
Automating vSphere Global Permissions with PowerCLI

03.06.2017 by William Lam // 6 Comments

vSphere Global Permissions were first introduced in vSphere 6.0 and provide a simple, consistent way to assign permissions to individual users and/or groups across multiple vCenter Servers joined to the same vCenter Single Sign-On (SSO) domain. A global permission works the same way as a traditional vSphere permission, except that instead of being assigned to a specific inventory object, it is applied at the root level of the vCenter Server.

A further benefit for customers using vCenter Enhanced Linked Mode (ELM) is that a global permission is automatically available to every vCenter Server that is part of that ELM configuration. Without global permissions, a customer would have to create and assign a new permission on each and every vCenter Server and make sure they all match, which is very error prone.

One downside to using vSphere Global Permissions today is that there is no public API for those wanting to automate their creation and deletion. As a quick workaround, I have found a way to automate global permission management through the vSphere Managed Object Browser (MOB), which lets us use PowerCLI or, for that matter, any other vSphere automation toolkit.

UPDATE (04/07/25) - See this updated blog post for listing vSphere Global Permissions.

I have created a simple PowerShell script called GlobalPermissions.ps1 that contains two functions, New-GlobalPermission and Remove-GlobalPermission, whose names are hopefully self-explanatory.

To create a new vSphere Global Permission, the function requires the following 6 parameters:

  • vc_server - Hostname or IP of the vCenter Server
  • vc_username - The VC username
  • vc_password - The VC password
  • vc_user - The vSphere User to assign the permission to
  • vc_role_id - The Role ID associated with the vSphere Role within vCenter Server (more on this later)
  • propagate - true or false on whether to propagate the permission

To retrieve the vc_role_id, you need access to a vCenter Server; run the following snippet with the name of the vSphere Role to get its ID. Note that the Administrator role is named "Admin" in the vSphere API, so the following returns its ID:

```powershell
(Get-VIRole -Name Admin).ExtensionData.RoleId
```

Once you have retrieved the vSphere Role ID, here is an example of running the New-GlobalPermission function:

```powershell
$vc_server = "192.168.1.51"
$vc_username = "<sso-administrator-account>"   # the original value was an email address stripped by the page's email protection
$vc_password = "VMware1!"
$vc_role_id = "-1"
$vc_user = "VGHETTO\lamw"
$propagate = "true"
New-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user -vc_role_id $vc_role_id -propagate $propagate
```

If the operation was successful, you should be able to log in with the vSphere Web Client, refresh the global permissions view and see the new permission assignment, as shown in the screenshot below.

To remove a global permission, you only need to provide the vCenter Server, its credentials and the user permission you wish to remove:

```powershell
Remove-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user
```
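The MOB workflow the script wraps, written out as an added example (this is not William's GlobalPermissions.ps1). The MOB URL, method name and the vmware-session-nonce hidden field are assumptions carried over from how that script is known to behave, not facts stated on this page, so check them in your own vCenter's MOB first; the example also exposes the group principal switch discussed in the comment thread below and the -SkipCertificateCheck alternative for PowerCLI Core.

```powershell
# Added example, not the GlobalPermissions.ps1 script from the post. It reproduces the
# MOB workflow the post describes: fetch the session nonce, then POST the <permissions> XML.
# ASSUMPTIONS (not stated on this page): the MOB path and method name below and the
# vmware-session-nonce hidden form field; verify them in your own vCenter MOB before use.
function Add-GlobalPermissionViaMob {
    param(
        [Parameter(Mandatory)][string]$vc_server,
        [Parameter(Mandatory)][pscredential]$Credential,   # SSO admin; prompt rather than hard-code
        [Parameter(Mandatory)][string]$vc_user,            # "DOMAIN\name" of the user or group
        [Parameter(Mandatory)][int]$vc_role_id,            # (Get-VIRole -Name X).ExtensionData.RoleId
        [bool]$propagate = $true,
        [switch]$IsGroup                                   # <group>true</group> assigns to a group
    )
    # Same XML document the post's script sends, with the principal name XML-escaped.
    $name  = [System.Security.SecurityElement]::Escape($vc_user)
    $group = $IsGroup.IsPresent.ToString().ToLower()
    $prop  = $propagate.ToString().ToLower()
    $xml   = "<permissions><principal><name>$name</name><group>$group</group></principal>" +
             "<roles>$vc_role_id</roles><propagate>$prop</propagate></permissions>"

    # Assumed endpoint (treat as hypothetical until confirmed in the MOB browser of your vCenter).
    $mob_url = "https://$vc_server/invsvc/mob3/?moid=authorizationService&method=AuthorizationService.AddGlobalAccessControlList"
    # On PowerShell 6+/PowerCLI Core, -SkipCertificateCheck replaces the Windows-only ICertificatePolicy trick.
    $common = @{ UseBasicParsing = $true }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $common.SkipCertificateCheck = $true }

    # 1. GET the method page to obtain a session cookie and the anti-CSRF nonce.
    $page = Invoke-WebRequest -Uri $mob_url -SessionVariable mob -Credential $Credential -Method Get @common
    if (-not ($page.Content -match 'name="vmware-session-nonce" type="hidden" value="?([^\s"]+)"')) {
        throw "Could not find vmware-session-nonce in MOB response (status $($page.StatusCode))."
    }
    $nonce = $Matches[1]

    # 2. POST the form; the XML must be form-encoded, which the post's script does by hand.
    $body = "vmware-session-nonce=$nonce&permissions=$([uri]::EscapeDataString($xml))"
    $resp = Invoke-WebRequest -Uri $mob_url -WebSession $mob -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded' @common

    # 3. Always log the MOB session out. A 200 alone does not prove the permission was created
    #    (see the comment thread), so confirm in the Global Permissions view afterwards.
    $null = Invoke-WebRequest -Uri "https://$vc_server/invsvc/mob3/logout" -WebSession $mob -Method Get @common
    return $resp.StatusCode
}

# Usage with constructed values: a group assignment, equivalent to the group=true edit from the comments.
# $cred = Get-Credential   # SSO administrator
# Add-GlobalPermissionViaMob -vc_server '192.168.1.51' -Credential $cred -vc_user 'VGHETTO\vsphere-admins' -vc_role_id -1 -IsGroup
```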


Comments

  1. JP says

    09/22/2017 at 2:01 am

    Hello, very helpful script. I used it to automatize my infra deployment.
    I've just a question about that. How to add groups instead of users in the global permissions?

    If you have an idea...
    Many thanks and good job

    Reply
    • tekillalinz says

      05/23/2019 at 4:11 am

      line 68
      vmware-session-nonce=$sessionnonce&permissions=%3Cpermissions%3E%0D%0A+++%3Cprincipal%3E%0D%0A++++++%3Cname%3E$vc_user_escaped%3C%2Fname%3E%0D%0A++++++%3Cgroup%3Etrue%3C%2Fgroup%3E%0D%0A+++%3C%2Fprincipal%3E%0D%0A+++%3Croles%3E$vc_role_id%3C%2Froles%3E%0D%0A+++%3Cpropagate%3E$propagate%3C%2Fpropagate%3E%0D%0A%3C%2Fpermissions%3E

      change "group%3Efalse" to "group%3Etrue"

      Reply
      • Matthew Meyer says

        05/13/2021 at 4:20 pm

        Thank you! Just what I needed too 🙂

        Reply
  2. Arnaud says

    03/06/2019 at 1:44 am

    Hi,

    Is it possible to use it on a docker PowerCLICore hosted by a Linux?

    With the New-GlobalPermission function, when I try to add the type, I raise an error:
    The type or namespace name 'ICertificatePolicy' could not be found (are you missing a using directive or an assembly reference?)

    Is that because a Windows host is needed? (Adding the type on a Windows works)

    Thanks for your help!

    Reply
  3. wired2work says

    09/06/2019 at 7:52 pm

    This was a great help, but now I need to change the password on the *protected email*, any thoughts on making this happen? powercli commands don't seem to work on the SSO objects.

    Reply
  4. Chandan says

    10/10/2019 at 11:29 pm

    Somehow adding the global permission isn't working through this script.

    When I tried to debug the script I can see that the status code of the $results which is the result of invocation "$results = Invoke-WebRequest -Uri $mob_url -WebSession $vmware -Method POST -Body $body)" to be 200.

    I am using VCSA 10244857-6.7 U1 with embedded PSC.

    Reply

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
