Here is a question whose solution might be quite helpful. Is there a way to create a list of all of the roles and the objects that they are actually assigned to in PowerShell? I have run the Perl script in the Managing VMware VirtualCenter Roles and Permissions but this script outputs every object and the User/Group and Role associated with it. For my environment it took about 20 min to run and exported about 12,000 objects. What I would like to see is just the Roles that are assigned and the object that it is assigned to and not the child objects. I do not need every object, just the objects that a role is actually assigned to. 12,000 objects is a lot of objects to check when trying to find discrepancies. For instance, if I have a Role assigned to the Datacenters folder, I would like to see:
#RoleName # #Object Assigned to# #User or Group permission Given to#
Thanks to all in advance for the help.
There are several ways to list the inventory of the VI environment.
You can list the 2 branches ("Host and Clusters" and "Virtual Machines and Templates"), similar to what the VI client shows.
See for example
Or you can use the list returned by the Get-Inventory cmdlet.
The sample script below uses the Get-Inventory cmdlet.
It filters out the hidden folders called "vm" and "host" since you normally can't define permissions for these.
filter Get-Permissions{
  $report = @()
  $object = Get-View -Id $_.ID
  # Skip the hidden "vm" and "host" folders
  if($object.Name -ne "vm" -and $object.Name -ne "host"){
    $path = get-path $object
    # $false = only permissions defined on this object, not inherited ones
    $perms = $authMgr.RetrieveEntityPermissions($object.MoRef, $false)
    if($perms.Count -gt 0){
      foreach($perm in $perms){
        # Resolve the permission's RoleId to a role name
        foreach($role in $authMgr.RoleList){
          if($role.RoleId -eq $perm.RoleId){
            $row = "" | select roleName, objName, principalName
            $row.roleName = $role.Name
            $row.objName = $path
            $row.principalName = $perm.Principal
            $report += $row
          }
        }
      }
    }
  }
  $report
}
# Build the inventory path of an entity by walking up its parents
function get-path($entity){
  $path = $entity.Name
  while($entity.Parent -ne $null){
    $entity = Get-View -Id $entity.Parent
    if($entity.Name -ne "vm" -and $entity.Name -ne "host"){
      $path = $entity.Name + "\" + $path
    }
  }
  return $path
}
$authMgr = Get-View AuthorizationManager
Get-Inventory | Get-Permissions
Note1: the order of the returned objects is the order returned by the Get-Inventory cmdlet.
This can be changed by piping the result to the Sort-Object cmdlet.
Get-Inventory | Get-Permissions | Sort-Object -property objName
Note2: the script does not return inherited permissions.
This can easily be changed by changing the 2nd parameter in the RetrieveEntityPermissions method to $true
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Exactly what I was looking for. Once again LucD this is very much appreciated.
Hello.
Thank you for your script to review Virtual center user and permissions.
I am using it in ESX 3.0 and it works perfectly. But with ESX 3.5 it doesn't work, and the following error appears:
"Referencia a objeto no establecida como instancia de un objeto."
Translated, it may be like this:
"Reference to an object not established as an object instance"
in the line: Get-Inventory | Get-Permissions
Could you help me?
If you need any other information do not hesitate to contact me.
Thank you in advance,
kind regards, joni.
I am new to this and had to figure out a couple of things through trial and error. These things may be obvious to the pro-powershell guru, but were not to me.
You can not run this script from the powershell command line.
When I ran:
D:\Scripts> POWERSHELL MyScript.ps1
I got a plethora of errors.
However, if I ran the script from the VI Toolkit command line, it ran (with an extra line added in).
I added the "Connect-VIServer -server YourServerNameHere" line to the beginning of the script.
Once launched (see below) it prompted me for credentials and then ran just fine.
To run the script:
Launch the "VMware VI ToolKit" from the Start/Programs/VMware menu (You do have this toolkit installed, right?)
At the VI ToolKit command prompt, CD to the directory where your .PS1 script resides
Then just key in your script name
VI ToolKit> MyScript.ps1
You are prompted for credentials to the VC server you specified in the script, and the script returns the values.
HTH
Alan
How can I go about getting this into Excel? I exported it as an XML file but when importing it into Excel it says the source does not refer to a schema and then it's all unorganized after import...
Cheers,
Bradley Sessions
This thread is rather old and the PowerCLI team has added in PowerCLI 4u1 some new cmdlets (Get-VIPermission, Get-VIPrivilege and Get-VIRole) that do more or less the same as this script is doing.
If you still want to use the script I would advise to export the data to a CSV file.
You can change the last line like this
Get-Inventory | Get-Permissions | Export-Csv "C:\Permissions.csv" -NoTypeInformation -UseCulture
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
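Once the report is in CSV form, the discrepancy check asked about at the top of the thread can be done by comparing it with an approved baseline. This is an added example, not part of the original thread; the function name Compare-PermissionReport is hypothetical, and all role names, principals and paths below are constructed sample data.

```powershell
# Compare a current permission report with an approved baseline.
# Column names (roleName, objName, principalName) match the rows built by
# the Get-Permissions filter in this thread.
function Compare-PermissionReport {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current,
        # Assumption: the roles you treat as high-privilege in your environment.
        [string[]] $PrivilegedRole = @('Admin')
    )
    $keys = 'roleName', 'objName', 'principalName'
    # '=>' rows exist only in the current report, '<=' rows only in the baseline.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property $keys |
        ForEach-Object {
            [pscustomobject]@{
                Change        = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                roleName      = $_.roleName
                objName       = $_.objName
                principalName = $_.principalName
                Privileged    = $PrivilegedRole -contains $_.roleName
            }
        } |
        # Privileged changes first, then by inventory path.
        Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, objName
}

# Constructed sample data standing in for two exported reports.
$baseline = @'
roleName,objName,principalName
Admin,Datacenters,CORP\vc-admins
ReadOnly,Datacenters\DC1,CORP\helpdesk
VirtualMachineUser,Datacenters\DC1\Test,CORP\devs
'@ | ConvertFrom-Csv

$current = @'
roleName,objName,principalName
Admin,Datacenters,CORP\vc-admins
ReadOnly,Datacenters\DC1,CORP\helpdesk
Admin,Datacenters\DC1\Prod,CORP\jdoe
'@ | ConvertFrom-Csv

Compare-PermissionReport -Baseline $baseline -Current $current | Format-Table -AutoSize
```

For real reports written with the Export-Csv line above, load both files with Import-Csv -UseCulture so the delimiter matches the one used on export.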