VMware Cloud Community
shaggy_041086
Enthusiast

Set-VIPermissions -Entity question

We have a few permissions defined at the Datacenter level, a few at the Folder level (in the Hosts & Cluster view) and a few at the VM level (in the VMs and Templates view).

Our Hosts and Cluster view is very different than the VMs and Templates view, because of complex categorization.

Now, a few groups have access to certain Folders (containing DRS clusters), and as they are all Propagated, they can access all Hosts and VMs in that Folder. But they can't see the VMs in the VMs and Templates view, only in the Hosts and Cluster view.

I guess it is because the Permissions were defined on the folder that exists only in the Hosts and Cluster view.

As you see in the attached files, the permissions defined for the VM in "source.png" in the VMs and Templates view are what I want to achieve! That is, the permissions defined at the VM level.

But I have got a few VMs, as you can see in "Target-1.png" and "Target-2.png", in which you see it's defined in the "XenApp" and "Citrix" Folders, which exist in the Hosts and Cluster view.

You can easily delete the permission, and create one at VM and Templates view and fix this problem, but I have 1500+ VMs that are having this issue, hence I created a script in PowerCLI -

# $a collects VM/principal pairs that already have a permission, $b those that do not
$a = @()
$b = @()

# Principals and the role each one should get (matched by index)
$Group1 = "CTX_XAFarm_Admin","Domain\CTX_Hypervisor_Admin","Domain\CTX_XAServerBuilder_Admin"
$Role1 = "Domain User","Domain PowerUser","Domain PowerUser"
$Permission1 = ($Group1),($Role1)

$VM1 = Get-Folder Citrix -Type HostAndCluster | Get-VM BCCTXMS6008A
$i = 0
$VM1 | %{
    $VM = $_
    $n = 0
    $i++
    Write-Progress -Activity "Checking $($VM.name).." -Status "Group1 Progress-->" -PercentComplete (($i/$VM1.count)*100)
    $Group1 | %{
        # Returns inherited permissions as well as ones defined on the VM itself
        $Perm = Get-VIPermission -Entity $VM -Principal $Permission1[0][$n]
        if ($perm)
        {
            $row = "" | Select VM, Role, Principal
            $row.VM = $VM.name
            $row.Principal = $Permission1[0][$n]
            $row.Role = $Permission1[1][$n]
            $a += $row
        }
        else
        {
            $row = "" | Select VM, Role, Principal
            $row.VM = $VM.name
            $row.Principal = $Permission1[0][$n]
            $row.Role = $Permission1[1][$n]
            $b += $row
        }
        $n++
    }
}

# Second set of principals, all with the same role
$Group2 = "Domain\CTX_XAImage_Admin","Domain\CTX_XAAppInstaller_Admin","Domain\CTX_XASupport_Admin"
$VM2 = Get-Folder XenApp -Type HostAndCluster | Get-VM
$j = 0
$VM2 | %{
    $VM = $_
    $j++
    Write-Progress -Activity "Checking $($VM.name).." -Status "Group2 Progress-->" -PercentComplete (($j/$VM2.count)*100)
    $Group2 | %{
        $Perm = Get-VIPermission -Entity $VM -Principal $_
        if ($perm)
        {
            $row = "" | Select VM, Role, Principal
            $row.VM = $VM.name
            $row.Principal = $_
            $row.Role = "Domain User"
            $a += $row
        }
        else
        {
            $row = "" | Select VM, Role, Principal
            $row.VM = $VM.name
            $row.Principal = $_
            $row.Role = "Domain User"
            $b += $row
        }
    }
}

And then I thought I would use $b | Export-Csv and would create permissions for all VMs in that list.

But it seems Get-VIPermission doesn't care where the permission is defined, even if you choose -Entity as (Get-VM).

Is there any way I can use Get-ViPermissions on the VMs so that it also takes the "Defined In" column in the screenshots into consideration?

Any help is greatly appreciated!

Thanks.


Accepted Solutions
LucD
Leadership

You see on which entity the permission was defined.

Then check if that entity corresponds with the VM you are investigating.

Something like this

$vm = Get-VM -Name VM
Get-VIPermission -Entity $vm | where {$_.EntityId -eq $vm.Id}
   


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
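
The EntityId comparison from the accepted answer, extended into a per-principal report of where each permission is defined. This is an added example, not code from the thread or from PowerCLI: `Get-PermissionOrigin` is a hypothetical helper, and the sample VM and permission objects are constructed to mimic the `Principal`, `Role`, `EntityId` and `Entity` properties of what `Get-VIPermission` returns.

```powershell
# Added example: hypothetical helper, not part of PowerCLI or the thread.
# Classifies each expected principal on a VM as:
#   Direct    - permission defined on the VM object itself
#   Inherited - permission propagated from a parent (e.g. a Hosts and Clusters folder)
#   Missing   - no permission for that principal reaches the VM
function Get-PermissionOrigin {
    param(
        [Parameter(Mandatory)] $VM,               # needs .Name and .Id
        [object[]] $Permissions = @(),            # output of Get-VIPermission -Entity $VM
        [Parameter(Mandatory)] [string[]] $Principals
    )
    foreach ($p in $Principals) {
        $hits   = @($Permissions | Where-Object { $_.Principal -eq $p })
        # Same test as the accepted answer: defined on this VM, not on a parent.
        $direct = $hits | Where-Object { $_.EntityId -eq $VM.Id } | Select-Object -First 1
        $pick   = if ($direct) { $direct } else { $hits | Select-Object -First 1 }
        $origin = if ($direct) { 'Direct' } elseif ($hits.Count) { 'Inherited' } else { 'Missing' }
        [pscustomobject]@{
            VM = $VM.Name; Principal = $p; Origin = $origin
            Role = $pick.Role; DefinedIn = $pick.Entity.Name
        }
    }
}

# Constructed sample data (no vCenter connection needed to try the logic).
$vm = [pscustomobject]@{ Name = 'vm-example-01'; Id = 'VirtualMachine-vm-101' }
$perms = @(
    [pscustomobject]@{ Principal = 'Domain\GroupA'; Role = 'Domain User'
                       EntityId  = 'Folder-group-h12'
                       Entity    = [pscustomobject]@{ Name = 'Citrix' } }
    [pscustomobject]@{ Principal = 'Domain\GroupB'; Role = 'Domain PowerUser'
                       EntityId  = 'VirtualMachine-vm-101'
                       Entity    = [pscustomobject]@{ Name = 'vm-example-01' } }
)
$report = Get-PermissionOrigin -VM $vm -Permissions $perms `
    -Principals 'Domain\GroupA','Domain\GroupB','Domain\GroupC'
$report | Format-Table -AutoSize

# Rows that still need a permission defined on the VM itself:
$report | Where-Object { $_.Origin -ne 'Direct' } | Format-Table -AutoSize

# Live use (after Connect-VIServer), with $Group2 as in the question:
# Get-Folder XenApp -Type HostAndCluster | Get-VM | ForEach-Object {
#     Get-PermissionOrigin -VM $_ -Permissions @(Get-VIPermission -Entity $_) -Principals $Group2
# } | Export-Csv .\permission-origin.csv -NoTypeInformation
```

Rows marked Inherited carry the parent object's name in DefinedIn, which corresponds to the "Defined In" column the question asks about.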
