`tExporting Permissions and Roles for vCenter.."

$vCenterHost = Read-Host "Enter vCenter Name:"

try {

    # Establish the connection to vCenter; stop on failure so the catch block runs
    Connect-VIServer -Server $vCenterHost -ErrorAction Stop

    # Permissions
    $Permission = Get-VIPermission | Select-Object @{N='vCenter';E={$_.Uid.Split('@:')[1]}},
        Principal,Role,Propagate,
        @{N='Entity';E={$_.Entity.Name}},
        @{N='Entity Type';E={$_.EntityId.Split('-')[0]}}

    # Export to CSV
    $Permission | Export-Csv -Path "C:\Temp\$vCenterHost-Permission.csv" -NoTypeInformation

    # Export to XML
    $PermissionXML = Get-VIPermission
    $PermissionXML | Export-Clixml -Path "C:\Temp\$vCenterHost-Permission.xml"

    # Roles (privilege IDs are joined with a line feed, one per line)
    $Role = Get-VIRole | Select-Object @{N='vCenter';E={$_.Uid.Split('@:')[1]}},
        Name,
        @{N='PrivilegeList';E={[string]::Join([char]10,$_.PrivilegeList)}}

    # Export to CSV
    $Role | Export-Csv -Path "C:\Temp\$vCenterHost-Roles.csv" -NoTypeInformation

    # Export to XML
    $RoleXML = Get-VIRole
    $RoleXML | Export-Clixml -Path "C:\Temp\$vCenterHost-Roles.xml"

    Write-Verbose "`tRole & Permission Data Exported Successfully from $vCenterHost" -Verbose

    Write-Verbose "Disconnecting from $vCenterHost" -Verbose
    # -Server needs a value; the original call passed none
    Disconnect-VIServer -Server $vCenterHost -Confirm:$false

}

catch {

    Write-Verbose "`tError Encountered! Error:$_" -Verbose
    $ErrorObject = New-Object -TypeName PSObject -Property @{
        vCenterName = $vCenterHost
        Error = $_
    }

}

 

Import script error output:

New-VIPermission : Cannot process argument transformation on parameter 'Principal'. This parameter no longer accepts
an array. As an alternative you may pass multiple values by pipeline (if supported by the parameter).
At D:\Script\Import of role and permission of vcenter (1).ps1:12 char:18
+ New-Vipermission $Permission
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [New-VIPermission], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Permis
sionManagement.NewVIPermission

 

Import Script which I'm referring to:

Import-excel -Path $reportName -WorksheetName Permissions -PipelineVariable row |
Foreach-Object -process {
$Permission = @{
Entity = Get-Inventory -Name $row.Entity
Role = Get-VIRole -name $row.Role
#Principal = $row.Principal
Propagate = $row.Propagate
Confirm = $false }

New-VIPermission $Permission
}

LucD
Leadership

I'm not sure why you are importing from an XLSX file, while you exported to a CSV.

When I just tested, the following seems to work for me

$reportName = 'C:\Temp\<Your-VCSA-name>-Permission.csv'

Import-Csv -Path $reportName -PipelineVariable row |
ForEach-Object -Process {
  $Permission = @{
    Entity = Get-Inventory -Name $row.Entity
    Role = Get-VIRole -Name $row.Role
    Principal = $row.Principal
    # Import-Csv returns strings; [Boolean]'False' would be $true, so parse the text instead
    Propagate = [System.Convert]::ToBoolean($row.Propagate)
    Confirm = $false
    WhatIf = $true
  }

  New-VIPermission @Permission
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

IM-coded
Contributor

Hello LucD,

Thank you for the response. Just to confirm, will this script import roles as well, or just permissions only?

Looking forward to hearing from you.

Thanks.

LucD
Leadership

The permissions only.
To import the roles is similar, just the other CSV


IM-coded
Contributor

Should the import script for the vCenter 'Role' be something like this? Please let me know. Thank you.

$reportName = 'C:\Temp\<Your-CVSA-name>-Role.csv'

Import-Csv -Path $reportName -PipelineVariable row |
ForEach-Object -Process {
$Role = @{
Name = $row.Name
Privilage = $row.PrivilegeList
Server = $row.vCenter
Confirm = $false
WhatIf = $true
}

New-VIRole @role
}

LucD
Leadership

You have to get the actual privileges with the Get-VIPrivilege cmdlet.
Something like this

$reportName = 'C:\Temp\<Your-VCSA-name>-Roles.csv'

Import-Csv -Path $reportName -PipelineVariable row |
ForEach-Object -Process {
  $Role = @{
    Name = $row.Name
    Privilege = $row.PrivilegeList.Split("`n") | ForEach-Object { Get-VIPrivilege -Id $_ }
    Server = $row.vCenter
    Confirm = $false
    WhatIf = $true
  }

  New-VIRole @role
}

Once you are sure the script works, remove the WhatIf line (same for the previous script).


IM-coded
Contributor

Thank you LucD 🙂

What would be the order to run the import scripts?
Should it be the Roles first and Permissions second? Or is there no such order when both the role and permission import scripts are put into one script? Please advise.

Appreciate your help on this one 🙂

Thank you again.

LucD
Leadership

If you use custom Roles in the permissions, you should import the Roles first


asharma25
Contributor

Hi LucD,

Can we export/import roles and permissions from one vCenter to another, if both are connected to the same identity source (AD)?

LucD
Leadership

For the Roles the Identity Source doesn't play a part.
So yes, you can easily export-import those.
Of course only the custom roles, not the system roles.

For the permissions have a look at Solved: Re: need help with scripting export of datacenter ... - VMware Technology Network VMTN


Pilu1978
Enthusiast

Hi LucD,

I am getting the following error when running the below code against a newly deployed vCenter (vSphere 7). I have multiple Datacenter objects in the VC. Please advise.

$reportName = 'C:\Temp\<Your-CVSA-name>-Permission.csv'

Import-Csv -Path $reportName -PipelineVariable row |
ForEach-Object -Process {
  $Permission = @{
    Entity = Get-Inventory -Name $row.Entity
    Role = Get-VIRole -Name $row.Role
    Principal = $row.Principal
    Propagate = [Boolean]$row.Propagate
    Confirm = $false
    WhatIf = $true
  }

  New-VIPermission @Permission
}

New-VIPermission : Cannot process argument transformation on parameter 'Entity'. This parameter no longer accepts an
array. As an alternative you may pass multiple values by pipeline (if supported by the parameter).
At E:\cn\test-perm.ps1:14 char:20
+   New-VIPermission @Permission
+                    ~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [New-VIPermission], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Permis
   sionManagement.NewVIPermission

 

LucD
Leadership

That seems to indicate that

Get-Inventory -Name $row.Entity

returns more than 1 object for entries in your CSV


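Two things in this thread can silently put a permission in the wrong place: a name that matches several inventory objects, and the string-to-Boolean cast on the Propagate column. The following is an added example, not code from any poster in the thread, that checks one CSV row and refuses it unless exactly one object matches and Propagate parses cleanly. `Resolve-PermissionRow`, the sample rows and the object IDs are constructed for illustration, and it assumes inventory objects expose an `Id` whose type prefix equals the exported 'Entity Type' column.

```powershell
function Resolve-PermissionRow {
    param(
        [Parameter(Mandatory)] $Row,   # one object from Import-Csv
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Candidates  # e.g. @(Get-Inventory -Name $Row.Entity)
    )
    # Import-Csv yields strings, and any non-empty string (including 'False') casts to $true.
    $propagate = $false
    if (-not [bool]::TryParse($Row.Propagate, [ref]$propagate)) {
        return [pscustomobject]@{ Ok = $false; Reason = "bad Propagate value '$($Row.Propagate)'" }
    }
    # Same-named objects are told apart by the type prefix of their Id,
    # which is what the export script stored in the 'Entity Type' column.
    $match = @($Candidates | Where-Object { $_.Id.Split('-')[0] -eq $Row.'Entity Type' })
    if ($match.Count -ne 1) {
        return [pscustomobject]@{ Ok = $false; Reason = "$($match.Count) objects match" }
    }
    [pscustomobject]@{ Ok = $true; Entity = $match[0]; Propagate = $propagate }
}

# Constructed sample data (not from a real vCenter): names are reused across objects.
$inventory = @(
    [pscustomobject]@{ Name = 'Prod'; Id = 'Datacenter-datacenter-2' }
    [pscustomobject]@{ Name = 'Prod'; Id = 'Folder-group-v7' }
    [pscustomobject]@{ Name = 'Lab';  Id = 'Folder-group-v9' }
    [pscustomobject]@{ Name = 'Lab';  Id = 'Folder-group-h11' }
)
$rows = @'
"Principal","Role","Propagate","Entity","Entity Type"
"EXAMPLE\vm-admins","Admin","False","Prod","Datacenter"
"EXAMPLE\lab-users","ReadOnly","True","Lab","Folder"
"EXAMPLE\ops","ReadOnly","yes","Prod","Folder"
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $candidates = @($inventory | Where-Object Name -eq $row.Entity)  # stand-in for Get-Inventory
    $r = Resolve-PermissionRow -Row $row -Candidates $candidates
    if ($r.Ok) {
        # Against a live vCenter, New-VIPermission would be called here with
        # -Entity $r.Entity and -Propagate $r.Propagate (keep -WhatIf while testing).
        "APPLY  $($row.Principal) on $($r.Entity.Id) propagate=$($r.Propagate)"
    } else {
        "SKIP   $($row.Principal) on $($row.Entity): $($r.Reason)"
    }
}
```

Two folders with the same name still match twice and are skipped; telling those apart needs more than the name and type that the CSV carries.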