PowerCLI: Managing roles, permissions and privileges in vCenters

12 Mar

The following script allows you to add new roles, add new permissions and add/remove privileges from existing roles in your vCenters. This is useful if you need to modify the role-based access control (RBAC) of a list of your vCenters. For new permissions, I have defaulted to adding them at the root folder, a.k.a. the VC level, and set them to propagate, since this is the most common requirement. You can modify it for more flexibility as required.

The format of the XML file looks like this. Do remember that many privileges are related, so setting just one may not be enough; you must test it out first before rollout. For example, to give a role the privilege to delete an alarm you need two privileges, “Remove alarm” & “Set alarm status”. Also notice that the privilege ID is used instead of the full description; this is a less error-prone approach.

To get the privilege ID, run: get-viprivilege "privilege name" | ft name, id

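<?xml version="1.0" encoding="utf-8" ?>
<!-- Role action: valid verbs = AddRole, Add, Remove -->
<Inventory>
   <vCenters>
      <vCenter Name="vcenter1"></vCenter>
   </vCenters>
   <Roles>
      <!-- Each role lists its privilege IDs as <Privilege> child elements -->
      <Role Name="Role1" Action="Remove">
      </Role>
      <Role Name="Role2" Action="Add">
      </Role>
      <Role Name="TEST2" Action="AddRole">
      </Role>
   </Roles>
   <Permissions>
      <Permission Principal="\user1" Role="TEST2" />
   </Permissions>
</Inventory>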

The script below loops through the XML and does the work accordingly. The logging is very basic; you can add more error trapping and better logging functions if you want.


<#
 .SYNOPSIS
   Script to add roles, permissions and add/remove privileges in vCenters

 .DESCRIPTION
   This script is used to add new roles, add new permission and update (add/remove) privileges for roles already defined in vCenters. For new permissions, it will default to root folder (i.e. VC level) and propagate.

 .PARAMETER rbacxml
   XML file that contains required updates (read XML file for format)

 .EXAMPLE
   # Update roles in XML file
   Update-RBAC.ps1 .\rbac.xml
#>

# Path to the XML file describing the RBAC changes
param (
  [string]$rbacxml
)

[string]$ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Path -Parent
[string]$ScriptFile = Split-path -Path $MyInvocation.MyCommand.Path -Leaf
[string]$ScriptName = [System.IO.Path]::GetFileNameWithoutExtension($ScriptFile)
[string]$LogFileName = "$ScriptName-" + (Get-Date -Format "yyyyMMdd_HHmmss") + ".log"
[string]$LogFile = Join-Path $ScriptPath "$LogFileName"

[xml]$rbac = get-content $rbacxml

# Start from a clean state: drop any existing vCenter connections
if ($global:defaultviservers.count -gt 0) { disconnect-viserver * -confirm:$false -force }

foreach ( $vc in $rbac.inventory.vcenters.vcenter) {
  connect-viserver $vc.name
  " ***** $($vc.name) **** " | out-file $Logfile -append

  foreach ( $role in $rbac.inventory.roles.role) {

    if ($role.action -match "addrole") {

      # Only need to add new role once
      if ((Get-virole $role.name -ea silentlycontinue).name -ne $role.name) {
        "Role = $($role.name) Adding New role"
        $error.clear()   # so the check below reflects only this call
        New-VIRole $role.name -ea silentlycontinue | out-null
        if ($error.count -eq 0) { "SUCCESS: Add Role = $($role.name)" | out-file $LogFile -append }
        else { "ERROR Adding New Role: Role = $($role.name)" | out-file $LogFile -append }
      }
    }

    # Only apply if the role is valid for this vCenter
    if (get-virole $role.name -server $vc.name -ea silentlycontinue) {

      foreach ($privilege in $role.privilege) {
        if ($role.action -match "add") {
          "Role = $($role.name) Adding Privilege = $privilege"
          $error.clear()
          Set-VIRole -Role $role.name -AddPrivilege (Get-VIPrivilege -id $privilege) -ea silentlycontinue | out-null
          if ($error.count -eq 0) { "SUCCESS: Role = $($role.name), AddPrivilege = $privilege" | out-file $LogFile -append }
          else { "ERROR Adding privilege: Role = $($role.name), AddPrivilege = $privilege" | out-file $LogFile -append }
        }
        elseif ($role.action -match "remove") {
          "Role = $($role.name) Removing Privilege = $privilege"
          $error.clear()
          Set-VIRole -Role $role.name -RemovePrivilege (Get-VIPrivilege -id $privilege) -ea silentlycontinue | out-null
          if ($error.count -eq 0) { "SUCCESS: Role = $($role.name), RemovePrivilege = $privilege" | out-file $LogFile -append }
          else { "ERROR Removing privilege: Role = $($role.name), RemovePrivilege = $privilege" | out-file $LogFile -append }
        }
      }
    }
  }

  # New permissions are granted on the root folder and propagate to all children
  foreach ( $perm in $rbac.inventory.permissions.permission) {

    if ($perm.role) {
      "New Permission: Principal = $($perm.principal), Role = $($perm.role)"
      $error.clear()
      New-VIPermission -role $perm.role -principal $perm.principal -entity (get-folder -NoRecursion) -Propagate $true -ea SilentlyContinue | out-null
      if ($error.count -eq 0) { "SUCCESS: Permission added for: Principal = $($perm.principal), Role = $($perm.role), entity = root, propagate = true" | out-file $LogFile -append }
      else { "ERROR Adding permission: Principal = $($perm.principal), Role = $($perm.role)" | out-file $LogFile -append }
    }
  }

  disconnect-viserver $vc.name -confirm:$false -force
}

"Please check $Logfile for complete status"
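Since the update script matches the Action verb loosely and grants every permission at the root with propagation, it helps to lint the XML offline before a rollout. The following is an added example, not part of the original post: the function name Test-RbacXml, the LAB\ principals and the sample privilege IDs are assumptions (confirm IDs with get-viprivilege), and the element names follow the paths the script reads.

```powershell
# Added example: lint an RBAC XML offline before the update script touches a vCenter.
# Constructed sample input; privilege IDs and LAB\ principals are sample values.
[xml]$sample = @'
<Inventory>
  <vCenters><vCenter Name="vcenter1" /></vCenters>
  <Roles>
    <Role Name="Role1" Action="Remove"><Privilege>Alarm.Delete</Privilege></Role>
    <Role Name="Role2" Action="Add"><Privilege>Alarm.Delete</Privilege></Role>
    <Role Name="Role3" Action="Delete"><Privilege>Alarm.Create</Privilege></Role>
    <Role Name="TEST2" Action="AddRole" />
  </Roles>
  <Permissions>
    <Permission Principal="LAB\user1" Role="TEST2" />
    <Permission Principal="LAB\user2" Role="Role9" />
  </Permissions>
</Inventory>
'@

function Test-RbacXml {
  param ([xml]$Rbac)
  $verbs   = 'AddRole', 'Add', 'Remove'
  # Privileges that only work together; this pair is the alarm example from the text.
  $related = @{ 'Alarm.Delete' = 'Alarm.SetStatus' }
  $created = @()
  foreach ($role in @($Rbac.Inventory.Roles.Role | Where-Object { $_ })) {
    $privs = @($role.Privilege | Where-Object { $_ })
    # Exact verb check: the update script uses -match, so a typo is skipped silently.
    if ($verbs -notcontains $role.Action) {
      "ERROR  role '$($role.Name)': action '$($role.Action)' is not one of $($verbs -join ', ')"
      continue
    }
    if ($role.Action -eq 'AddRole') { $created += $role.Name }
    elseif ($privs.Count -eq 0) { "WARN   role '$($role.Name)': no privileges listed, nothing will change" }
    if ($role.Action -ne 'Remove') {
      foreach ($p in $privs) {
        if ($related[$p] -and $privs -notcontains $related[$p]) {
          "WARN   role '$($role.Name)': $p is granted without $($related[$p])"
        }
      }
    }
  }
  foreach ($perm in @($Rbac.Inventory.Permissions.Permission | Where-Object { $_ })) {
    # Root folder + propagate means the principal holds the role on the whole inventory.
    "REVIEW $($perm.Principal) gets role '$($perm.Role)' at root, propagated, on every listed vCenter"
    if ($created -notcontains $perm.Role) {
      "WARN   role '$($perm.Role)' is not created by this file and must already exist on each vCenter"
    }
  }
}
Test-RbacXml $sample
```

To check a real change file, pass it as `Test-RbacXml ([xml](Get-Content .\rbac.xml))` and resolve every ERROR and WARN line before running the update script.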


Posted by on March 12, 2015 in powershell, Scripts, vmware

