Notes of a scripter

Export vCenter Roles and Permissions with PowerCLI

This doesn’t seem like a difficult task, but configuring new roles in vCenter is just terrible. On my team at work we have one guy who does it all the time. When he has to configure a new role he complains a lot about it, because it’s so tedious. So when it came time for me to duplicate a role that we already have in one vCenter to another one, I wanted to see how difficult it would be to export the needed privileges and import them. Trying to match up all of the checkboxes just isn’t for me.

So after messing around in the PowerCLI console, I used the cmdlet Get-VIRole. This listed all of the vCenter roles and whether each one was a system role or not, which seems to mean a built-in role. I found the role that I needed and used the cmdlet to target the role I was looking to export.

After running (Get-VIRole -Name "Role Name").ExtensionData, I found there is a Privilege property, which looks like the permissions that are assigned to the role. Running (Get-VIRole -Name "Role Name").ExtensionData.Privilege returns the needed permissions. I piped this data to Out-File to write it to a txt file, so I can then add it to the other vCenter.

ContentLibrary.AddLibraryItem
ContentLibrary.CreateLocalLibrary
ContentLibrary.CreateSubscribedLibrary
ContentLibrary.DeleteLibraryItem
ContentLibrary.DeleteLocalLibrary
ContentLibrary.DeleteSubscribedLibrary
ContentLibrary.DownloadSession
ContentLibrary.EvictLibraryItem
ContentLibrary.EvictSubscribedLibrary

VirtualMachine.Provisioning.Customize
VirtualMachine.Provisioning.DeployTemplate
VirtualMachine.Provisioning.DiskRandomAccess
VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.Provisioning.FileRandomAccess
VirtualMachine.Provisioning.ModifyCustSpecs
VirtualMachine.Provisioning.ReadCustSpecs
VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot
VirtualMachine.State.RenameSnapshot
VirtualMachine.State.RevertToSnapshot

Above are the results of the extracted role.

Now that I have the permissions, I just need to create the new role and assign these privileges.

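# Create the empty role on the target vCenter
$Role = New-VIRole -Name "New Role Name"
# Read the exported privilege IDs, one per line
$privilege = Get-Content C:\Scripts\Logs\ExtractedRole.txt
# Look up each privilege by ID and add it to the new role
$privilege | ForEach-Object { Set-VIRole -Role $Role -AddPrivilege (Get-VIPrivilege -Id $_) }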

Once it has finished looping through all of the privileges, the new role is ready to be used.

-Stuart
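
The export and import steps above as one script that also checks the result, so the copied role ends up with exactly the exported privileges and nothing more. This is an added example, not part of the original post; the vCenter host names are hypothetical, and the role name and file path reuse the placeholders from the post.

```powershell
# Assumptions: both vCenter names are hypothetical placeholders.
$SourceVC   = 'vcenter-a.example.local'
$TargetVC   = 'vcenter-b.example.local'
$RoleName   = 'Role Name'
$ExportFile = 'C:\Scripts\Logs\ExtractedRole.txt'

$src = Connect-VIServer -Server $SourceVC
$dst = Connect-VIServer -Server $TargetVC

# Export: one privilege ID per line, sorted so the file diffs cleanly.
(Get-VIRole -Name $RoleName -Server $src).ExtensionData.Privilege |
    Sort-Object | Set-Content -Path $ExportFile

# Import: drop blank lines and duplicates before touching the target.
$wanted = Get-Content -Path $ExportFile |
    ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique

# Resolve each ID on the target. An ID the target does not know is
# reported instead of being skipped silently.
$resolved = @()
$missing  = @()
foreach ($id in $wanted) {
    $p = Get-VIPrivilege -Id $id -Server $dst -ErrorAction SilentlyContinue
    if ($p) { $resolved += $p } else { $missing += $id }
}
if ($missing) {
    Write-Warning "Not present on ${TargetVC}: $($missing -join ', ')"
}

# Refuse to reuse a role name that already exists on the target.
if (Get-VIRole -Name $RoleName -Server $dst -ErrorAction SilentlyContinue) {
    throw "Role '$RoleName' already exists on $TargetVC"
}
New-VIRole -Name $RoleName -Privilege $resolved -Server $dst | Out-Null

# Verify: re-read the role and compare it against the export file.
# '<=' marks IDs only in the export, '=>' IDs only in the new role.
$actual = (Get-VIRole -Name $RoleName -Server $dst).ExtensionData.Privilege
$diff = Compare-Object -ReferenceObject $wanted -DifferenceObject $actual
if ($diff) {
    $diff | Format-Table InputObject, SideIndicator
} else {
    Write-Host "Role '$RoleName' matches the export ($($wanted.Count) privileges)."
}
```

Any row in the final table is worth reviewing before the role is assigned to anyone, since it means the target role grants something different from what was exported.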
