vSphere Global Permissions was first introduced in vSphere 6.0, which provides a simple and consistent method for assigning permissions for individual users and/or groups across multiple vCenter Servers joined to the same vCenter Single Sign-On (SSO) Domain. Global permissions works in the same way as traditional vSphere Permissions, but rather than assigning a permission to a specific entity, the association is applied at the root level of the vCenter Server.
The other added benefit for customers who are using vCenter's Enhanced Linked Mode (ELM), the global permission will be available to all vCenter Servers which are part of that ELM configuration. Without global permissions, a customer would have to create and assign a new permission to each and every vCenter Server and ensure that they all match which can be very error prone.
One downside to using vSphere Global Permissions today is that there is currently not a public API for those wanting to automate the creation and deletion of global permissions. However, as quick workaround, I have found a way in which you can automate the global permission management using the vSphere MOB which would allow us to use PowerCLI or any other vSphere Automation toolkit for that matter.
I have created a simple PowerShell script called GlobalPermissions.ps1 which contains two functions New-GlobalPermission and Remove-GlobalPermission which hopefully is self explanatory in what they do.
To create a new vSphere Global Permission, the function requires the following 6 parameters:
- vc_server - Hostname or IP of the vCenter Server
- vc_username - The VC username
- vc_password - The VC password
- vc_user - The vSphere User to assign the permission to
- vc_role_id - The Role ID associated with the vSphere Role within vCenter Server (more on this later)
- propagate - true or false on whether to propagate the permission
To retrieve the vc_role_id, you simply need access to a vCenter Server and run the following snippet along with the name of the vSphere Role to get its ID. In the example below, the Administrator role is called "Admin" using the vSphere API and the following will return the ID:
(Get-VIRole -Name Admin).ExtensionData.RoleId
Once you have retrieved the vSphere Role ID, here is an example of running the New-GlobalPermission function:
$vc_server = "192.168.1.51"
$vc_username = "*protected email*"
$vc_password = "VMware1!"
$vc_role_id = "-1"
$vc_user = "VGHETTO\lamw"
$propagate = "true"
New-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user -vc_role_id $vc_role_id -propagate $propagate
If the operation was successful, you should be able to login using the vSphere Web Client and refresh the global permissions view and you should see the new permission assignment as shown in the screenshot below.
To remove a global permission, you only need to provide the vCenter Server, its credentials and the user permission you wish to remove:
Remove-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user
JP says
Hello, very helpfull script. I used it to automatize my infra deployement.
I've just a question about that. How to add groups instead of users in the global permissions ?
If you have an idea...
Many thanks and good job
tekillalinz says
line 68
vmware-session-nonce=$sessionnonce&permissions=%3Cpermissions%3E%0D%0A+++%3Cprincipal%3E%0D%0A++++++%3Cname%3E$vc_user_escaped%3C%2Fname%3E%0D%0A++++++%3Cgroup%3Etrue%3C%2Fgroup%3E%0D%0A+++%3C%2Fprincipal%3E%0D%0A+++%3Croles%3E$vc_role_id%3C%2Froles%3E%0D%0A+++%3Cpropagate%3E$propagate%3C%2Fpropagate%3E%0D%0A%3C%2Fpermissions%3E
change "group%3Efalse" to "group%3Etrue"
Matthew Meyer says
Thank you! Just what I needed too 🙂
Arnaud says
Hi,
Is it possible to use it on a docker PowerCLICore hosted by a Linux?
With the New-GlobalPermission function, when I try to add the type, I raise an error :
The type or namespace name 'ICertificatePolicy' could not be found (are you missing a using directive or an assembly reference?)
Is that because a Windows host is needed? (Adding the type on a Windows works)
Thanks for your help!
wired2work says
This was a great help, but now I need to change the password on the *protected email*, any thoughts on making this happen? powercli commands don't seem to work on the SSO objects.
Chandan says
Some how adding the global permission isn't working through this script.
When I tried to debug the script I can see that the status code of the $results which is the result of invocation "$results = Invoke-WebRequest -Uri $mob_url -WebSession $vmware -Method POST -Body $body)" to be 200.
I am using VCSA 10244857-6.7 U1 with embedded PSC.