VMware Cloud Community
rogermccarrick
Contributor

PowerCLI - New-VIPermission

Hi

new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity exchange_pool

This is the syntax I would use to give the role SpecialAdmin to special.tech security group in mydomain, to the resource pool, exchange_pool.

It so happens that after years of building the vSphere environment, there are pool names and portgroup names that are the same. It's not impossible that different types of objects could have the same name. So for example if I have a portgroup called exchange_pool and a resource pool called exchange_pool ..

new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity exchange_pool  .... will add the permission to the resource pool and not touch the portgroup.

I don't want to change hundreds of portgroup names. So how can I specify that I mean to target the portgroup, or a folder for that matter, or a VM?

Something like

new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity -type VDPortgroup exchange_pool

new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity -type Resource-Pool exchange_pool

new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity -type Folder exchange_pool.

A shot in the dark.

thanks

0 Kudos
jasnyder
Hot Shot

In your script, before the new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity exchange_pool line, add this:

$exchangePool = Get-ResourcePool exchange_pool

then change the line to:

new-vipermission -role SpecialAdmin -principal "mydomain\special.tech" -entity $resourcePool

This will go out and get all the resource pools named "exchange_pool" and then on the new-vipermission line, feed all those into the -entity parameter and will cause the permission to be created on the matching objects.  Because we use the Get-ResourcePool cmdlet, you're scoping the objects to only Resource Pools.

0 Kudos
rogermccarrick
Contributor

Thank you Justin.

I think you meant

$exchangePool = Get-ResourcePool resource_pool ... instead of ...  $exchangePool = Get-ResourcePool exchange_pool.

Either way. My problem is the command sees what you feed it as a string rather than a type or object type. And "$variable = Get-whatever" will equate to a string in this case.

If there is a pool and a portgroup with the same name, the command will always act on the pool. Or so it seems from what I have tested.

0 Kudos
jasnyder
Hot Shot

I think you meant

$exchangePool = Get-ResourcePool resource_pool ... instead of ...  $exchangePool = Get-ResourcePool exchange_pool.

I took "exchange_pool" from your example, assuming the name of the pool was "exchange_pool".

Either way. My problem is the command sees what you feed it as a string rather than a type or object type. And "$variable = Get-whatever" will equate to a string in this case.

If there is a pool and a portgroup with the same name, the command will always act on the pool. Or so it seems from what I have tested.

I'm not able to reproduce the behavior you're seeing.  In my environment I have 2 resource pools named "ESX Agents" and one dvPortGroup named "ESX Agents".

I do

$resourcePool = Get-ResourcePool "ESX Agents"

$pGroup = Get-VDPortGroup "ESX Agents"

Then run one of each with the different entity types:

PowerCLI C:\> New-VIPermission -role Admin -principal "LAB\tuser1" -entity $resourcePool
WARNING: Parameter 'Principal' is obsolete. This parameter no longer accepts multiple values.
WARNING: Parameter 'Entity' is obsolete. This parameter no longer accepts multiple values.

Role                      Principal       Propagate IsGroup
----                      ---------       --------- -------
Admin                     LAB\tuser1      True      False
Admin                     LAB\tuser1      True      False

PowerCLI C:\> $pgroup = Get-VDPortGroup "ESX Agents"
PowerCLI C:\> New-VIPermission -role Admin -principal "LAB\tuser1" -entity $pgroup
WARNING: Parameter 'Principal' is obsolete. This parameter no longer accepts multiple values.
WARNING: Parameter 'Entity' is obsolete. This parameter no longer accepts multiple values.

Role                      Principal       Propagate IsGroup
----                      ---------       --------- -------
Admin                     LAB\tuser1      True      False

I know the first one only affects Resource Pools because I check the dvPortGroup after running the first command and it doesn't add the permission.  I run the second one, refresh on permissions tab of the dvPortGroup again and this time it appears.

0 Kudos
rogermccarrick
Contributor

Thanks very much for this.

I was trying this before.

I did $pg=Get-VDPortgroup "exchange_pools"

But then I did  ..... --entity $pg.Name.

So just using $pg instead of $pg.Name works.

thanks again.

0 Kudos
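
Added example, not part of the thread and not code from any of its participants or from VMware: a wrapper around the approach in the replies above that resolves the name with the type-specific cmdlet, refuses to grant when the name matches more than one object of that type unless told otherwise, passes the object (not its .Name) to -Entity, and reads the permission back from that exact object. The function name Grant-TypedPermission and its parameters are hypothetical; it assumes PowerCLI is loaded and a Connect-VIServer session exists.

```powershell
# Added example. Grant-TypedPermission and its parameter names are hypothetical.
# Assumes VMware PowerCLI is imported and Connect-VIServer has already been run.
function Grant-TypedPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ResourcePool', 'VDPortgroup', 'Folder', 'VM')]
        [string]$Type,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$Role,
        [switch]$AllowMultiple
    )

    # Resolve the name with the type-specific cmdlet so only that object type can match.
    $targets = @(switch ($Type) {
        'ResourcePool' { Get-ResourcePool -Name $Name -ErrorAction Stop }
        'VDPortgroup'  { Get-VDPortgroup  -Name $Name -ErrorAction Stop }
        'Folder'       { Get-Folder       -Name $Name -ErrorAction Stop }
        'VM'           { Get-VM           -Name $Name -ErrorAction Stop }
    })

    # One type can still hold several objects with the same name
    # (the thread's lab had two resource pools named "ESX Agents").
    if ($targets.Count -gt 1 -and -not $AllowMultiple) {
        $ids = ($targets | ForEach-Object { $_.Id }) -join ', '
        throw "'$Name' matches $($targets.Count) $Type objects ($ids). Use -AllowMultiple to grant on all of them."
    }

    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess("$Type '$($t.Name)' [$($t.Id)]", "Grant role $Role to $Principal")) {
            # Pass the object itself, not $t.Name: a bare name string loses the type scoping.
            New-VIPermission -Entity $t -Principal $Principal -Role $Role | Out-Null

            # Read back only the permission defined on this exact object (not inherited ones).
            Get-VIPermission -Entity $t -Principal $Principal |
                Where-Object { $_.EntityId -eq $t.Id } |
                Select-Object EntityId, Role, Principal, Propagate, IsGroup
        }
    }
}

# Constructed usage with the names from the question; -WhatIf lists the targets without changing anything:
# Grant-TypedPermission -Type VDPortgroup -Name exchange_pool -Principal 'mydomain\special.tech' -Role SpecialAdmin -WhatIf
```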