WilliamLam.com

Quick Tip - Listing all vSphere Privilege Definitions

by // Leave a Comment

By design, the vSphere platform (includes vCenter Server and ESXi) is highly extensible and additional vSphere Events and Privileges can added by 2nd and 3rd party solutions. Similiar to vSphere Events, where you can query your specific vCenter Server (or ESXI hosts) to list all vSphere Event definitions, you can also do the same for vSphere Privileges.

Using PowerCLI, we can use the Get-VIPrivilege cmdlet to help list out the vSphere Privilege Groups and the specific granular vSphere Privileges that exists within deployment.

Here is an example of listing all the different vSphere Privilege Groups that have been defined, either out of the box and/or by 2nd or 3rd party solution:

Get-VIPrivilege -PrivilegeGroup | select id,Description | Sort-Object -Property Id


As of vCenter Server 8.0 Update 3c, there are currently 111 out of the box vSphere Privilege Groups, you may have more or less depending on your version and the number of 2nd/3rd party integrations.

Here is an example of listing all the vSphere Privilege definitions that have been defined, either out of the box and/or by 2nd or 3rd party solution:

Get-VIPrivilege -PrivilegeItem | select id,Description | Sort-Object -Property Id


As of vCenter Server 8.0 Update 3c, there are currently 473 out of the box vSphere Privileges, you may have more or less depending on your version and the number of 2nd/3rd party integrations.

Additionally, you may also find these other vSphere Authorization blog posts useful:

Enhancements to VMware Cloud Foundation (VCF) & vSphere Automated Lab Deployment Scripts

by // 1 Comment

Simplicity is something I try to strive for when creating automation, whether that is for myself or for our customers. When I develop a script, I try to keep everything within a single file, so that it is easy to share and consume. As a script increases in functionality, it may be useful to break out some of its functions, typically libraries or modules.

I was recently debugging an issue with my popular automated lab deployment script for VMware Cloud Foundation (VCF) and while looking through the script that the user had been using, I found numerous variables that were commented out and replaced with their own values, which looked like they had different configuration and environments where they were using this single script.

It then hit me, why have I not considered externalizing all the variables that the script relied on, such that a user could easily supply different configuration options without needing to edit the primary deployment script!? 😅

[Read more...]

Quick Tip - Audit vCenter Server Role & Permission Usage

by // 2 Comments

vCenter Server ships out of the box a number of system and custom roles, which can be used or users can create their own custom roles containing the required privileges. If you wanted to understand which roles are actively being used, the following PowerCLI snippet can help provide insights to roles that have been assigned. Furthermore, the script will also output to a file, that contains all he privileges defined for the vCenter Roles that are in active use.

$roles = Get-VIRole
$permissions = Get-VIPermission

$results = @{}
foreach ($permission in $permissions) {
    $role = $permission.Role
    if($results.ContainsKey($role)) {
        $results[$role]+=1
    } else {
        $results[$role]=1
    }
}

Write-Host "`nTotal Roles: $($roles.count)"
Write-Host "Total Roles Used: $($results.count)"
Write-Host "Role Usage:"

$results.GetEnumerator() | Sort-Object -Property Value -Descending

$outfile = "used-roles.txt"
foreach ($key in $results.keys) {
    $role = Get-VIRole $key
    if(!$role.IsSystem) {
        $key | Out-File -Append -LiteralPath $outfile
        "=========================================================" | Out-File -Append -FilePath $outfile
        $role.ExtensionData.Privilege | Out-File -Append -LiteralPath $outfile
        "" | Out-File -Append -LiteralPath $outfile
    }
}

Here is an example output of running the script:


Here is an example output from used-roles.txt file that is generated, which contains the list of privileges for each role that is in use: