Parsing complex HTML is definitely challenging, even with PowerShell. I had hoped to use the free tier of ChatGPT and their latest 4o model to help build a PowerShell function for HTML parsing, but I kept running into system limits and the AI often misunderstood what I was asking for.
I finally gave in and purchased the $20 subscription so that I could expand on my 2017 blog post about automating vSphere Global Permissions and add support for listing global permissions, which came at a request from a recent user.
It turns out calling the private vSphere Global Permissions API via the vSphere MOB to show all current vSphere Global Permissions is extremely difficult due to the complex HTML that is rendered by the vSphere MOB. In fact, it took 25 iterations before I finally arrived at the solution using ChatGPT's 4o model. In several of the iterations, it ended up going backwards in progress, so that was pretty annoying!
Not sure if this is the new fancy "vibe coding" trend that I had experienced ... 😅
Download the latest GlobalPermissions.ps1 file, which contains a new function called Get-GlobalPermission that retrieves all vSphere Global Permissions, including the principal name, the assigned vSphere Role and where the role is defined (global permission vs. inventory permission).
Below is an example of using the new function. You must first run Connect-VIServer, as that connection is required to correlate the vSphere Role ID provided by the function with the actual vSphere Role Name provided by the native PowerCLI cmdlet.
```
$vc_server = "vc03.williamlam.local"
$vc_username = "*protected email*"
$vc_password = "VMware1!"

# PowerCLI session, needed to map vSphere Role IDs to Role Names
$server = Connect-VIServer -Server $vc_server -User $vc_username -Password $vc_password

# Lists all vSphere Global Permissions via the vSphere MOB
Get-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password

Disconnect-viserver $server -confirm:$false
```
Here is a screenshot of the output, which you can further process as the function returns an array of PowerShell objects.
I know many users have been asking for an easier way to automate vSphere Global Permissions. I can only say that we have heard you loud and clear and this will be addressed in the near future 🙂
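One way to post-process the returned array for a permissions audit, flagging principals that hold different roles globally and on inventory objects. This is an added example, not code from GlobalPermissions.ps1; the property names `Principal`, `Role` and `Definition`, the `Global`/`Inventory` labels and the function name `Find-ConflictingPermission` are assumptions, and the rows are constructed.

```powershell
# Constructed rows. The property names (Principal, Role, Definition) and the
# 'Global' / 'Inventory' labels are assumptions, not the function's real output.
$sample = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrator'; Role = 'Admin';    Definition = 'Global' }
    [pscustomobject]@{ Principal = 'CORP.EXAMPLE\vSphere-Ops';    Role = 'ReadOnly'; Definition = 'Global' }
    [pscustomobject]@{ Principal = 'corp.example\vsphere-ops';    Role = 'Admin';    Definition = 'Inventory' }
    [pscustomobject]@{ Principal = 'CORP.EXAMPLE\Backup-Svc';     Role = 'ReadOnly'; Definition = 'Global' }
    [pscustomobject]@{ Principal = 'CORP.EXAMPLE\Backup-Svc';     Role = 'ReadOnly'; Definition = 'Inventory' }
)

# Hypothetical helper: one row per principal that holds more than one distinct role.
function Find-ConflictingPermission {
    param(
        [Parameter(Mandatory)][object[]]$Permission,
        [string]$GlobalLabel = 'Global'
    )
    # Group-Object compares strings case-insensitively by default, so the same
    # principal written in different case lands in one group.
    foreach ($g in ($Permission | Group-Object -Property Principal)) {
        $roles = @($g.Group | ForEach-Object Role | Sort-Object -Unique)
        if ($roles.Count -lt 2) { continue }   # same role everywhere: not a conflict
        [pscustomobject]@{
            Principal      = $g.Name
            GlobalRoles    = @($g.Group | Where-Object Definition -eq $GlobalLabel |
                                 ForEach-Object Role | Sort-Object -Unique) -join ', '
            NonGlobalRoles = @($g.Group | Where-Object Definition -ne $GlobalLabel |
                                 ForEach-Object Role | Sort-Object -Unique) -join ', '
        }
    }
}

Find-ConflictingPermission -Permission $sample | Format-Table -AutoSize
```

Against live data, pass the array returned by Get-GlobalPermission as `-Permission` once the property names and the global label have been adjusted to match its output.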
William,
Thanks for looking into this so quickly. I hope this is something you were planning to look at anyway.
It seems to be working very well for what I want to do, with two very minor issues.
One, on line 29 where you have VSPHERE\.LOCAL hardcoded, that is causing the loop not to match any of the groups that are based on our AD users instead of our local users. I can replace the VSPHERE\.LOCAL with our AD domain and it will instead pick up the AD groups and not the local groups. I'll try to work out a regex that will pick up both.
Two, in the rare case where a permission is defined for the same Principal on an object and globally, the script reports two lines with both Roles, but there is no way to see which is truly Global. This is part of what I am trying to audit; we have too many duplicate permissions with different roles for the same users.
Actually though, just being able to identify which principal has a duplicate role defined is a big win, so it may already be good enough.
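The first issue above matters for auditing because a principal pattern tied to one domain drops every other principal without any error. The following added example (not part of the comment or of GlobalPermissions.ps1) measures that on constructed fragments; the markup, the hardcoded pattern, the broader third pattern and the function name `Test-PrincipalPatternCoverage` are assumptions, and the second pattern is the one posted further down this thread.

```powershell
# Constructed stand-ins for the "name" cell of a permission entry;
# simplified markup, not captured vSphere MOB output.
$fragments = @(
    '<td>name</td><td>VSPHERE.LOCAL\Administrator</td>'
    '<td>name</td><td>CORP.EXAMPLE\vSphere-Admins</td>'
    '<td>name</td><td>corp.example\svc-backup</td>'
    '<td>name</td><td>AD01\Operators</td>'
)

$patterns = [ordered]@{
    # Hypothetical pattern with the domain hardcoded, as the comment describes.
    'hardcoded domain'  = 'name.*?(VSPHERE\.LOCAL\\[^<]+)'
    # Pattern posted later in this thread.
    'uppercase domains' = 'name.*?([A-Z.]+\\[^<]+)'
    # Assumption: any run without markup, backslash or whitespace is a domain.
    'any domain token'  = 'name.*?([^<>\\\s]+\\[^<]+)'
}

# Hypothetical helper: reports, per pattern, how many principals it finds
# and which ones it would leave out of the listing.
function Test-PrincipalPatternCoverage {
    param(
        [Parameter(Mandatory)][string[]]$Fragment,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Pattern
    )
    foreach ($label in $Pattern.Keys) {
        $missed = [System.Collections.Generic.List[string]]::new()
        foreach ($f in $Fragment) {
            $m = [regex]::Match($f, $Pattern[$label], 'Singleline')
            # Keep only the principal text of a fragment the pattern did not match.
            if (-not $m.Success) { $missed.Add(($f -replace '.*<td>([^<]+)</td>$', '$1')) }
        }
        [pscustomobject]@{
            Pattern = $label
            Matched = $Fragment.Count - $missed.Count
            Missed  = $missed -join '; '
        }
    }
}

Test-PrincipalPatternCoverage -Fragment $fragments -Pattern $patterns |
    Format-Table -AutoSize -Wrap
```

The matching is case-sensitive because only the `Singleline` option is set, which is why lowercase and digit-bearing domain names fall outside `[A-Z.]+`.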
See the updated script, as it now addresses both scenarios 🙂
```
$nameMatch = [regex]::Match($nested, 'name.*?([A-Z.]+\\[^<]+)', 'Singleline')
```
This seems to fix the first issue for me. I'm not great with github or maybe I could figure out how to pull request. Maybe given enough time I could still figure it out.
Beautiful Soup is elegant and powerful (IMHO) but is limited to Python. Maybe craft a small Python module to call from PowerShell? https://beautiful-soup-4.readthedocs.io/en/latest/
HA! Yea, ChatGPT did recommend/ask me a few times on whether I would be open to a Python solution as it might be more elegant. I had to be persistent in asking for pure PowerShell Core (not relying on additional modules, which was another option it had suggested).
I recently installed the Power Validated Solutions PowerShell module, AKA VVS:
https://vmware.github.io/power-validated-solutions-for-cloud-foundation/install/
and running
```
get-help *permission* | Format-Table -AutoSize
```
will list Get-GlobalPermission as a function of the PowerValidatedSolutions module.
I'm not sure if the function from the module is the same as GlobalPermissions.ps1; here is how it goes using the VVS module.
But I noticed differences: first, the module has to be installed before using the function; secondly, connecting requires an additional function.
Using it with Connect-VIServer returns an error where there is "mob". Since GlobalPermissions.ps1 also uses the MOB and the similar function comes from the VVS module, I searched for how to connect this way. Instead of get-help, I used get-command, which provides a -Module switch:
```
get-command *connect* -Module PowerValidatedSolutions | Format-Table -AutoSize
```
Then I found
```
get-help Connect-vSphereMobServer -Examples
Connect-vSphereMobServer -server sfo-m01-vc01.sfo.rainpole.io -username *protected email* -password VMw@re1!
```
```
$server = Connect-VIServer -Server $vc_server -User $vc_username -Password $vc_password
Connect-vSphereMobServer -server $vc_server -username $vc_username -password $vc_password
Get-GlobalPermission
```
Similarly, remember to disconnect (for security reasons) with
```
Disconnect-vSphereMobServer $server -confirm:$false
Disconnect-viserver $server -confirm:$false
```
I noticed a popup on PowerShell 7.4 on Windows that can be closed.
Finally, the only difference in the resulting table is that the "Definition" column is not there in the PowerValidatedSolutions function; instead there is a "Propagate" column.
Hope it helps.
Looks like they may have copied my functions/etc. Best to report this on VVS GH if you want similar output as this new function.
That latest version is nice.
Yeah, I thought there had to be an easier way to deal with the HTML. I spent a few hours just trying to pass the Value parameter to Select-Xml, which should let you just do a simple XPath query on it, but I couldn't get Select-Xml to accept the output of over half the rows returned. It implied that the XML was invalid, but I couldn't see why and I finally gave up. Then I read you had a new version and couldn't see anything I could improve anyway.
I have done the Global Permission topic in the past with the PS module VIPerms: https://www.powershellgallery.com/packages/VIPerms/0.0.6
It worked well until now.
But I have now seen that a bug exists in the function New-VIGlobalPermission.
The permissions will be set correctly in the vCenter, but I cannot see, for example, the Content Library (the role has the permissions).
When I add the Global Permission for the user with the same role manually, it works.
Maybe you can use this module as a template and rewrite it so that it works?
Someone had indeed pointed me to your work, nice! As mentioned in the blog post, this uses a different method altogether, which is more comprehensive as it includes both non-global & global permissions. Not saying your module didn't do the job, just wasn't aware (especially when I did an initial search).
I too ran into issues using your module initially, but this solution works with the latest release.
Not sure I follow your CL comments. Since the ability to consume CL is purely defined by Global Permissions, you don't associate a specific CL, so not sure if you're referring to something else.