It appears that working with vSphere global permissions in PowerCLI is not yet possible. It is also my understanding that there is currently no public API in vCenter that allows you to manipulate global permissions. However, thanks to William Lam's excellent blog post from 2017, I learned that it is possible to add and remove global permissions via the Managed Object Browser (MOB). What's more, William provides two example PowerShell functions showing how to trigger the required MOB methods using standard Invoke-WebRequest calls. This is great, but unfortunately he only covered adding and removing permissions, and I really needed to be able to list the current global permissions on a vCenter server for auditing purposes. So I got to work and created a new PowerShell module named VIPerms. This module combines the add/remove examples from William's post with a new function that lists all global permissions. In this post I will demonstrate how to install and use this module.
As with most PowerShell modules, VIPerms is available to install from the PowerShell Gallery.
Install-Module -Name "VIPerms" -Scope "CurrentUser"
Once installed, you can import the module into your session.
Import-Module -Name "VIPerms"
Connecting to a vCenter Server
The first step is to connect to your vCenter server.
Connect-VIMobServer -Server "vcenter.example.com"
This will prompt for credentials. You will need to use the email@example.com account in order to access and manage the global permissions.
If you use self-signed certificates in your environment, you will need to skip certificate checking.
Connect-VIMobServer -Server "vcenter.example.com" -SkipCertificateCheck
Listing Global Permissions
To list all global permissions for your vCenter server, use the Get-VIGlobalPermission function.
Get-VIGlobalPermission
Principal                                                              PrincipalType Role  Propagate
---------                                                              ------------- ----  ---------
VSPHERE.LOCAL\vpxd-extension-b2df90b0-1e03-11e6-b844-005056bf2aaa      User          Admin true
VSPHERE.LOCAL\vpxd-b2df90b0-1e03-11e6-b844-005056bf2aaa                User          Admin true
VSPHERE.LOCAL\vsphere-webclient-b2df90b0-1e03-11e6-b844-005056bf2aaa   User          Admin true
VSPHERE.LOCAL\Administrators                                           Group         Admin true
VSPHERE.LOCAL\Administrator                                            User          Admin true
...
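Since listing was the missing piece for auditing, here is an added example (not part of VIPerms) that compares the output of Get-VIGlobalPermission against an approved baseline and flags any principal holding a global Admin role that is neither on the approved list nor one of the vCenter-created service accounts seen in the output above. It assumes Connect-VIMobServer has already been run, that Get-VIGlobalPermission returns objects with the Principal, PrincipalType, Role and Propagate properties shown above, and the -Permissions parameter, the baseline list and the sample data are constructed for this example.

```powershell
# Added audit helper, not part of the VIPerms module.
function Compare-VIGlobalPermissionBaseline {
    param(
        # Constructed baseline: principals expected to hold a global Admin role.
        [string[]]$ApprovedAdmins = @(
            'VSPHERE.LOCAL\Administrator',
            'VSPHERE.LOCAL\Administrators'
        ),
        # Accounts vCenter creates for itself (vpxd-*, vpxd-extension-*, vsphere-webclient-*),
        # matched by name pattern rather than listed one by one.
        [string]$ServiceAccountPattern = '^VSPHERE\.LOCAL\\(vpxd|vpxd-extension|vsphere-webclient)-[0-9a-f-]+$',
        # Hypothetical parameter so the check can also run offline against sample data;
        # by default it pulls the live list from the connected vCenter.
        [object[]]$Permissions = (Get-VIGlobalPermission)
    )

    foreach ($perm in $Permissions) {
        $isAdmin   = $perm.Role -eq 'Admin'
        $isService = $perm.Principal -match $ServiceAccountPattern
        $approved  = $ApprovedAdmins -contains $perm.Principal

        # Anything with global Admin that is neither approved nor a known service account
        # is a finding; propagating grants reach every child object, so report that too.
        $finding = if ($isAdmin -and -not ($approved -or $isService)) {
            if ($perm.Propagate) { 'Unexpected global Admin (propagating)' }
            else                 { 'Unexpected global Admin' }
        } else { 'OK' }

        [pscustomobject]@{
            Principal     = $perm.Principal
            PrincipalType = $perm.PrincipalType
            Role          = $perm.Role
            Propagate     = $perm.Propagate
            Finding       = $finding
        }
    }
}

# Offline run against constructed sample data shaped like the output above.
$sample = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrator'; PrincipalType = 'User'; Role = 'Admin'; Propagate = $true }
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\vpxd-b2df90b0-1e03-11e6-b844-005056bf2aaa'; PrincipalType = 'User'; Role = 'Admin'; Propagate = $true }
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\test-user'; PrincipalType = 'User'; Role = 'Admin'; Propagate = $true }
)
Compare-VIGlobalPermissionBaseline -Permissions $sample | Where-Object Finding -ne 'OK'
```

Against the sample data only VSPHERE.LOCAL\test-user is reported; drop the -Permissions argument to run the same check against the connected vCenter.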
Creating Global Permissions
The New-VIGlobalPermission function will allow you to create a global permission. You must supply a user/group name and the identifier of the role to assign.
First use the Get-VIMobRole function to get the identifier for the specific role.
Get-VIMobRole
Name     Description Id
----     ----------- --
Admin    Admin       -1
ReadOnly ReadOnly    -2
View     View        -3
...
Then use the New-VIGlobalPermission function to create the permission. For example, to assign the role with Id -1 (Admin in the table above) to the vSphere user VSPHERE.LOCAL\test-user you would use:
New-VIGlobalPermission -Name "VSPHERE.LOCAL\test-user" -RoleId -1
If you are assigning a role to a group, you will need to use the -IsGroup switch:
New-VIGlobalPermission -Name "VSPHERE.LOCAL\group-of-users" -IsGroup -RoleId -1
By default the global permission will propagate to all child objects. If you would like to override this, you can pass -Propagate:$false:
New-VIGlobalPermission -Name "VSPHERE.LOCAL\group-of-users" -IsGroup -RoleId -1 -Propagate:$false
NOTE: If you are already using the VMware.PowerCLI module, you can use the official Get-VIRole cmdlet in place of the Get-VIMobRole function included in VIPerms.
Removing Global Permissions
The Remove-VIGlobalPermission function will allow you to delete a global permission. You only need to specify the user/group with this function.
Remove-VIGlobalPermission -Name "VSPHERE.LOCAL\test-user"
Again, if you are removing a permission from a group, you will need to use the -IsGroup switch:
Remove-VIGlobalPermission -Name "VSPHERE.LOCAL\group-of-users" -IsGroup
This module is something that I have put together pretty quickly as I needed to automate some global permissions tasks. I have tested it against vSphere 6.0, 6.5 and 6.7 lab environments and it seems to work fine with all versions. Hopefully it is useful to some other people out there! If you have any questions or feedback, you can find me on Twitter.