
Quick Tip - Listing vSphere Global Permissions using PowerShell

04.07.2025 by William Lam // 10 Comments

Parsing complex HTML is definitely challenging, even with PowerShell. I had hoped to use the free tier of ChatGPT and their latest 4o model to help build a PowerShell function for HTML parsing, but I kept running into system limits and the AI often misunderstood what I was asking for.

I finally gave in and purchased the $20 subscription so that I could expand on my 2017 blog post about automating vSphere Global Permissions and add support for listing global permissions, which came at a request from a recent user.

It turns out calling the private vSphere Global Permissions API via the vSphere MOB to show all current vSphere Global Permissions is extremely difficult due to the complex HTML that is rendered by the vSphere MOB. In fact, it took 25 iterations before I finally arrived at the solution using ChatGPT's 4o model. In several of the iterations, it ended up going backwards in progress, so that was pretty annoying!

Not sure if this is the new fancy "vibe coding" trend that I had experienced ... 😅

Download the latest GlobalPermissions.ps1 file, which contains a new function called Get-GlobalPermission. It retrieves all vSphere Global Permissions, including the principal name, the assigned vSphere Role and where the role is defined (global permission vs inventory permission).

Below is an example of using the new function. You must run Connect-VIServer first, because the PowerCLI session is needed to correlate the vSphere Role ID returned by the function with the actual vSphere Role Name provided by the native PowerCLI cmdlet.

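```
# vCenter Server connection details
$vc_server = "vc03.williamlam.local"
$vc_username = "*protected email*"
$vc_password = "VMware1!"

# PowerCLI session, needed to map vSphere Role IDs to Role Names
$server = Connect-VIServer -Server $vc_server -User $vc_username -Password $vc_password

# List all vSphere Global Permissions via the vSphere MOB
Get-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password

Disconnect-VIServer $server -Confirm:$false
```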

Here is a screenshot of the output, which you can further process as the function returns an array of PowerShell objects.
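
As an added example (not part of the original post or of GlobalPermissions.ps1), the returned objects can be grouped to audit for principals that hold more than one role. The property names Principal, Role and Definition, the Definition values and the sample rows are assumptions constructed for illustration; check the real property names with Get-Member.

```powershell
# Constructed sample rows standing in for the function's output. Against a live
# vCenter Server, replace this array with:
#   $perms = Get-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password
# Property names (Principal, Role, Definition) and the values are assumptions.
$perms = @(
    [pscustomobject]@{ Principal = 'VSPHERE.LOCAL\Administrators'; Role = 'Admin';    Definition = 'Global' }
    [pscustomobject]@{ Principal = 'EXAMPLE\vm-operators';         Role = 'ReadOnly'; Definition = 'Global' }
    [pscustomobject]@{ Principal = 'EXAMPLE\vm-operators';         Role = 'Admin';    Definition = 'Inventory' }
    [pscustomobject]@{ Principal = 'EXAMPLE\backup-svc';           Role = 'ReadOnly'; Definition = 'Global' }
)

function Find-ConflictingPermission {
    # Hypothetical helper: returns one row per principal that appears with
    # more than one distinct role, listing where each entry is defined.
    param(
        [Parameter(Mandatory)]
        [object[]]$Permission
    )

    $Permission |
        Group-Object -Property Principal |      # string grouping is case-insensitive
        ForEach-Object {
            $roles  = @($_.Group.Role       | Sort-Object -Unique)
            $scopes = @($_.Group.Definition | Sort-Object -Unique)

            if ($roles.Count -gt 1) {
                [pscustomobject]@{
                    Principal   = $_.Name
                    Roles       = $roles  -join ', '
                    Definitions = $scopes -join ', '
                    Entries     = $_.Count
                }
            }
        }
}

# Principals worth reviewing: same identity, different roles
$conflicts = @(Find-ConflictingPermission -Permission $perms)
$conflicts | Format-Table -AutoSize

# Keep the full listing as a dated audit record
$perms | Export-Csv -Path "global-permissions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

With the constructed rows, only EXAMPLE\vm-operators is reported, with roles Admin and ReadOnly.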


I know many users have been asking for an easier way to automate vSphere Global Permissions. I can only say that we have heard you loud and clear and this will be addressed in the near future 🙂


Comments

  1. pauljbardo says

    04/07/2025 at 12:50 pm

    William,

    Thanks for looking into this so quickly. I hope this is something you were planning to look at anyway.

    It seems to be working very well for what I want to do, with two very minor issues.

    One, on line 29 where you have VSPHERE\.LOCAL hardcoded, that is causing the loop not to match any of the groups that are based on our AD users instead of our local users. I can replace the VSPHERE\.LOCAL with our AD domain and it will instead pick up the AD groups and not the local groups. I'll try to work out a regex that will pick up both.

    Two, in the rare case where a permission is defined for the same Principal on an object and globally, the script reports two lines with both Roles, but there is no way to see which is truly Global. This is part of what I am trying to audit; we have too many duplicate permissions with different roles for the same users.

    Actually though, just being able to identify which principal has a duplicate role defined is a big win, so it may already be good enough.

    Reply
    • William Lam says

      04/07/2025 at 4:00 pm

      See the updated script, as it now addresses both scenarios 🙂

      Reply
  2. pauljbardo says

    04/07/2025 at 1:13 pm

    ```
    $nameMatch = [regex]::Match($nested, 'name.*?([A-Z.]+\\[^<]+)', 'Singleline')
    ```

    This seems to fix the first issue for me. I'm not great with GitHub or maybe I could figure out how to submit a pull request. Maybe given enough time I could still figure it out.

    Reply
  3. Bart Smit says

    04/07/2025 at 11:10 pm

    Beautiful Soup is elegant and powerful (IMHO) but is limited to Python. Maybe craft a small Python module to call from PowerShell? https://beautiful-soup-4.readthedocs.io/en/latest/

    Reply
    • William Lam says

      04/08/2025 at 6:36 am

      HA! Yeah, ChatGPT did recommend/ask me a few times whether I would be open to a Python solution, as it might be more elegant. I had to be persistent in asking for a pure PowerShell Core solution (not relying on additional modules, which was another option it had suggested).

      Reply
  4. Abbed Sedkaoui says

    04/08/2025 at 5:44 am

    I recently installed the Power Validated Solutions PowerShell module, AKA VVS:

    https://vmware.github.io/power-validated-solutions-for-cloud-foundation/install/

    Running

    ```
    get-help *permission* | Format-Table -AutoSize
    ```

    will list Get-GlobalPermission as a function of the PowerValidatedSolutions module.

    I'm not sure if the function from the module is the same as GlobalPermissions.ps1; here is how it goes using the VVS module.

    But I noticed differences: first, the module should be installed prior to using the function; secondly, the way to connect is using an additional function.

    Using it, Connect-VIServer returns an error where there is mob. Since GlobalPermissions.ps1 also uses the MOB and the similar function comes from the VVS module, I searched for how to connect this way, using get-command instead of get-help, as it provides the -Module switch:

    ```
    get-command *connect* -Module PowerValidatedSolutions | Format-Table -AutoSize
    ```

    Then I found:

    ```
    get-help Connect-vSphereMobServer -Examples

    Connect-vSphereMobServer -server sfo-m01-vc01.sfo.rainpole.io -username *protected email* -password VMw@re1!
    ```

    ```
    $server = Connect-VIServer -Server $vc_server -User $vc_username -Password $vc_password
    Connect-vSphereMobServer -server $vc_server -username $vc_username -password $vc_password
    Get-GlobalPermission
    ```

    Similarly, remember to disconnect (for security reasons) with:

    ```
    Disconnect-vSphereMobServer $server -confirm:$false
    Disconnect-viserver $server -confirm:$false
    ```

    I noticed a popup on PowerShell 7.4 on Windows that can be closed.

    Finally, the only difference in the resulting table is that the column "Definition" is not there in the PowerValidatedSolutions function; instead there is a "Propagate" column.

    Hope it helps

    Reply
    • William Lam says

      04/08/2025 at 6:40 am

      Looks like they may have copied my functions/etc. Best to report this on VVS GH if you want similar output as this new function

      Reply
  5. pauljbardo says

    04/08/2025 at 12:17 pm

    That latest version is nice.

    Yeah, I thought there had to be an easier way to deal with the HTML. I spent a few hours just trying to pass the Value parameter to Select-Xml, which should let you just do a simple XPath query on it, but I couldn't get Select-Xml to accept the output of over half the rows returned. It implied that the XML was invalid, but I couldn't see why and I finally gave up. Then I read you had a new version and couldn't see anything I could improve anyway.

    Reply
  6. Wolfi says

    04/10/2025 at 2:44 am

    I have done the Global Permission Topic in the past with the PS Module VIPerms: https://www.powershellgallery.com/packages/VIPerms/0.0.6

    It has worked well until now.

    But I have now seen that a bug exists in the function New-VIGlobalPermission.
    The permissions are set correctly in the vCenter, but, for example, I cannot see Content Library. (The role has the permissions.)
    When I add the user to the Global Permission with the same role manually, it works.

    Maybe you can use this module as a template and rewrite it so that it works?

    Reply
    • William Lam says

      04/10/2025 at 7:13 am

      Someone had indeed pointed me to your work, nice! As mentioned in the blog post, this uses a different method altogether which is more comprehensive as it includes both non-global & global permissions. Not to say your module didn't do the job, I just wasn't aware (especially when I did an initial search).

      I too ran into issues using your module initially, but this solution works with latest release.

      Not sure I follow your CL comments, since the ability to consume CL is purely defined by Global Permissions, you don't associate a specific CL, so not sure if you're referring to something else

      Reply
